Google Cloud Platform Project Organization Policy

This page shows how to write Terraform for a Cloud Platform Project Organization Policy, and how to write it securely.

google_project_organization_policy (Terraform)

The Project Organization Policy in Cloud Platform can be configured in Terraform with the resource name google_project_organization_policy. The following sections describe five examples of how to use the resource and its parameters.

Example Usage from GitHub

org_policy.tf#L1

resource "google_project_organization_policy" "shielded_vm_disable" {
  project    = data.google_project.service_project.project_id
  constraint = "constraints/compute.requireShieldedVm"

  boolean_policy {
    enforced = false
  }
}

main.tf#L19

resource "google_project_organization_policy" "os_login" {
  project    = var.project
  constraint = "compute.requireOsLogin"

  restore_policy {
    default = true
  }
}

example_project_organization_policy.tf#L39

resource "google_project_organization_policy" "services_policy" {
  project    = "{{.Provider.project}}"
  constraint = "serviceuser.services"

  list_policy {
    allow {
      # excerpt ends here in the source

list_constraints.tf#L36

resource "google_project_organization_policy" "project_policy_list_allow_all" {
  count = local.project && local.list_policy && local.enforce == false ? 1 : 0

  project    = var.project_id
  constraint = var.constraint
  # excerpt ends here in the source

policy.tf#L1

resource "google_project_organization_policy" "bool-policies" {
  for_each = {
    "iam.disableServiceAccountCreation" : false,
    "iam.disableServiceAccountKeyCreation" : false,
    "compute.disableGuestAttributesAccess" : false,
    "compute.requireShieldedVm" : false,
    # excerpt ends here in the source

Parameters

  • constraint required - string
    • The name of the Constraint the Policy is configuring, for example, serviceuser.services.

  • etag required, computed - string
    • The etag of the organization policy. The etag is used for optimistic concurrency control, as a way to help prevent simultaneous updates of a policy from overwriting each other.

  • id optional, computed - string
  • project required - string
    • The project ID.

  • update_time required, computed - string
    • The timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds, representing when the policy was last updated. Example: "2016-10-09T12:33:37.578138407Z".

  • version optional, computed - number
    • Version of the Policy. Default version is 0.
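The GitHub excerpts above set every boolean constraint to enforced = false, which switches the protection off at project level. The following is an added example (not code from this page or from the repositories it cites) that shows the hardened counterpart: the same constraints enforced through one for_each resource, plus a list_policy that denies all values. It assumes a var.project_id input and uses the compute.vmExternalIpAccess constraint, which is not among the constraints shown above.

```hcl
# Added example, not from the page or the cited repositories.
# Assumes var.project_id holds the ID of the target project.

variable "project_id" {
  type = string
}

locals {
  # Constraint name => whether it is enforced. The GitHub excerpt sets these
  # to false, which disables the control; a hardened baseline enforces them.
  boolean_constraints = {
    "compute.requireShieldedVm"            = true
    "compute.requireOsLogin"               = true
    "iam.disableServiceAccountKeyCreation" = true
    "compute.disableGuestAttributesAccess" = true
  }
}

# One boolean_policy per constraint. The constraint argument accepts the bare
# name (as here) or the "constraints/" prefixed form seen in the excerpts.
resource "google_project_organization_policy" "hardened_boolean" {
  for_each   = local.boolean_constraints
  project    = var.project_id
  constraint = each.key

  boolean_policy {
    enforced = each.value
  }
}

# List constraint: deny external IP addresses on every VM in the project.
# Exactly one of boolean_policy, list_policy or restore_policy is set per
# resource; here list_policy with deny { all = true } blocks every value.
resource "google_project_organization_policy" "no_external_ip" {
  project    = var.project_id
  constraint = "compute.vmExternalIpAccess"

  list_policy {
    deny {
      all = true
    }
  }
}
```

After `terraform apply`, a project-level boolean_policy overrides whatever the folder or organization inherits; use restore_policy (as in the main.tf excerpt above) when the intent is to remove a project override rather than set one.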

Explanation in Terraform Registry

Allows management of Organization Policies for a Google Cloud Project.

Warning: This resource has been superseded by google_org_policy_policy. google_org_policy_policy uses Organization Policy API V2 instead of Cloud Resource Manager API V1 and it supports additional features such as tags and conditions. To get more information about Organization Policies, see:

Frequently asked questions

What is Google Cloud Platform Project Organization Policy?

Google Cloud Platform Project Organization Policy is a resource for Cloud Platform in Google Cloud Platform. Settings can be written in Terraform.

Where can I find the example code for the Google Cloud Platform Project Organization Policy?

For Terraform, the jkwong888/gke-nap-gitlab-runner, ejmadkins/config-sync-kcc-policy-demo and THT27/terraform-valiadator source code examples are useful. See the Terraform Example section for further details.
