This module allows the creation and management of folders, including support for IAM bindings, organization policies, and hierarchical firewall rules.
module "folder" {
source = "./fabric/modules/folder"
parent = "organizations/1234567890"
name = "Folder name"
group_iam = {
"[email protected]" = [
"roles/owner",
"roles/resourcemanager.folderAdmin",
"roles/resourcemanager.projectCreator"
]
}
iam = {
"roles/owner" = ["user:[email protected]"]
}
iam_additive = {
"roles/compute.admin" = ["user:[email protected]", "user:[email protected]"]
"roles/compute.viewer" = ["user:[email protected]"]
}
iam_additive_members = {
"user:[email protected]" = ["roles/storage.admin"]
"user:[email protected]" = ["roles/storage.objectViewer"]
}
}
# tftest modules=1 resources=9 inventory=iam.yaml
There are two mutually exclusive ways at the role level of managing IAM in this module
- non-authoritative via the
iam_additive
andiam_additive_members
variables, where bindings created outside this module will coexist with those managed here - authoritative via the
group_iam
andiam
variables, where bindings created outside this module (eg in the console) will be removed at eachterraform apply
cycle if the same role is also managed here
Some care must be taken with the groups_iam
variable (and in some situations with the additive variables) to ensure that variable keys are static values, so that Terraform is able to compute the dependency graph.
To manage organization policies, the orgpolicy.googleapis.com
service should be enabled in the quota project.
module "folder" {
source = "./fabric/modules/folder"
parent = "organizations/1234567890"
name = "Folder name"
org_policies = {
"compute.disableGuestAttributesAccess" = {
rules = [{ enforce = true }]
}
"compute.skipDefaultNetworkCreation" = {
rules = [{ enforce = true }]
}
"iam.disableServiceAccountKeyCreation" = {
rules = [{ enforce = true }]
}
"iam.disableServiceAccountKeyUpload" = {
rules = [
{
condition = {
expression = "resource.matchTagId('tagKeys/1234', 'tagValues/1234')"
title = "condition"
description = "test condition"
location = "somewhere"
}
enforce = true
},
{
enforce = false
}
]
}
"iam.allowedPolicyMemberDomains" = {
rules = [{
allow = {
values = ["C0xxxxxxx", "C0yyyyyyy"]
}
}]
}
"compute.trustedImageProjects" = {
rules = [{
allow = {
values = ["projects/my-project"]
}
}]
}
"compute.vmExternalIpAccess" = {
rules = [{ deny = { all = true } }]
}
}
}
# tftest modules=1 resources=8 inventory=org-policies.yaml
See the organization policy factory in the project module.
Hierarchical firewall policies can be managed in two ways:
- via the
firewall_policies
variable, to directly define policies and rules in Terraform - via the
firewall_policy_factory
variable, to leverage external YaML files via a simple "factory" embedded in the module (see here for more context on factories)
Once you have policies (either created via the module or externally), you can associate them using the firewall_policy_association
variable.
module "folder1" {
source = "./fabric/modules/folder"
parent = var.organization_id
name = "policy-container"
firewall_policies = {
iap-policy = {
allow-admins = {
description = "Access from the admin subnet to all subnets"
direction = "INGRESS"
action = "allow"
priority = 1000
ranges = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
ports = { all = [] }
target_service_accounts = null
target_resources = null
logging = false
}
allow-iap-ssh = {
description = "Always allow ssh from IAP"
direction = "INGRESS"
action = "allow"
priority = 100
ranges = ["35.235.240.0/20"]
ports = { tcp = ["22"] }
target_service_accounts = null
target_resources = null
logging = false
}
}
}
firewall_policy_association = {
iap-policy = "iap-policy"
}
}
module "folder2" {
source = "./fabric/modules/folder"
parent = var.organization_id
name = "hf2"
firewall_policy_association = {
iap-policy = module.folder1.firewall_policy_id["iap-policy"]
}
}
# tftest modules=2 resources=7 inventory=hfw.yaml
The in-built factory allows you to define a single policy, using one file for rules, and an optional file for CIDR range substitution variables. Remember that non-absolute paths are relative to the root module (the folder where you run terraform
).
