Add network tags support to the organization module (#979)
Showing
9 changed files
with
185 additions
and
91 deletions.
|
@@ -375,7 +375,7 @@ module "org" { | |
"roles/resourcemanager.tagAdmin" = ["group:[email protected]"] | ||
} | ||
values = { | ||
dev = null | ||
dev = {} | ||
prod = { | ||
description = "Environment: production." | ||
iam = { | ||
|
@@ -393,6 +393,34 @@ module "org" { | |
# tftest modules=1 resources=7 | ||
``` | ||
|
||
You can also define network tags, through a dedicated variable *network_tags*: | ||
|
||
```hcl | ||
module "org" { | ||
source = "./fabric/modules/organization" | ||
organization_id = var.organization_id | ||
network_tags = { | ||
net-environment = { | ||
description = "This is a network tag." | ||
network = "my_project/my_vpc" | ||
iam = { | ||
"roles/resourcemanager.tagAdmin" = ["group:[email protected]"] | ||
} | ||
values = { | ||
dev = null | ||
prod = { | ||
description = "Environment: production." | ||
iam = { | ||
"roles/resourcemanager.tagUser" = ["user:[email protected]"] | ||
} | ||
} | ||
} | ||
} | ||
} | ||
} | ||
# tftest modules=1 resources=5 | ||
``` | ||
|
||
<!-- TFDOC OPTS files:1 --> | ||
<!-- BEGIN TFDOC --> | ||
|
||
|
@@ -415,7 +443,7 @@ module "org" { | |
|
||
| name | description | type | required | default | | ||
|---|---|:---:|:---:|:---:| | ||
| [organization_id](variables.tf#L225) | Organization id in organizations/nnnnnn format. | <code>string</code> | ✓ | | | ||
| [organization_id](variables.tf#L246) | Organization id in organizations/nnnnnn format. | <code>string</code> | ✓ | | | ||
| [contacts](variables.tf#L17) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | <code>map(list(string))</code> | | <code>{}</code> | | ||
| [custom_roles](variables.tf#L24) | Map of role name => list of permissions to create in this project. | <code>map(list(string))</code> | | <code>{}</code> | | ||
| [firewall_policies](variables.tf#L31) | Hierarchical firewall policy rules created in the organization. | <code title="map(map(object({ action = string description = string direction = string logging = bool ports = map(list(string)) priority = number ranges = list(string) target_resources = list(string) target_service_accounts = list(string) })))">map(map(object({…})))</code> | | <code>{}</code> | | ||
|
@@ -430,24 +458,27 @@ module "org" { | |
| [iam_bindings_authoritative](variables.tf#L116) | IAM authoritative bindings, in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared. Bindings should also be authoritative when using authoritative audit config. Use with caution. | <code>map(list(string))</code> | | <code>null</code> | | ||
| [logging_exclusions](variables.tf#L122) | Logging exclusions for this organization in the form {NAME -> FILTER}. | <code>map(string)</code> | | <code>{}</code> | | ||
| [logging_sinks](variables.tf#L129) | Logging sinks to create for the organization. | <code title="map(object({ bq_partitioned_table = optional(bool) description = optional(string) destination = string disabled = optional(bool, false) exclusions = optional(map(string), {}) filter = string include_children = optional(bool, true) type = string }))">map(object({…}))</code> | | <code>{}</code> | | ||
| [org_policies](variables.tf#L159) | Organization policies applied to this organization keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. condition = object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }) })), []) }))">map(object({…}))</code> | | <code>{}</code> | | ||
| [org_policies_data_path](variables.tf#L199) | Path containing org policies in YAML format. | <code>string</code> | | <code>null</code> | | ||
| [org_policy_custom_constraints](variables.tf#L205) | Organization policiy custom constraints keyed by constraint name. | <code title="map(object({ display_name = optional(string) description = optional(string) action_type = string condition = string method_types = list(string) resource_types = list(string) }))">map(object({…}))</code> | | <code>{}</code> | | ||
| [org_policy_custom_constraints_data_path](variables.tf#L219) | Path containing org policy custom constraints in YAML format. | <code>string</code> | | <code>null</code> | | ||
| [tag_bindings](variables.tf#L235) | Tag bindings for this organization, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> | | ||
| [tags](variables.tf#L241) | Tags by key name. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = string iam = map(list(string)) values = map(object({ description = string iam = map(list(string)) })) }))">map(object({…}))</code> | | <code>null</code> | | ||
| [network_tags](variables.tf#L159) | Network tags by key name. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) network = string # project_id/vpc_name values = optional(map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) })), {}) }))">map(object({…}))</code> | | <code>{}</code> | | ||
| [org_policies](variables.tf#L180) | Organization policies applied to this organization keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. condition = object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }) })), []) }))">map(object({…}))</code> | | <code>{}</code> | | ||
| [org_policies_data_path](variables.tf#L220) | Path containing org policies in YAML format. | <code>string</code> | | <code>null</code> | | ||
| [org_policy_custom_constraints](variables.tf#L226) | Organization policiy custom constraints keyed by constraint name. | <code title="map(object({ display_name = optional(string) description = optional(string) action_type = string condition = string method_types = list(string) resource_types = list(string) }))">map(object({…}))</code> | | <code>{}</code> | | ||
| [org_policy_custom_constraints_data_path](variables.tf#L240) | Path containing org policy custom constraints in YAML format. | <code>string</code> | | <code>null</code> | | ||
| [tag_bindings](variables.tf#L275) | Tag bindings for this organization, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> | | ||
| [tags](variables.tf#L255) | Tags by key name. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) values = optional(map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) })), {}) }))">map(object({…}))</code> | | <code>{}</code> | | ||
|
||
## Outputs | ||
|
||
| name | description | sensitive | | ||
|---|---|:---:| | ||
| [custom_role_id](outputs.tf#L18) | Map of custom role IDs created in the organization. | | | ||
| [custom_roles](outputs.tf#L31) | Map of custom roles resources created in the organization. | | | ||
| [firewall_policies](outputs.tf#L36) | Map of firewall policy resources created in the organization. | | | ||
| [firewall_policy_id](outputs.tf#L41) | Map of firewall policy ids created in the organization. | | | ||
| [organization_id](outputs.tf#L46) | Organization id dependent on module resources. | | | ||
| [sink_writer_identities](outputs.tf#L63) | Writer identities created for each sink. | | | ||
| [tag_keys](outputs.tf#L71) | Tag key resources. | | | ||
| [tag_values](outputs.tf#L78) | Tag value resources. | | | ||
| [custom_role_id](outputs.tf#L17) | Map of custom role IDs created in the organization. | | | ||
| [custom_roles](outputs.tf#L30) | Map of custom roles resources created in the organization. | | | ||
| [firewall_policies](outputs.tf#L35) | Map of firewall policy resources created in the organization. | | | ||
| [firewall_policy_id](outputs.tf#L40) | Map of firewall policy ids created in the organization. | | | ||
| [network_tag_keys](outputs.tf#L45) | Tag key resources. | | | ||
| [network_tag_values](outputs.tf#L52) | Tag value resources. | | | ||
| [organization_id](outputs.tf#L60) | Organization id dependent on module resources. | | | ||
| [sink_writer_identities](outputs.tf#L77) | Writer identities created for each sink. | | | ||
| [tag_keys](outputs.tf#L85) | Tag key resources. | | | ||
| [tag_values](outputs.tf#L92) | Tag value resources. | | | ||
|
||
<!-- END TFDOC --> |
@@ -0,0 +1,5 @@ | ||
network_tags = { | ||
net_environment = { | ||
network = "foobar" | ||
} | ||
} |
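Review bot: The fixture value `network = "foobar"` does not follow the `project_id/vpc_name` form the new variable documents (`network = string # project_id/vpc_name` in the README table, `"my_project/my_vpc"` in the example), so the plan-only test never exercises a realistically shaped value. If the module derives the parent network from that string, a value without the slash could only fail at apply time, which this fixture will not catch; `network = "my-project/my-vpc"` keeps the test aligned with the documented contract. Whether variables.tf adds a `validation` block on `network_tags` is not visible in this commit; if it does not, a check such as `can(regex("^[^/]+/[^/]+$", v.network))` would surface a malformed value at plan time, and the fixture could then also carry the negative case. The file header for this fixture section is not shown here, so the path is inferred from the surrounding context.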
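--- a/tests/modules/organization/fixture/test.resource_tags.tfvars
+++ b/tests/modules/organization/fixture/test.resource_tags.tfvars
@@ -0,0 +1,38 @@
+tags = {
+foo = {}
+bar = {
+description = null
+iam = null
+values = null
+}
+foobar = {
+description = "Foobar tag."
+iam = {
+"roles/resourcemanager.tagAdmin" = [
+"user:[email protected]", "user:[email protected]"
+]
+}
+values = {
+one = null
+two = {
+description = "Foobar 2."
+iam = {
+"roles/resourcemanager.tagViewer" = [
+"user:[email protected]"
+]
+}
+}
+three = {
+description = "Foobar 3."
+iam = {
+"roles/resourcemanager.tagViewer" = [
+"user:[email protected]"
+]
+"roles/resourcemanager.tagAdmin" = [
+"user:[email protected]"
+]
+}
+}
+}
+}
+}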