google_organization_iam_policy

Allows management of the entire IAM policy for an existing Google Cloud Platform Organization.

Warning: New organizations have several default policies which will, without extreme caution, be overwritten by use of this resource. The safest alternative is to use multiple google_organization_iam_binding resources. It is easy to use this resource to remove your own access to an organization, which will require a call to Google Support to have fixed, and can take multiple days to resolve. If you do use this resource, the best way to be sure that you are not making dangerous changes is to start by importing your existing policy, and examining the diff very closely.

Note: This resource must not be used in conjunction with google_organization_iam_member or google_organization_iam_binding or they will fight over what your policy should be.

Example Usage

resource "google_organization_iam_policy" "policy" {
  org_id = "123456789"
  policy_data = "${data.google_iam_policy.admin.policy_data}"
}

data "google_iam_policy" "admin" {
  binding {
    role = "roles/editor"

    members = [
      "user:[email protected]",
    ]
  }
}

Argument Reference

The following arguments are supported:

• org_id - (Required) The numeric ID of the organization in which you want to create a custom role.

• policy_data - (Required) The google_iam_policy data source that represents the IAM policy that will be applied to the organization. This policy overrides any existing policy applied to the organization.

Import

$ terraform import google_organization_iam_policy.my_org your-org-id