module "folder1" {
source = "./fabric/modules/folder"
parent = var.organization_id
name = "policy-container"
firewall_policy_factory = {
cidr_file = "configs/firewall-policies/cidrs.yaml"
policy_name = "iap-policy"
rules_file = "configs/firewall-policies/rules.yaml"
}
firewall_policy_association = {
iap-policy = "iap-policy"
}
}
module "folder2" {
source = "./fabric/modules/folder"
parent = var.organization_id
name = "hf2"
firewall_policy_association = {
iap-policy = module.folder1.firewall_policy_id["iap-policy"]
}
}
# tftest modules=2 resources=7 files=cidrs,rules inventory=hfw.yaml
# tftest-file id=cidrs path=configs/firewall-policies/cidrs.yaml
rfc1918:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
# tftest-file id=rules path=configs/firewall-policies/rules.yaml
allow-admins:
description: Access from the admin subnet to all subnets
direction: INGRESS
action: allow
priority: 1000
ranges:
- $rfc1918
ports:
all: []
target_resources: null
logging: false
allow-iap-ssh:
description: "Always allow ssh from IAP"
direction: INGRESS
action: allow
priority: 100
ranges:
- 35.235.240.0/20
ports:
tcp: ["22"]
target_resources: null
logging: false
module "gcs" {
source = "./fabric/modules/gcs"
project_id = "my-project"
name = "gcs_sink"
force_destroy = true
}
module "dataset" {
source = "./fabric/modules/bigquery-dataset"
project_id = "my-project"
id = "bq_sink"
}
module "pubsub" {
source = "./fabric/modules/pubsub"
project_id = "my-project"
name = "pubsub_sink"
}
module "bucket" {
source = "./fabric/modules/logging-bucket"
parent_type = "project"
parent = "my-project"
id = "bucket"
}
module "folder-sink" {
source = "./fabric/modules/folder"
parent = "folders/657104291943"
name = "my-folder"
logging_sinks = {
warnings = {
destination = module.gcs.id
filter = "severity=WARNING"
type = "storage"
}
info = {
destination = module.dataset.id
filter = "severity=INFO"
type = "bigquery"
}
notice = {
destination = module.pubsub.id
filter = "severity=NOTICE"
type = "pubsub"
}
debug = {
destination = module.bucket.id
filter = "severity=DEBUG"
exclusions = {
no-compute = "logName:compute"
}
type = "logging"
}
}
logging_exclusions = {
no-gce-instances = "resource.type=gce_instance"
}
}
# tftest modules=5 resources=14 inventory=logging.yaml
Refer to the Creating and managing tags documentation for details on usage.
module "org" {
source = "./fabric/modules/organization"
organization_id = var.organization_id
tags = {
environment = {
description = "Environment specification."
iam = null
values = {
dev = null
prod = null
}
}
}
}
module "folder" {
source = "./fabric/modules/folder"
name = "Test"
parent = module.org.organization_id
tag_bindings = {
env-prod = module.org.tag_values["environment/prod"].id
foo = "tagValues/12345678"
}
}
# tftest modules=2 resources=6 inventory=tags.yaml
name | description | resources |
---|---|---|
firewall-policies.tf | None | google_compute_firewall_policy · google_compute_firewall_policy_association · google_compute_firewall_policy_rule |
iam.tf | IAM bindings, roles and audit logging resources. | google_folder_iam_binding · google_folder_iam_member |
logging.tf | Log sinks and supporting resources. | google_bigquery_dataset_iam_member · google_logging_folder_exclusion · google_logging_folder_sink · google_project_iam_member · google_pubsub_topic_iam_member · google_storage_bucket_iam_member |
main.tf | Module-level locals and resources. | google_essential_contacts_contact · google_folder |
organization-policies.tf | Folder-level organization policies. | google_org_policy_policy |
outputs.tf | Module outputs. | |
tags.tf | None | google_tags_tag_binding |
variables.tf | Module variables. | |
versions.tf | Version pins. |
name | description | type | required | default |
---|---|---|---|---|
contacts | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | map(list(string)) |
{} |
|
firewall_policies | Hierarchical firewall policies created in this folder. | map(map(object({…}))) |
{} |
|
firewall_policy_association | The hierarchical firewall policy to associate to this folder. Must be either a key in the firewall_policies map or the id of a policy defined somewhere else. |
map(string) |
{} |
|
firewall_policy_factory | Configuration for the firewall policy factory. | object({…}) |
null |
|
folder_create | Create folder. When set to false, uses id to reference an existing folder. | bool |
true |
|
group_iam | Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the iam variable. |
map(list(string)) |
{} |
|
iam | IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string)) |
{} |
|
iam_additive | Non authoritative IAM bindings, in {ROLE => [MEMBERS]} format. | map(list(string)) |
{} |
|
iam_additive_members | IAM additive bindings in {MEMBERS => [ROLE]} format. This might break if members are dynamic values. | map(list(string)) |
{} |
|
id | Folder ID in case you use folder_create=false. | string |
null |
|
logging_exclusions | Logging exclusions for this folder in the form {NAME -> FILTER}. | map(string) |
{} |
|
logging_sinks | Logging sinks to create for the organization. | map(object({…})) |
{} |
|
name | Folder name. | string |
null |
|
org_policies | Organization policies applied to this folder keyed by policy name. | map(object({…})) |
{} |
|
org_policies_data_path | Path containing org policies in YAML format. | string |
null |
|
parent | Parent in folders/folder_id or organizations/org_id format. | string |
null |
|
tag_bindings | Tag bindings for this folder, in key => tag value id format. | map(string) |
null |
name | description | sensitive |
---|---|---|
firewall_policies | Map of firewall policy resources created in this folder. | |
firewall_policy_id | Map of firewall policy ids created in this folder. | |
folder | Folder resource. | |
id | Fully qualified folder id. | |
name | Folder name. | |
sink_writer_identities | Writer identities created for each sink. |