Top / Google Cloud Platform / Google Cloud Platform / Folder Organization Policy

Google Cloud Platform Folder Organization Policy

This page shows how to write Terraform for Cloud Platform Folder Organization Policy and write them securely.

terraform-logo

Review your .tf file for Google best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

google_folder_organization_policy (Terraform)

The Folder Organization Policy in Cloud Platform can be configured in Terraform with the resource name google_folder_organization_policy. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

list_constraints.tf#L20
resource "google_folder_organization_policy" "folder_policy_list_allow_all" {
  count = local.folder && local.list_policy && local.enforce == false ? 1 : 0

  folder     = var.folder_id
  constraint = var.constraint
main.tf#L33
resource "google_folder_organization_policy" "folder_policy_list_allow_all" {
  count = local.enable && local.folder && local.valid_policy && local.allow_all_constraint == true ? 1 : 0

  folder     = var.folder_id
  constraint = var.constraint
list_constraints.tf#L36
resource "google_folder_organization_policy" "folder_policy_list_allow_all" {
  count = local.folder && local.list_policy && local.enforce == false ? 1 : 0

  folder     = var.folder_id
  constraint = var.constraint
boolean_constraints.tf#L18
resource "google_folder_organization_policy" "folder_policy_boolean" {
  count = local.folder && local.boolean_policy ? 1 : 0

  folder     = var.folder_id
  constraint = var.constraint
organization-policies.tf#L10
resource "google_folder_organization_policy" "default_network_policy" {
  for_each   = local.google_folder_organization_policy_boolean
  folder     = data.google_folder.root.id
  constraint = each.value
  boolean_policy {
    enforced = true

Review your Terraform file for Google best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

The name of the Constraint the Policy is configuring, for example, serviceuser.services.

  • etag optional computed - string

The etag of the organization policy. etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other.

The resource name of the folder to set the policy for. Its format is folders/[folder_id].

The timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds, representing when the variable was last updated. Example: "2016-10-09T12:33:37.578138407Z".

Version of the Policy. Default version is 0.

  • boolean_policy list block

    If true, then the Policy is enforced. If false, then any configuration is acceptable.

  • list_policy list block

    If set to true, the values from the effective Policy of the parent resource are inherited, meaning the values set in this Policy are added to the values inherited up the hierarchy.

    The Google Cloud Console will try to default to a configuration that matches the value specified in this field.

    • allow list block
      • all optional - bool

      The policy allows or denies all values.

      The policy can define specific values that are allowed or denied.

    • deny list block
      • all optional - bool

      The policy allows or denies all values.

      The policy can define specific values that are allowed or denied.

  • restore_policy list block

    May only be set to true. If set, then the default Policy is restored.

  • timeouts single block

>> from Terraform Registry

Explanation in Terraform Registry

Allows management of Organization Policies for a Google Cloud Folder.

Warning: This resource has been superseded by google_org_policy_policy. google_org_policy_policy uses Organization Policy API V2 instead of Cloud Resource Manager API V1 and it supports additional features such as tags and conditions. To get more information about Organization Policies, see:

>> from Terraform Registry

Tips: Best Practices for The Other Google Cloud Platform Resources

In addition to the google_project, Google Cloud Platform has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

risk-label

google_project

Ensure project-level default network creation is disabled

It is better to disable the auto-creation of default networks. The default network for a GCP project is usually configured coarsely, leaving the risk of unwanted access to resources in the network.

Review your Google Cloud Platform settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

The Other Related Google Cloud Platform Resources

Frequently asked questions

What is Google Cloud Platform Folder Organization Policy?

Google Cloud Platform Folder Organization Policy is a resource for Cloud Platform of Google Cloud Platform. Settings can be wrote in Terraform.

Where can I find the example code for the Google Cloud Platform Folder Organization Policy?

For Terraform, the beninanutshell/wam-gcp-modules, rubans/GCPConcepts and terraform-google-modules/terraform-google-org-policy source code examples are useful. See the Terraform Example section for further details.

security-icon

Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.

Table of Contents