This Terraform module makes it easier to manage organization policies for your Google Cloud environment, particularly when you want to have exclusion rules. This module will allow you to set a top-level org policy and then disable it on individual projects or folders easily.
This module is meant for use with Terraform 1.3+ and tested using Terraform 1.10+. If you find incompatibilities using Terraform >=1.3, please open an issue.
Many examples are included in the examples folder, but simple usage is as follows:
```hcl
module "org-policy" {
  source  = "terraform-google-modules/org-policy/google"
  version = "~> 7.0"

  policy_for      = "organization"
  constraint      = "constraints/serviceuser.services"
  policy_type     = "list"
  organization_id = "123456789"
  enforce         = true

  exclude_folders  = ["folders/folder-1-id", "folders/folder-2-id"]
  exclude_projects = ["project3", "project4"]
}
```

To control the module's behavior, set the following variables:
- `constraint`: the constraint to apply, in the form `constraints/{constraint identifier}`, for example `constraints/serviceuser.services`.
- `policy_type`: either `boolean` for boolean policies or `list` for list policies (default `list`).
- Policy root: set exactly one of the following to determine where the policy is applied:
  - `organization_id`
  - `folder_id`
  - `project_id`
- `policy_for`: the hierarchy level where the policy is applied; it must correspond to the policy root variable you set. One of:
  - `organization`
  - `folder`
  - `project`
- `exclude_folders`: a list of folder IDs to exclude from this policy. These folders must be lower in the hierarchy than the policy root.
- `exclude_projects`: a list of project IDs to exclude from this policy. They must be lower in the hierarchy than the policy root.
- Boolean policies (`policy_type = "boolean"`) can set the following variable:
  - `enforce`: if `true` or `null`, the policy is enforced at the root; if `false`, the policy is not enforced at the root (default `null`).
- List policies (`policy_type = "list"`) can set one of the following variables. Only one may be set:
  - `enforce`: if `true` or `null`, the policy denies all; if `false`, the policy allows all (default `null`).
  - `allow`: list of values to include in the policy with ALLOW behavior. Set `enforce` to `null` to use it.
  - `deny`: list of values to include in the policy with DENY behavior. Set `enforce` to `null` to use it.
- List policies with `allow` or `deny` values also require the list length to be set explicitly (a workaround for a Terraform limitation when a list's length is not known at plan time):
  - `allow_list_length`
  - `deny_list_length`
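The following configuration is an added example, not taken from the module's own README or `examples` folder, showing the two policy types side by side: a boolean constraint enforced org-wide with a folder and a project carved out, and a list constraint at a folder that uses an explicit `allow` list (so `enforce` is set to `null` and `allow_list_length` is supplied). The organization, folder and project IDs are placeholders; the two constraints, `constraints/iam.disableServiceAccountKeyCreation` and `constraints/gcp.resourceLocations`, are real Google Cloud constraints that the page itself does not mention, and the `folders/...` form for `folder_id` is assumed to match the form shown for `exclude_folders`.

```hcl
# Added example (not the module's own code). Placeholder IDs throughout.

# Boolean constraint: block service account key creation across the
# organization, except in one legacy folder and one CI project that are
# lower in the hierarchy than the organization root.
module "disable_sa_key_creation" {
  source  = "terraform-google-modules/org-policy/google"
  version = "~> 7.0"

  policy_for      = "organization"
  organization_id = "123456789"                                     # placeholder
  constraint      = "constraints/iam.disableServiceAccountKeyCreation"
  policy_type     = "boolean"
  enforce         = true

  exclude_folders  = ["folders/111111111111"] # placeholder folder ID
  exclude_projects = ["legacy-ci-project"]    # placeholder project ID
}

# List constraint: restrict resource locations for everything under a
# folder to the EU value group. `enforce`, `allow` and `deny` are mutually
# exclusive, so `enforce` is null here and the allow list length is given
# explicitly as the module requires.
module "restrict_locations_eu" {
  source  = "terraform-google-modules/org-policy/google"
  version = "~> 7.0"

  policy_for  = "folder"
  folder_id   = "folders/222222222222" # placeholder; form assumed to match exclude_folders
  constraint  = "constraints/gcp.resourceLocations"
  policy_type = "list"

  enforce           = null
  allow             = ["in:eu-locations"]
  allow_list_length = 1

  # A sandbox project below the folder that is allowed to keep US resources.
  exclude_projects = ["sandbox-us-project"] # placeholder project ID
}
```

Exclusions are the part worth reviewing carefully: each excluded folder or project gets its own policy that switches the constraint off at that node, so an overly broad `exclude_folders` entry silently re-enables the behavior for every project beneath it. Keep the exclusion lists short and tie each entry to a documented justification.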
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| allow | (Only for list constraints) List of values which should be allowed | list(string) | [] | no |
| allow_list_length | The number of elements in the allow list | number | 0 | no |
| constraint | The constraint to be applied | string | n/a | yes |
| deny | (Only for list constraints) List of values which should be denied | list(string) | [] | no |
| deny_list_length | The number of elements in the deny list | number | 0 | no |
| enforce | If boolean constraint, whether the policy is enforced at the root; if list constraint, whether to deny all (true) or allow all | bool | null | no |
| exclude_folders | Set of folders to exclude from the policy | set(string) | [] | no |
| exclude_projects | Set of projects to exclude from the policy | set(string) | [] | no |
| folder_id | The folder id for putting the policy | string | null | no |
| organization_id | The organization id for putting the policy | string | null | no |
| policy_for | Resource hierarchy node to apply the policy to: can be one of organization, folder, or project. | string | n/a | yes |
| policy_type | The constraint type to work with (either 'boolean' or 'list') | string | "list" | no |
| project_id | The project id for putting the policy | string | null | no |
No outputs.
- Terraform >= 1.3
In order to execute this module, the Service Account you run as must have the Organization Policy Administrator (`roles/orgpolicy.policyAdmin`) role on the policy root (organization, folder or project) and on every excluded folder or project, since the module creates a separate policy at each of those nodes.