Google Cloud Platform Folder Organization Policy
This page shows how to write Terraform for the Cloud Platform Folder Organization Policy resource and how to configure it securely.
google_folder_organization_policy (Terraform)
The Folder Organization Policy in Cloud Platform can be configured in Terraform with the resource name google_folder_organization_policy. The following sections describe 5 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "google_folder_organization_policy" "folder_policy_list_allow_all" {
  count      = local.folder && local.list_policy && local.enforce == false ? 1 : 0
  folder     = var.folder_id
  constraint = var.constraint
  # policy block not shown in the source excerpt
}

resource "google_folder_organization_policy" "folder_policy_list_allow_all" {
  count      = local.enable && local.folder && local.valid_policy && local.allow_all_constraint == true ? 1 : 0
  folder     = var.folder_id
  constraint = var.constraint
  # policy block not shown in the source excerpt
}

resource "google_folder_organization_policy" "folder_policy_list_allow_all" {
  count      = local.folder && local.list_policy && local.enforce == false ? 1 : 0
  folder     = var.folder_id
  constraint = var.constraint
  # policy block not shown in the source excerpt
}

resource "google_folder_organization_policy" "folder_policy_boolean" {
  count      = local.folder && local.boolean_policy ? 1 : 0
  folder     = var.folder_id
  constraint = var.constraint
  # boolean_policy block not shown in the source excerpt
}

resource "google_folder_organization_policy" "default_network_policy" {
  for_each   = local.google_folder_organization_policy_boolean
  folder     = data.google_folder.root.id
  constraint = each.value

  boolean_policy {
    enforced = true
  }
}
Parameters

constraint (required, string)
  The name of the Constraint the Policy is configuring, for example, serviceuser.services.

etag (optional, computed, string)
  The etag of the organization policy. The etag is used for optimistic concurrency control, to help prevent simultaneous updates of a policy from overwriting each other.

folder (required, string)
  The resource name of the folder to set the policy for. Its format is folders/[folder_id].

id (optional, computed, string)

update_time (optional, computed, string)
  The timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds, representing when the Policy was last updated. Example: "2016-10-09T12:33:37.578138407Z".

version (optional, computed, number)
  Version of the Policy. Default version is 0.

boolean_policy (list block)
  enforced (required, bool)
    If true, the Policy is enforced. If false, any configuration is acceptable.

list_policy (list block)
  inherit_from_parent (optional, bool)
    If set to true, the values from the effective Policy of the parent resource are inherited, meaning the values set in this Policy are added to the values inherited up the hierarchy.
  suggested_value (optional, computed, string)
    The Google Cloud Console will try to default to a configuration that matches the value specified in this field.
  allow (list block)
    all (optional, bool)
      If true, the policy allows all values.
    values (optional, set of string)
      The specific values that the policy allows.
  deny (list block)
    all (optional, bool)
      If true, the policy denies all values.
    values (optional, set of string)
      The specific values that the policy denies.

restore_policy (list block)
  default (required, bool)
    May only be set to true. If set, the default Policy is restored.

timeouts (single block)
Explanation in Terraform Registry
Allows management of Organization Policies for a Google Cloud Folder.
Warning: This resource has been superseded by google_org_policy_policy. google_org_policy_policy uses Organization Policy API V2 instead of Cloud Resource Manager API V1 and supports additional features such as tags and conditions. To get more information about Organization Policies, see:
Tips: Best Practices for Other Google Cloud Platform Resources
In addition to the resource covered on this page, Google Cloud Platform has other resources that should be configured with security in mind. Some examples of those resources and the relevant precautions follow.
google_project
Ensure project-level default network creation is disabled
It is better to disable the auto-creation of default networks. The default network for a GCP project is usually configured coarsely (for example, with permissive firewall rules), leaving a risk of unwanted access to resources in the network.
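The following is an added example (not taken from the GitHub sources this page lists) that ties the parameter reference above to the default-network tip: a boolean_policy that enforces compute.skipDefaultNetworkCreation on a folder, so projects created under it never get the coarse default network, plus a list_policy that denies all values for compute.vmExternalIpAccess. The variable name folder_id and the folder number are assumptions; both constraint names are real Cloud Platform constraints.

```hcl
# Added example, not from the page's sources. Assumes the caller supplies the
# folder resource name, e.g. "folders/123456789012" (placeholder value).
variable "folder_id" {
  type        = string
  description = "Folder to attach the policies to, in the form folders/[folder_id]"
}

# Boolean constraint: every project created under this folder skips creation
# of the default network. boolean_policy.enforced = true turns the constraint on.
resource "google_folder_organization_policy" "skip_default_network" {
  folder     = var.folder_id
  constraint = "compute.skipDefaultNetworkCreation"

  boolean_policy {
    enforced = true
  }
}

# List constraint: deny.all = true blocks external IPs on all VM instances in
# the folder. inherit_from_parent = false keeps parent-level allow values from
# being merged into this policy, so the deny is not widened unexpectedly.
resource "google_folder_organization_policy" "no_vm_external_ip" {
  folder     = var.folder_id
  constraint = "compute.vmExternalIpAccess"

  list_policy {
    inherit_from_parent = false

    deny {
      all = true
    }
  }
}

# Exposing the effective etag and version lets a pipeline detect a policy that
# was changed outside Terraform (the next plan shows the drift).
output "skip_default_network_version" {
  value = google_folder_organization_policy.skip_default_network.version
}
```

Use either allow or deny inside a single list_policy, not both, and use either all or values inside that block; the two resources above show the boolean and list forms side by side on the same folder.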
Frequently asked questions
What is Google Cloud Platform Folder Organization Policy?
Google Cloud Platform Folder Organization Policy is a Cloud Platform resource of Google Cloud Platform. Its settings can be written in Terraform.
Where can I find the example code for the Google Cloud Platform Folder Organization Policy?
For Terraform, the beninanutshell/wam-gcp-modules, rubans/GCPConcepts and terraform-google-modules/terraform-google-org-policy source code examples are useful. See the Terraform Example section for further details.