Allows management of Organization Policies for a Google Cloud Project.
To get more information about Organization Policies, see:
To set policy with a boolean constraint:
resource "google_project_organization_policy" "serial_port_policy" {
project = "your-project-id"
constraint = "compute.disableSerialPortAccess"
boolean_policy {
enforced = true
}
}
To set a policy with a list constraint:
resource "google_project_organization_policy" "services_policy" {
project = "your-project-id"
constraint = "serviceuser.services"
list_policy {
allow {
all = true
}
}
}
Or to deny some services, use the following instead:
resource "google_project_organization_policy" "services_policy" {
project = "your-project-id"
constraint = "serviceuser.services"
list_policy {
suggested_value = "compute.googleapis.com"
deny {
values = ["cloudresourcemanager.googleapis.com"]
}
}
}
To restore the default project organization policy, use the following instead:
resource "google_project_organization_policy" "services_policy" {
project = "your-project-id"
constraint = "serviceuser.services"
restore_policy {
default = true
}
}
The following arguments are supported:
project
- (Required) The project id of the project to set the policy for.
constraint
- (Required) The name of the Constraint the Policy is configuring, for example, serviceuser.services
. Check out the complete list of available constraints.
version
- (Optional) Version of the Policy. Default version is 0.
boolean_policy
- (Optional) A boolean policy is a constraint that is either enforced or not. Structure is documented below.
list_policy
- (Optional) A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below.
restore_policy
- (Optional) A restore policy is a constraint to restore the default policy. Structure is documented below.
The boolean_policy
block supports:
enforced
- (Required) If true, then the Policy is enforced. If false, then any configuration is acceptable.The list_policy
block supports:
allow
or deny
- (Optional) One or the other must be set.
suggested_value
- (Optional) The Google Cloud Console will try to default to a configuration that matches the value specified in this field.
inherit_from_parent
- (Optional) If set to true, the values from the effective Policy of the parent resource
are inherited, meaning the values set in this Policy are added to the values inherited up the hierarchy.
The allow
or deny
blocks support:
all
- (Optional) The policy allows or denies all values.
values
- (Optional) The policy can define specific values that are allowed or denied.
The restore_policy
block supports:
default
- (Required) May only be set to true. If set, then the default Policy is restored.In addition to the arguments listed above, the following computed attributes are exported:
etag
- (Computed) The etag of the organization policy. etag
is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other.
update_time
- (Computed) The timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds, representing when the variable was last updated. Example: "2016-10-09T12:33:37.578138407Z".
Project organization policies can be imported using any of the follow formats:
projects/{{project_id}}:constraints/{{constraint}}
{{project_id}}:constraints/{{constraint}}
{{project_id}}:{{constraint}}
In Terraform v1.5.0 and later, use an import
block to import project organization policies using one of the formats above. For example:
import {
id = "projects/{{project_id}}:constraints/{{constraint}}"
to = google_project_organization_policy.default
}
When using the terraform import
command, project organization policies can be imported using one of the formats above. For example:
$ terraform import google_project_organization_policy.default projects/{{project_id}}:constraints/{{constraint}}
$ terraform import google_project_organization_policy.default {{project_id}}:constraints/{{constraint}}
$ terraform import google_project_organization_policy.default {{project_id}}:{{constraint}}