google_organization_policy

Allows management of Organization Policies for a Google Cloud Organization.

To get more information about Organization Policies, see:

Example Usage

To set a policy with a boolean constraint:

resource "google_organization_policy" "serial_port_policy" {
  org_id     = "123456789"
  constraint = "compute.disableSerialPortAccess"

  boolean_policy {
    enforced = true
  }
}

To set a policy with a list constraint:

resource "google_organization_policy" "services_policy" {
  org_id     = "123456789"
  constraint = "serviceuser.services"

  list_policy {
    allow {
      all = true
    }
  }
}

Or to deny some services, use the following instead:

resource "google_organization_policy" "services_policy" {
  org_id     = "123456789"
  constraint = "serviceuser.services"

  list_policy {
    suggested_value = "compute.googleapis.com"

    deny {
      values = ["cloudresourcemanager.googleapis.com"]
    }
  }
}

To restore the default organization policy, use the following instead:

resource "google_organization_policy" "services_policy" {
  org_id     = "123456789"
  constraint = "serviceuser.services"

  restore_policy {
    default = true
  }
}
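
As an added example (not part of the provider documentation), this Python check reads the JSON produced by `terraform show -json <planfile>` and flags the policy shapes shown above that a reviewer should look at before applying: a boolean policy with `enforced = false`, a list policy with `allow { all = true }`, a `restore_policy`, and a policy being destroyed. The plan layout (nested blocks as one-element lists under `resource_changes[].change.after`), the function names and the sample plan are assumptions constructed for illustration.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output.
# Assumption: nested blocks appear as one-element lists under change.after.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "google_organization_policy.serial_port_policy",
   "type": "google_organization_policy",
   "change": {"actions": ["create"], "after": {
     "constraint": "compute.disableSerialPortAccess",
     "boolean_policy": [{"enforced": true}], "list_policy": [], "restore_policy": []}}},
  {"address": "google_organization_policy.services_policy",
   "type": "google_organization_policy",
   "change": {"actions": ["update"], "after": {
     "constraint": "serviceuser.services", "boolean_policy": [], "restore_policy": [],
     "list_policy": [{"allow": [{"all": true, "values": null}], "deny": []}]}}},
  {"address": "google_organization_policy.removed", "type": "google_organization_policy",
   "change": {"actions": ["delete"], "after": null}}
]}
""")


def first(block):  # nested blocks are lists; return the single item or {}
    return block[0] if block else {}


def review_org_policies(plan):
    """Return (address, finding) pairs for changes a reviewer should look at."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "google_organization_policy":
            continue
        addr, after = rc["address"], rc.get("change", {}).get("after")
        if after is None:  # "after" is null when the resource is destroyed
            findings.append((addr, "policy removed"))
            continue
        boolean = first(after.get("boolean_policy"))
        if boolean and not boolean.get("enforced"):
            findings.append((addr, "boolean constraint not enforced"))
        if first(first(after.get("list_policy")).get("allow")).get("all"):
            findings.append((addr, "list constraint allows all values"))
        if first(after.get("restore_policy")).get("default"):
            findings.append((addr, "policy restored to default"))
    return findings


if __name__ == "__main__":
    for address, finding in review_org_policies(SAMPLE_PLAN):
        print(f"{address}: {finding}")
```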

Argument Reference

The following arguments are supported:



The boolean_policy block supports:

The list_policy block supports:

The allow or deny blocks support:

The restore_policy block supports:

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

Import

Organization Policies can be imported using the org_id and the constraint, e.g.

In Terraform v1.5.0 and later, use an import block to import Organization Policies using one of the formats above. For example:

import {
  id = "{{org_id}}/constraints/{{constraint}}"
  to = google_organization_policy.default
}

When using the terraform import command, Organization Policies can be imported using one of the formats above. For example:

$ terraform import google_organization_policy.default {{org_id}}/constraints/{{constraint}}

It is all right if the constraint contains a slash, as in the example above.