Google Cloud Platform Project Organization Policy

This page shows how to write Terraform for the Cloud Platform Project Organization Policy resource and how to configure it securely.

google_project_organization_policy (Terraform)

The Project Organization Policy in Cloud Platform can be configured in Terraform with the resource name google_project_organization_policy. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

org_policy.tf#L1
resource "google_project_organization_policy" "shielded_vm_disable" {
  project    = data.google_project.service_project.project_id
  constraint = "constraints/compute.requireShieldedVm"

  # enforced = false explicitly relaxes the constraint for this project
  boolean_policy {
    enforced = false
  }
}
main.tf#L19
resource "google_project_organization_policy" "os_login" {
  project    = var.project
  constraint = "compute.requireOsLogin"

  # restore_policy drops the project-level override and falls back to the parent policy
  restore_policy {
    default = true
  }
}
example_project_organization_policy.tf#L39
resource "google_project_organization_policy" "services_policy" {
  project    = "{{.Provider.project}}"
  constraint = "serviceuser.services"

  list_policy {
    allow {
      # allowed values were truncated in the source excerpt (one of all or values is required here)
    }
  }
}
list_constraints.tf#L36
resource "google_project_organization_policy" "project_policy_list_allow_all" {
  count = local.project && local.list_policy && local.enforce == false ? 1 : 0

  project    = var.project_id
  constraint = var.constraint
  # body truncated in the source excerpt; the allow-all list policy is inferred from the resource name
  list_policy {
    allow { all = true }
  }
}

policy.tf#L1
resource "google_project_organization_policy" "bool-policies" {
  for_each = {
    "iam.disableServiceAccountCreation" : false,
    "iam.disableServiceAccountKeyCreation" : false,
    "compute.disableGuestAttributesAccess" : false,
    "compute.requireShieldedVm" : false,
  }
  # remainder truncated in the source excerpt; the body below is inferred (var.project_id is assumed)
  project    = var.project_id
  constraint = each.key
  boolean_policy { enforced = each.value }
}

Review your Terraform file for Google best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

  • constraint required - string

The name of the Constraint the Policy is configuring, for example, serviceuser.services.

  • etag optional computed - string

The etag of the organization policy. etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other.

  • id optional computed - string
  • project required - string

The project ID.

  • update_time optional computed - string

The timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds, representing when the Policy was last updated. Example: "2016-10-09T12:33:37.578138407Z".

  • version optional computed - number

Version of the Policy. Default version is 0.

  • boolean_policy list block
    • enforced required - bool

    If true, then the Policy is enforced. If false, then any configuration is acceptable.

  • list_policy list block
    • inherit_from_parent optional - bool

    If set to true, the values from the effective Policy of the parent resource are inherited, meaning the values set in this Policy are added to the values inherited up the hierarchy.

    • suggested_value optional - string

    The Google Cloud Console will try to default to a configuration that matches the value specified in this field.

    • allow list block
      • all optional - bool

      The policy allows or denies all values.

      • values optional - set of string

      The policy can define specific values that are allowed or denied.

    • deny list block
      • all optional - bool

      The policy allows or denies all values.

      • values optional - set of string

      The policy can define specific values that are allowed or denied.

  • restore_policy list block
    • default required - bool

    May only be set to true. If set, then the default Policy is restored.

  • timeouts single block
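As an added example (not code from this page or from any of the repositories it cites), the following configuration uses the three policy block types described above from a hardening standpoint: boolean constraints set to enforced = true, a list constraint narrowed with deny while still inheriting the parent's list, and restore_policy to drop a project-level override. It assumes a variable project_id and a configured google provider; the constraint compute.vmExternalIpAccess does not appear elsewhere on this page.

```hcl
# Added example; assumes var.project_id and a configured google provider.
variable "project_id" {
  type = string
}

# Boolean constraints: enforced = true turns the restriction on.
# Setting enforced = false, as several of the excerpts above do, explicitly
# relaxes the constraint for this project and overrides a stricter parent.
locals {
  enforced_bool_constraints = [
    "constraints/compute.requireShieldedVm",
    "constraints/compute.requireOsLogin",
    "constraints/iam.disableServiceAccountKeyCreation",
  ]
}

resource "google_project_organization_policy" "enforce_bool" {
  for_each   = toset(local.enforced_bool_constraints)
  project    = var.project_id
  constraint = each.value

  boolean_policy {
    enforced = true
  }
}

# List constraint: deny all values but keep inherit_from_parent = true, so
# this policy can only narrow what the parent hierarchy already allows.
# compute.vmExternalIpAccess lists VM instances permitted to have external IPs.
resource "google_project_organization_policy" "deny_external_ips" {
  project    = var.project_id
  constraint = "constraints/compute.vmExternalIpAccess"

  list_policy {
    inherit_from_parent = true
    deny {
      all = true
    }
  }
}

# restore_policy removes any project-level override for the constraint and
# falls back to the effective parent policy (the "default Policy" above).
resource "google_project_organization_policy" "restore_services_default" {
  project    = var.project_id
  constraint = "constraints/serviceuser.services"

  restore_policy {
    default = true
  }
}
```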

Explanation in Terraform Registry

Allows management of Organization Policies for a Google Cloud Project.

Warning: This resource has been superseded by google_org_policy_policy. google_org_policy_policy uses Organization Policy API V2 instead of Cloud Resource Manager API V1 and it supports additional features such as tags and conditions. To get more information about Organization Policies, see:

Tips: Best Practices for The Other Google Cloud Platform Resources

In addition to the resource above, Google Cloud Platform has other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

google_project

Ensure project-level default network creation is disabled

It is better to disable the auto-creation of default networks. The default network for a GCP project is usually configured coarsely, leaving the risk of unwanted access to resources in the network.

Review your Google Cloud Platform settings

In addition to the above, there are other security points you should be aware of to make sure that your .tf files are protected; Shisho Cloud checks them for you.

Frequently asked questions

What is Google Cloud Platform Project Organization Policy?

Google Cloud Platform Project Organization Policy is a resource for Cloud Platform of Google Cloud Platform. Settings can be written in Terraform.

Where can I find the example code for the Google Cloud Platform Project Organization Policy?

For Terraform, the jkwong888/gke-nap-gitlab-runner, ejmadkins/config-sync-kcc-policy-demo and THT27/terraform-valiadator source code examples are useful. See the Terraform Example section for further details.