Google Cloud Platform Project Organization Policy

google_project_organization_policy (Terraform)

The Project Organization Policy in Cloud Platform can be configured in Terraform with the resource name google_project_organization_policy. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

jkwong888/gke-nap-gitlab-runner

resource "google_project_organization_policy" "shielded_vm_disable" {
  project    = data.google_project.service_project.project_id
  constraint = "constraints/compute.requireShieldedVm"

  boolean_policy {
    enforced = false

ejmadkins/config-sync-kcc-policy-demo

resource "google_project_organization_policy" "os_login" {
  project = var.project
  constraint = "compute.requireOsLogin"

  restore_policy {
    default = true

THT27/terraform-valiadator

resource "google_project_organization_policy" "services_policy" {
  project    = "{{.Provider.project}}"
  constraint = "serviceuser.services"

  list_policy {
    allow {

beninanutshell/wam-gcp-modules

resource "google_project_organization_policy" "project_policy_list_allow_all" {
  count = local.project && local.list_policy && local.enforce == false ? 1 : 0

  project    = var.project_id
  constraint = var.constraint

jonpulsifer/nawl

resource "google_project_organization_policy" "bool-policies" {
  for_each = {
    "iam.disableServiceAccountCreation" : false,
    "iam.disableServiceAccountKeyCreation" : false,
    "compute.disableGuestAttributesAccess" : false,
    "compute.requireShieldedVm" : false,

Parameters

• constraint required - string

The name of the Constraint the Policy is configuring, for example, serviceuser.services.

• etag optional computed - string

The etag of the organization policy. etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other.

• id optional computed - string
• project required - string

The project ID.

• update_time optional computed - string

The timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds, representing when the variable was last updated. Example: "2016-10-09T12:33:37.578138407Z".

• version optional computed - number

Version of the Policy. Default version is 0.

• boolean_policy list block
  • enforced required - bool

  If true, then the Policy is enforced. If false, then any configuration is acceptable.

• list_policy list block
  • inherit_from_parent optional - bool

  If set to true, the values from the effective Policy of the parent resource are inherited, meaning the values set in this Policy are added to the values inherited up the hierarchy.

  • suggested_value optional computed - string

  The Google Cloud Console will try to default to a configuration that matches the value specified in this field.

  • allow list block
    • all optional - bool

    The policy allows or denies all values.

    • values optional - set of string

    The policy can define specific values that are allowed or denied.

  • deny list block
    • all optional - bool

    The policy allows or denies all values.

    • values optional - set of string

    The policy can define specific values that are allowed or denied.

• restore_policy list block
  • default required - bool

  May only be set to true. If set, then the default Policy is restored.

• timeouts single block
  • create optional - string
  • delete optional - string
  • read optional - string
  • update optional - string

Explanation in Terraform Registry

Allows management of Organization Policies for a Google Cloud Project.

Warning: This resource has been superseded by google_org_policy_policy. google_org_policy_policy uses Organization Policy API V2 instead of Cloud Resource Manager API V1 and it supports additional features such as tags and conditions. To get more information about Organization Policies, see:

• API documentation
• How-to Guides
  • Introduction to the Organization Policy Service

Tips: Best Practices for The Other Google Cloud Platform Resources

In addition to the google_project, Google Cloud Platform has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

google_project

Ensure project-level default network creation is disabled

It is better to disable the auto-creation of default networks. The default network for a GCP project is usually configured coarsely, leaving the risk of unwanted access to resources in the network.