Name | Description | Type | Default | Required |
---|---|---|---|---|
audit_data_users | Google Workspace or Cloud Identity group that have access to audit logs. | string |
n/a | yes |
audit_logs_table_delete_contents_on_destroy | (Optional) If set to true, delete all the tables in the dataset when destroying the resource; otherwise, destroying the resource will fail if tables are present. | bool |
false |
no |
audit_logs_table_expiration_days | Period before tables expire for all audit logs in milliseconds. Default is 30 days. | number |
30 |
no |
billing_data_users | Google Workspace or Cloud Identity group that have access to billing data set. | string |
n/a | yes |
billing_export_dataset_location | The location of the dataset for billing data export. | string |
"US" |
no |
create_access_context_manager_access_policy | Whether to create access context manager access policy. | bool |
true |
no |
create_unique_tag_key | Creates unique organization-wide tag keys by adding a random suffix to each key. | bool |
false |
no |
data_access_logs_enabled | Enable Data Access logs of types DATA_READ, DATA_WRITE for all GCP services. Enabling Data Access logs might result in your organization being charged for the additional logs usage. See https://cloud.google.com/logging/docs/audit#data-access The ADMIN_READ logs are enabled by default. | bool |
false |
no |
domains_to_allow | The list of domains to allow users from in IAM. Used by Domain Restricted Sharing Organization Policy. Must include the domain of the organization you are deploying the foundation. To add other domains you must also grant access to these domains to the Terraform Service Account used in the deploy. | list(string) |
n/a | yes |
enable_hub_and_spoke | Enable Hub-and-Spoke architecture. | bool |
false |
no |
enforce_allowed_worker_pools | Whether to enforce the organization policy restriction on allowed worker pools for Cloud Build. | bool |
false |
no |
essential_contacts_domains_to_allow | The list of domains that email addresses added to Essential Contacts can have. | list(string) |
n/a | yes |
essential_contacts_language | Essential Contacts preferred language for notifications, as a ISO 639-1 language code. See Supported languages for a list of supported languages. | string |
"en" |
no |
gcp_groups | Groups to grant specific roles in the Organization. platform_viewer: Google Workspace or Cloud Identity group that have the ability to view resource information across the Google Cloud organization. security_reviewer: Google Workspace or Cloud Identity group that members are part of the security team responsible for reviewing cloud security network_viewer: Google Workspace or Cloud Identity group that members are part of the networking team and review network configurations. scc_admin: Google Workspace or Cloud Identity group that can administer Security Command Center. audit_viewer: Google Workspace or Cloud Identity group that members are part of an audit team and view audit logs in the logging project. global_secrets_admin: Google Workspace or Cloud Identity group that members are responsible for putting secrets into Secrets Manage |
object({ |
{} |
no |
gcp_user | Users to grant specific roles in the Organization. org_admin: Identity that has organization administrator permissions. billing_creator: Identity that can create billing accounts. billing_admin: Identity that has billing administrator permissions. |
object({ |
{} |
no |
log_export_storage_force_destroy | (Optional) If set to true, delete all contents when destroying the resource; otherwise, destroying the resource will fail if contents are present. | bool |
false |
no |
log_export_storage_location | The location of the storage bucket used to export logs. | string |
"US" |
no |
log_export_storage_retention_policy | Configuration of the bucket's data retention policy for how long objects in the bucket should be retained. | object({ |
null |
no |
log_export_storage_versioning | (Optional) Toggles bucket versioning, ability to retain a non-current object version when the live object version gets replaced or deleted. | bool |
false |
no |
project_budget | Budget configuration for projects. budget_amount: The amount to use as the budget. alert_spent_percents: A list of percentages of the budget to alert on when threshold is exceeded. alert_pubsub_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of projects/{project_id}/topics/{topic_id} . |
object({ |
{} |
no |
remote_state_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | string |
n/a | yes |
scc_notification_filter | Filter used to create the Security Command Center Notification, you can see more details on how to create filters in https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications#create-filter | string |
"state = \"ACTIVE\"" |
no |
scc_notification_name | Name of the Security Command Center Notification. It must be unique in the organization. Run gcloud scc notifications describe <scc_notification_name> --organization=org_id to check if it already exists. |
string |
n/a | yes |
Name | Description |
---|---|
base_net_hub_project_id | The Base Network hub project ID |
common_folder_name | The common folder name |
dns_hub_project_id | The DNS hub project ID |
domains_to_allow | The list of domains to allow users from in IAM. |
interconnect_project_id | The Dedicated Interconnect project ID |
interconnect_project_number | The Dedicated Interconnect project number |
logs_export_bigquery_dataset_name | The log bucket for destination of log exports. See https://cloud.google.com/logging/docs/routing/overview#buckets |
logs_export_logbucket_name | The log bucket for destination of log exports. See https://cloud.google.com/logging/docs/routing/overview#buckets |
logs_export_pubsub_topic | The Pub/Sub topic for destination of log exports |
logs_export_storage_bucket_name | The storage bucket for destination of log exports |
org_audit_logs_project_id | The org audit logs project ID |
org_billing_logs_project_id | The org billing logs project ID |
org_id | The organization id |
org_secrets_project_id | The org secrets project ID |
parent_resource_id | The parent resource id |
parent_resource_type | The parent resource type |
restricted_net_hub_project_id | The Restricted Network hub project ID |
restricted_net_hub_project_number | The Restricted Network hub project number |
scc_notification_name | Name of SCC Notification |
scc_notifications_project_id | The SCC notifications project ID |
tags | Tag Values to be applied on next steps |