google_organization_policy

Allows management of Organization policies for a Google Organization. For more information see the official documentation and API.

Example Usage

To set policy with a boolean constraint:

resource "google_organization_policy" "serial_port_policy" {
  org_id     = "123456789"
  constraint = "compute.disableSerialPortAccess"

  boolean_policy {
    enforced = true
  }
}

To set a policy with a list constraint:

resource "google_organization_policy" "services_policy" {
  org_id     = "123456789"
  constraint = "serviceuser.services"

  list_policy {
    allow {
      all = true
    }
  }
}

Or to deny some services, use the following instead:

resource "google_organization_policy" "services_policy" {
  org_id     = "123456789"
  constraint = "serviceuser.services"

  list_policy {
    suggested_values = "compute.googleapis.com"

    deny {
      values = ["cloudresourcemanager.googleapis.com"]
    }
  }
}

To restore the default organization policy, use the following instead:

resource "google_organization_policy" "services_policy" {
  org_id     = "123456789"
  constraint = "serviceuser.services"

  restore_policy {
    default = true
  }
}

Argument Reference

The following arguments are supported:

  • version - (Optional) Version of the Policy. Default version is 0.

  • boolean_policy - (Optional) A boolean policy is a constraint that is either enforced or not. Structure is documented below.

  • list_policy - (Optional) A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below.

  • restore_policy - (Optional) A restore policy is a constraint to restore the default policy. Structure is documented below.

The boolean_policy block supports:

  • enforced - (Required) If true, then the Policy is enforced. If false, then any configuration is acceptable.

The list_policy block supports:

  • allow or deny - (Optional) One or the other must be set.

  • suggested_values - (Optional) The Google Cloud Console will try to default to a configuration that matches the value specified in this field.

The allow or deny blocks support:

  • all - (Optional) The policy allows or denies all values.

  • values - (Optional) The policy can define specific values that are allowed or denied.

The restore_policy block supports:

  • default - (Required) May only be set to true. If set, then the default Policy is restored.
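As an added example (not from the original page), the allow-list form of list_policy, which the examples above do not show: only an explicitly named set of services is allowed, a suggested_values hint is given for the Cloud Console, and version is set explicitly. The org_id and the service names are placeholder values.

```hcl
# Added example: allow-list form of list_policy.
# The org_id and service names below are placeholders, not real values.
resource "google_organization_policy" "allowed_services_policy" {
  org_id     = "123456789"
  constraint = "serviceuser.services"
  version    = 0

  list_policy {
    # Hint for the Cloud Console: default to this choice where it matches.
    suggested_values = "compute.googleapis.com"

    # Set either allow or deny, not both. Inside the block, use either
    # all = true or an explicit values list.
    allow {
      values = [
        "compute.googleapis.com",
        "storage-component.googleapis.com",
      ]
    }
  }
}
```

Because an organization policy applies to every project under the organization, review the terraform plan output for this resource before applying it.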

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • etag - (Computed) The etag of the organization policy. etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other.

  • update_time - (Computed) The timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds, representing when the policy was last updated. Example: "2016-10-09T12:33:37.578138407Z".

Import

Organization Policies can be imported using the org_id and the constraint, e.g.

$ terraform import google_organization_policy.services_policy 123456789:constraints/serviceuser.services

© 2018 HashiCorp
Licensed under the MPL 2.0 License.
https://www.terraform.io/docs/providers/google/r/google_organization_policy.html