google_organization_policy
Allows management of Organization policies for a Google Organization. For more information see the official documentation and API.
Example Usage
To set policy with a boolean constraint:
resource "google_organization_policy" "serial_port_policy" { org_id = "123456789" constraint = "compute.disableSerialPortAccess" boolean_policy { enforced = true } }
To set a policy with a list contraint:
resource "google_organization_policy" "services_policy" { org_id = "123456789" constraint = "serviceuser.services" list_policy { allow { all = true } } }
Or to deny some services, use the following instead:
resource "google_organization_policy" "services_policy" { org_id = "123456789" constraint = "serviceuser.services" list_policy { suggested_values = "compute.googleapis.com" deny { values = ["cloudresourcemanager.googleapis.com"] } } }
To restore the default organization policy, use the following instead:
resource "google_organization_policy" "services_policy" { org_id = "123456789" constraint = "serviceuser.services" restore_policy { default = true } }
Argument Reference
The following arguments are supported:
-
org_id
- (Required) The numeric ID of the organization to set the policy for. -
constraint
- (Required) The name of the Constraint the Policy is configuring, for example,serviceuser.services
. Check out the complete list of available constraints.
-
version
- (Optional) Version of the Policy. Default version is 0. -
boolean_policy
- (Optional) A boolean policy is a constraint that is either enforced or not. Structure is documented below. -
list_policy
- (Optional) A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below. -
restore_policy
- (Optional) A restore policy is a constraint to restore the default policy. Structure is documented below.
The boolean_policy
block supports:
-
enforced
- (Required) If true, then the Policy is enforced. If false, then any configuration is acceptable.
The list_policy
block supports:
-
allow
ordeny
- (Optional) One or the other must be set. -
suggested_values
- (Optional) The Google Cloud Console will try to default to a configuration that matches the value specified in this field.
The allow
or deny
blocks support:
-
all
- (Optional) The policy allows or denies all values. -
values
- (Optional) The policy can define specific values that are allowed or denied.
The restore_policy
block supports:
-
default
- (Required) May only be set to true. If set, then the default Policy is restored.
Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
-
etag
- (Computed) The etag of the organization policy.etag
is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. -
update_time
- (Computed) The timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds, representing when the variable was last updated. Example: "2016-10-09T12:33:37.578138407Z".
Import
Organization Policies can be imported using the org_id
and the contraint
, e.g.
$ terraform import google_organization_policy.services_policy 123456789:constraints/serviceuser.services
© 2018 HashiCorpLicensed under the MPL 2.0 License.
https://www.terraform.io/docs/providers/google/r/google_organization_policy.html