This Terraform module makes it easier to manage organization policies for your Google Cloud environment, particularly when you want to have exclusion rules. This module will allow you to set a top-level org policy and then disable it on individual projects or folders easily.
This module is meant for use with Terraform 1.3+ and tested using Terraform 1.10+. If you find incompatibilities using Terraform >=1.3, please open an issue. If you haven't upgraded and need a Terraform 0.12.x-compatible version of this module, the last released version intended for Terraform 0.12.x is v4.0.0.
Many examples are included in the examples folder, but simple usage is as follows:
module "org-policy" {
source = "terraform-google-modules/org-policy/google"
version = "~> 3.0.2"
policy_for = "organization"
constraint = "constraints/serviceuser.services"
policy_type = "list"
organization_id = "123456789"
enforce = true
exclude_folders = ["folders/folder-1-id", "folders/folder-2-id"]
exclude_projects = ["project3", "project4"]
}
To control module's behavior, change variables' values regarding the following:
constraint
: set this variable with the constraint value in the formconstraints/{constraint identifier}
. For example,constraints/serviceuser.services
policy_type
: Specify eitherboolean
for boolean policies orlist
for list policies. (defaultlist
)- Policy Root: set one of the following values to determine where the policy is applied:
organization_id
project_id
folder_id
policy_for
: Specify the hierarchy level where the policy is applied. Can be one of the following values.organization
folder
project
exclude_folders
: a list of folder IDs to be excluded from this policy. These folders must be lower in the hierarchy than the policy root.exclude_projects
: a list of project IDs to be excluded from this policy. They must be lower in the hierarchy than the policy root.- Boolean policies (with
policy_type: "boolean"
) can set the following variables:enforce
: iftrue
ornull
then the policy is enforced at the root; iffalse
then policy is not enforced at the root. (defaultnull
)
- List policies (with
policy_type: "list"
) can set one of the following variables. Only one may be set.enforce
: iftrue
ornull
then policy will deny all; iffalse
then policy will allow all (defaultnull
)allow
: list of values to include in the policy with ALLOW behavior. Setenforce
tonull
to use it.deny
: list of values to include in the policy with DENY behavior. Setenforce
tonull
to use it.
- List policies with allow or deny values require the length to be set (a workaround for this terraform issue)
allow_list_length
deny_list_length
Name | Description | Type | Default | Required |
---|---|---|---|---|
allow | (Only for list constraints) List of values which should be allowed | list(string) |
[ |
no |
allow_list_length | The number of elements in the allow list | number |
0 |
no |
constraint | The constraint to be applied | string |
n/a | yes |
deny | (Only for list constraints) List of values which should be denied | list(string) |
[ |
no |
deny_list_length | The number of elements in the deny list | number |
0 |
no |
enforce | If boolean constraint, whether the policy is enforced at the root; if list constraint, whether to deny all (true) or allow all | bool |
null |
no |
exclude_folders | Set of folders to exclude from the policy | set(string) |
[] |
no |
exclude_projects | Set of projects to exclude from the policy | set(string) |
[] |
no |
folder_id | The folder id for putting the policy | string |
null |
no |
organization_id | The organization id for putting the policy | string |
null |
no |
policy_for | Resource hierarchy node to apply the policy to: can be one of organization , folder , or project . |
string |
n/a | yes |
policy_type | The constraint type to work with (either 'boolean' or 'list') | string |
"list" |
no |
project_id | The project id for putting the policy | string |
null |
no |
No outputs.
- Terraform >= 1.3
- terraform-provider-google >= v3.53
In order to execute this module, the Service Account you run as must have the Organization Policy Administrator (roles/orgpolicy.PolicyAdmin
) role.
Be sure you have the correct Terraform version (>= 1.3.x), you can choose the binary here:
- terraform-provider-google >= v3.53
For a fast install, please configure the variables on init_centos.sh or init_debian.sh script and then launch it.
The script will do:
- Environment variables setting
- Installation of base packages like wget, curl, unzip, gcloud, etc.