Google Cloud Platform Project Organization Policy
This page shows how to write Terraform for Cloud Platform Project Organization Policy and write them securely.
google_project_organization_policy (Terraform)
The Project Organization Policy in Cloud Platform can be configured in Terraform with the resource name google_project_organization_policy. The following sections describe 5 examples of how to use the resource and its parameters.
Example Usage from GitHub
# Example 1: switch the Shielded VM requirement off for one project
resource "google_project_organization_policy" "shielded_vm_disable" {
  project    = data.google_project.service_project.project_id
  constraint = "constraints/compute.requireShieldedVm"
  boolean_policy {
    enforced = false
  }
}

# Example 2: drop the project-level override and fall back to the inherited policy
resource "google_project_organization_policy" "os_login" {
  project    = var.project
  constraint = "compute.requireOsLogin"
  restore_policy {
    default = true
  }
}

# Example 3: list constraint; the allowed values are cut off in the source excerpt
resource "google_project_organization_policy" "services_policy" {
  project    = "{{.Provider.project}}"
  constraint = "serviceuser.services"
  list_policy {
    allow {
    }
  }
}

# Example 4: conditional creation; the policy block is cut off in the source excerpt
resource "google_project_organization_policy" "project_policy_list_allow_all" {
  count      = local.project && local.list_policy && local.enforce == false ? 1 : 0
  project    = var.project_id
  constraint = var.constraint
}

# Example 5: several boolean constraints from one map (the excerpt ends after the
# map; the lines below follow the evident each.key / each.value pattern)
resource "google_project_organization_policy" "bool-policies" {
  for_each = {
    "iam.disableServiceAccountCreation" : false,
    "iam.disableServiceAccountKeyCreation" : false,
    "compute.disableGuestAttributesAccess" : false,
    "compute.requireShieldedVm" : false,
  }
  project    = var.project_id # assumed; not in the excerpt
  constraint = each.key
  boolean_policy {
    enforced = each.value
  }
}
Parameters
- constraint (required, string): The name of the Constraint the Policy is configuring, for example, serviceuser.services.
- etag (optional, computed, string): The etag of the organization policy. It is used for optimistic concurrency control to help prevent simultaneous updates of a policy from overwriting each other.
- project (required, string): The project ID.
- update_time (optional, computed, string): The timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds, representing when the policy was last updated. Example: "2016-10-09T12:33:37.578138407Z".
- version (optional, computed, number): Version of the Policy. Default version is 0.
- boolean_policy (list block)
  - enforced (required, bool): If true, then the Policy is enforced. If false, then any configuration is acceptable.
- list_policy (list block)
  - inherit_from_parent (optional, bool): If set to true, the values from the effective Policy of the parent resource are inherited, meaning the values set in this Policy are added to the values inherited up the hierarchy.
  - suggested_value (optional, computed, string): The Google Cloud Console will try to default to a configuration that matches the value specified in this field.
  - allow (list block)
    - all (optional, bool): If true, the policy allows all values.
    - values (optional, set of string): The specific values the policy allows.
  - deny (list block)
    - all (optional, bool): If true, the policy denies all values.
    - values (optional, set of string): The specific values the policy denies.
- restore_policy (list block)
  - default (required, bool): May only be set to true. If set, then the default Policy is restored.
- timeouts (single block)
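The parameter list above describes three mutually exclusive policy kinds (boolean_policy, list_policy, restore_policy) but the GitHub excerpts only show each one partially, and the ones that are complete switch protections off (enforced = false). The configuration below is an added example, not code from the page's GitHub sources, showing each policy kind in its enforcing form on one project. var.project_id and the resource names are assumptions; the constraint names are real Google Cloud constraints.

```terraform
# Added example: one resource per policy kind. var.project_id is an assumption.
variable "project_id" {
  type = string
}

# boolean_policy: every new VM in the project must be a Shielded VM.
# enforced = true turns the constraint on (the GitHub excerpt sets it to false,
# which switches the protection off for that project).
resource "google_project_organization_policy" "require_shielded_vm" {
  project    = var.project_id
  constraint = "compute.requireShieldedVm"

  boolean_policy {
    enforced = true
  }
}

# Several boolean constraints from one map: each.key is the constraint name,
# each.value the enforced flag. Both constraints here block long-lived
# service-account keys and access to guest attributes from outside the VM.
resource "google_project_organization_policy" "bool_policies" {
  for_each = {
    "iam.disableServiceAccountKeyCreation" = true
    "compute.disableGuestAttributesAccess" = true
  }

  project    = var.project_id
  constraint = each.key

  boolean_policy {
    enforced = each.value
  }
}

# list_policy with deny { all = true }: no VM in the project may be given an
# external IP address. allow and deny are alternatives; use one per policy.
resource "google_project_organization_policy" "no_external_ip" {
  project    = var.project_id
  constraint = "compute.vmExternalIpAccess"

  list_policy {
    deny {
      all = true
    }
  }
}

# list_policy with allow { values = [...] }: resources may only be created in
# EU locations. inherit_from_parent = true merges these values with whatever
# the folder or organization already allows instead of replacing it.
resource "google_project_organization_policy" "resource_locations" {
  project    = var.project_id
  constraint = "gcp.resourceLocations"

  list_policy {
    inherit_from_parent = true

    allow {
      values = ["in:eu-locations"]
    }
  }
}

# restore_policy: remove the project-level override so the project goes back
# to the policy it inherits from its parent (default may only be true).
resource "google_project_organization_policy" "os_login_inherit" {
  project    = var.project_id
  constraint = "compute.requireOsLogin"

  restore_policy {
    default = true
  }
}
```

Applying this plan needs the orgpolicy.policy.set permission on the project (for example roles/orgpolicy.policyAdmin). When reviewing a plan, treat any resource whose boolean_policy moves from enforced = true to false, or whose list_policy moves from deny to allow, as a change that weakens the project's guardrails rather than as a routine update.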
Explanation in Terraform Registry
Allows management of Organization Policies for a Google Cloud Project.
Warning: This resource has been superseded by google_org_policy_policy. google_org_policy_policy uses Organization Policy API V2 instead of Cloud Resource Manager API V1 and it supports additional features such as tags and conditions. To get more information about Organization Policies, see the links in the Terraform Registry entry.
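Because the resource on this page is superseded, new policies are better written against google_org_policy_policy. The following added example (not from the page or the Terraform provider documentation) shows the V2 form of a boolean constraint, a deny-all list constraint and a reset, the counterparts of boolean_policy, list_policy { deny { all = true } } and restore_policy above. var.project_id is an assumption.

```terraform
# Added example: the successor resource (Organization Policy API v2).
# var.project_id is an assumption.
variable "project_id" {
  type = string
}

# Counterpart of boolean_policy { enforced = true }. In v2 the policy is named
# projects/<id>/policies/<constraint> and enforce is the string "TRUE"/"FALSE".
resource "google_org_policy_policy" "require_shielded_vm" {
  name   = "projects/${var.project_id}/policies/compute.requireShieldedVm"
  parent = "projects/${var.project_id}"

  spec {
    rules {
      enforce = "TRUE"
    }
  }
}

# Counterpart of list_policy { deny { all = true } }.
resource "google_org_policy_policy" "no_external_ip" {
  name   = "projects/${var.project_id}/policies/compute.vmExternalIpAccess"
  parent = "projects/${var.project_id}"

  spec {
    rules {
      deny_all = "TRUE"
    }
  }
}

# Counterpart of restore_policy { default = true }: reset drops the
# project-level override and the inherited policy applies again.
resource "google_org_policy_policy" "os_login_reset" {
  name   = "projects/${var.project_id}/policies/compute.requireOsLogin"
  parent = "projects/${var.project_id}"

  spec {
    reset = true
  }
}
```

The v2 resource also accepts a condition block inside rules (for tag-based exceptions); a policy with conditional rules cannot be expressed with google_project_organization_policy at all, which is one reason to migrate before adding such rules.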
Tips: Best Practices for The Other Google Cloud Platform Resources
In addition to the google_project resource, Google Cloud Platform has other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
google_project
Ensure project-level default network creation is disabled
It is better to disable the auto-creation of default networks. The default network for a GCP project is usually configured coarsely, leaving the risk of unwanted access to resources in the network.
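Two settings together prevent the default network from appearing: the auto_create_network argument of google_project for projects Terraform creates, and the compute.skipDefaultNetworkCreation constraint on the parent organization or folder for projects created any other way. The example below is added here and is not from the page; var.org_id, var.billing_account and the project name and id are constructed values.

```terraform
# Added example: no default network, enforced at two levels.
# var.org_id, var.billing_account and the project values are constructed.
variable "org_id" {
  type = string
}

variable "billing_account" {
  type = string
}

resource "google_project" "app" {
  name            = "app-prod"         # constructed
  project_id      = "app-prod-example" # constructed; must be globally unique
  org_id          = var.org_id
  billing_account = var.billing_account

  # With false, the provider removes the auto-created "default" VPC (and its
  # permissive default-allow-* firewall rules) right after the project exists.
  auto_create_network = false
}

# The constraint must sit on the parent (organization or folder): the default
# network is created together with the project, so a project-level policy set
# afterwards is too late. Enforced here, every new project under the org is
# created without a default network regardless of how it is created.
resource "google_organization_policy" "skip_default_network" {
  org_id     = var.org_id
  constraint = "compute.skipDefaultNetworkCreation"

  boolean_policy {
    enforced = true
  }
}
```

Deleting the default network with auto_create_network = false requires the Compute Engine API to be enabled in the new project, so the identity running Terraform needs permission to enable services as well as to create the project.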
Frequently asked questions
What is Google Cloud Platform Project Organization Policy?
Google Cloud Platform Project Organization Policy is a resource for Cloud Platform of Google Cloud Platform. Settings can be written in Terraform.
Where can I find the example code for the Google Cloud Platform Project Organization Policy?
For Terraform, the jkwong888/gke-nap-gitlab-runner, ejmadkins/config-sync-kcc-policy-demo and THT27/terraform-valiadator source code examples are useful. See the Terraform Example section for further details.