## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| billing_export_dataset_location | The location of the dataset for billing data export. | `string` | `"US"` | no |
| cai_monitoring_kms_force_destroy | If set to true, delete the KMS keyring and keys when destroying the module; otherwise, destroying the module will fail if KMS keys are present. | `bool` | `false` | no |
| create_access_context_manager_access_policy | Whether to create the Access Context Manager access policy. | `bool` | `true` | no |
| create_unique_tag_key | Creates unique organization-wide tag keys by adding a random suffix to each key. | `bool` | `false` | no |
| data_access_logs_enabled | Enable Data Access logs of types DATA_READ and DATA_WRITE for all GCP services. Enabling Data Access logs might result in your organization being charged for the additional log usage. See https://cloud.google.com/logging/docs/audit#data-access. ADMIN_READ logs are enabled by default. | `bool` | `false` | no |
| domains_to_allow | The list of domains to allow users from in IAM. Used by the Domain Restricted Sharing organization policy. Must include the domain of the organization in which you are deploying the foundation. To add other domains you must also grant access to these domains to the Terraform service account used in the deployment. | `list(string)` | n/a | yes |
| enable_hub_and_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
| enforce_allowed_worker_pools | Whether to enforce the organization policy restriction on allowed worker pools for Cloud Build. | `bool` | `false` | no |
| essential_contacts_domains_to_allow | The list of domains that email addresses added to Essential Contacts can have. | `list(string)` | n/a | yes |
| essential_contacts_language | Essential Contacts preferred language for notifications, as an ISO 639-1 language code. See Supported languages for a list of supported languages. | `string` | `"en"` | no |
| gcp_groups | Groups to grant specific roles in the Organization.<br>platform_viewer: Google Workspace or Cloud Identity group that has the ability to view resource information across the Google Cloud organization.<br>security_reviewer: Google Workspace or Cloud Identity group whose members are part of the security team responsible for reviewing cloud security.<br>network_viewer: Google Workspace or Cloud Identity group whose members are part of the networking team and review network configurations.<br>scc_admin: Google Workspace or Cloud Identity group that can administer Security Command Center.<br>audit_viewer: Google Workspace or Cloud Identity group whose members are part of an audit team and view audit logs in the logging project.<br>global_secrets_admin: Google Workspace or Cloud Identity group whose members are responsible for putting secrets into Secret Manager. | <pre>object({<br>  audit_viewer         = optional(string, null)<br>  security_reviewer    = optional(string, null)<br>  network_viewer       = optional(string, null)<br>  scc_admin            = optional(string, null)<br>  global_secrets_admin = optional(string, null)<br>  kms_admin            = optional(string, null)<br>})</pre> | `{}` | no |
| log_export_storage_force_destroy | (Optional) If set to true, delete all contents when destroying the resource; otherwise, destroying the resource will fail if contents are present. | `bool` | `false` | no |
| log_export_storage_location | The location of the storage bucket used to export logs. | `string` | `"US"` | no |
| log_export_storage_retention_policy | Configuration of the bucket's data retention policy: how long objects in the bucket should be retained. | <pre>object({<br>  is_locked             = bool<br>  retention_period_days = number<br>})</pre> | `null` | no |
| log_export_storage_versioning | (Optional) Toggles bucket versioning, i.e. the ability to retain a non-current object version when the live object version gets replaced or deleted. | `bool` | `false` | no |
| project_budget | Budget configuration for projects.<br>budget_amount: The amount to use as the budget.<br>alert_spent_percents: A list of percentages of the budget to alert on when the threshold is exceeded.<br>alert_pubsub_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form projects/{project_id}/topics/{topic_id}.<br>alert_spend_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are CURRENT_SPEND or FORECASTED_SPEND (default). | <pre>object({<br>  dns_hub_budget_amount                         = optional(number, 1000)<br>  dns_hub_alert_spent_percents                  = optional(list(number), [1.2])<br>  dns_hub_alert_pubsub_topic                    = optional(string, null)<br>  dns_hub_budget_alert_spend_basis              = optional(string, "FORECASTED_SPEND")<br>  base_net_hub_budget_amount                    = optional(number, 1000)<br>  base_net_hub_alert_spent_percents             = optional(list(number), [1.2])<br>  base_net_hub_alert_pubsub_topic               = optional(string, null)<br>  base_net_hub_budget_alert_spend_basis         = optional(string, "FORECASTED_SPEND")<br>  base_network_budget_amount                    = optional(number, 1000)<br>  base_network_alert_spent_percents             = optional(list(number), [1.2])<br>  base_network_alert_pubsub_topic               = optional(string, null)<br>  base_network_budget_alert_spend_basis         = optional(string, "FORECASTED_SPEND")<br>  restricted_net_hub_budget_amount              = optional(number, 1000)<br>  restricted_net_hub_alert_spent_percents       = optional(list(number), [1.2])<br>  restricted_net_hub_alert_pubsub_topic         = optional(string, null)<br>  restricted_net_hub_budget_alert_spend_basis   = optional(string, "FORECASTED_SPEND")<br>  restricted_network_budget_amount              = optional(number, 1000)<br>  restricted_network_alert_spent_percents       = optional(list(number), [1.2])<br>  restricted_network_alert_pubsub_topic         = optional(string, null)<br>  restricted_network_budget_alert_spend_basis   = optional(string, "FORECASTED_SPEND")<br>  interconnect_budget_amount                    = optional(number, 1000)<br>  interconnect_alert_spent_percents             = optional(list(number), [1.2])<br>  interconnect_alert_pubsub_topic               = optional(string, null)<br>  interconnect_budget_alert_spend_basis         = optional(string, "FORECASTED_SPEND")<br>  org_secrets_budget_amount                     = optional(number, 1000)<br>  org_secrets_alert_spent_percents              = optional(list(number), [1.2])<br>  org_secrets_alert_pubsub_topic                = optional(string, null)<br>  org_secrets_budget_alert_spend_basis          = optional(string, "FORECASTED_SPEND")<br>  org_billing_logs_budget_amount                = optional(number, 1000)<br>  org_billing_logs_alert_spent_percents         = optional(list(number), [1.2])<br>  org_billing_logs_alert_pubsub_topic           = optional(string, null)<br>  org_billing_logs_budget_alert_spend_basis     = optional(string, "FORECASTED_SPEND")<br>  org_audit_logs_budget_amount                  = optional(number, 1000)<br>  org_audit_logs_alert_spent_percents           = optional(list(number), [1.2])<br>  org_audit_logs_alert_pubsub_topic             = optional(string, null)<br>  org_audit_logs_budget_alert_spend_basis       = optional(string, "FORECASTED_SPEND")<br>  org_kms_budget_amount                         = optional(number, 1000)<br>  org_kms_alert_spent_percents                  = optional(list(number), [1.2])<br>  org_kms_alert_pubsub_topic                    = optional(string, null)<br>  org_kms_budget_alert_spend_basis              = optional(string, "FORECASTED_SPEND")<br>  scc_notifications_budget_amount               = optional(number, 1000)<br>  scc_notifications_alert_spent_percents        = optional(list(number), [1.2])<br>  scc_notifications_alert_pubsub_topic          = optional(string, null)<br>  scc_notifications_budget_alert_spend_basis    = optional(string, "FORECASTED_SPEND")<br>})</pre> | `{}` | no |
| remote_state_bucket | Backend bucket to load Terraform remote state data from previous steps. | `string` | n/a | yes |
| scc_notification_filter | Filter used to create the Security Command Center notification. See https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications#create-filter for details on how to write filters. | `string` | `"state = \"ACTIVE\""` | no |
| scc_notification_name | Name of the Security Command Center notification. It must be unique in the organization. Run `gcloud scc notifications describe <scc_notification_name> --organization=org_id` to check whether it already exists. | `string` | n/a | yes |
| tfc_org_name | Name of the Terraform Cloud (TFC) organization. | `string` | `""` | no |
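The object-typed inputs above are easiest to read as a `terraform.tfvars` for this step; the following is an added example, not a file from this module's repository, and every domain, group address, bucket name and Pub/Sub topic in it is a placeholder.

```hcl
# terraform.tfvars for the org step (added example; all values are placeholders)

# Required inputs (no defaults in the table above)
remote_state_bucket                 = "REPLACE_WITH_TF_STATE_BUCKET"
domains_to_allow                    = ["example.com"]
essential_contacts_domains_to_allow = ["@example.com"]
scc_notification_name               = "scc-notify-example"

# Audit posture: DATA_READ/DATA_WRITE logs cost money but are what an
# investigation needs later; ADMIN_READ is on regardless of this flag.
data_access_logs_enabled = true

# Log export bucket: a locked retention policy cannot be shortened or removed,
# and the bucket cannot be deleted until every object has aged out of it.
# Keep is_locked = false until the retention period has been agreed on.
log_export_storage_retention_policy = {
  is_locked             = false
  retention_period_days = 365
}
log_export_storage_versioning = true

# Every key is optional(string, null); set only the groups that exist.
gcp_groups = {
  audit_viewer         = "gcp-audit-viewer@example.com"
  security_reviewer    = "gcp-security-reviewer@example.com"
  network_viewer       = "gcp-network-viewer@example.com"
  scc_admin            = "gcp-scc-admin@example.com"
  global_secrets_admin = "gcp-global-secrets-admin@example.com"
  kms_admin            = "gcp-kms-admin@example.com"
}

# Override only the audit-logs project budget; every other project keeps the
# module defaults (1000, alert at 120% of forecasted spend, no topic).
# Percentages are fractions of the budget, as in the [1.2] default.
project_budget = {
  org_audit_logs_budget_amount            = 2500
  org_audit_logs_alert_spent_percents     = [0.5, 0.9, 1.0]
  org_audit_logs_alert_pubsub_topic       = "projects/REPLACE_PROJECT_ID/topics/budget-alerts"
  org_audit_logs_budget_alert_spend_basis = "CURRENT_SPEND"
}

# Narrow the SCC notification from the default (all active findings) to
# active findings of HIGH or CRITICAL severity.
scc_notification_filter = "state = \"ACTIVE\" AND (severity = \"HIGH\" OR severity = \"CRITICAL\")"
```

Because `gcp_groups` and `project_budget` are declared with `optional(...)` attributes, a partial object like the ones above is valid; unset attributes take the defaults listed in the table.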

## Outputs

| Name | Description |
|------|-------------|
| base_net_hub_project_id | The Base Network hub project ID. |
| cai_monitoring_artifact_registry | CAI Monitoring Cloud Function Artifact Registry name. |
| cai_monitoring_asset_feed | CAI Monitoring Cloud Function Organization Asset Feed name. |
| cai_monitoring_bucket | CAI Monitoring Cloud Function source bucket name. |
| cai_monitoring_topic | CAI Monitoring Cloud Function Pub/Sub topic name. |
| common_folder_name | The common folder name. |
| dns_hub_project_id | The DNS hub project ID. |
| domains_to_allow | The list of domains to allow users from in IAM. |
| interconnect_project_id | The Dedicated Interconnect project ID. |
| interconnect_project_number | The Dedicated Interconnect project number. |
| logs_export_logbucket_linked_dataset_name | The resource name of the log bucket's linked BigQuery dataset created for Log Analytics. See https://cloud.google.com/logging/docs/log-analytics. |
| logs_export_logbucket_name | The log bucket used as the destination of log exports. See https://cloud.google.com/logging/docs/routing/overview#buckets. |
| logs_export_pubsub_topic | The Pub/Sub topic used as the destination of log exports. |
| logs_export_storage_bucket_name | The storage bucket used as the destination of log exports. |
| network_folder_name | The network folder name. |
| org_audit_logs_project_id | The org audit logs project ID. |
| org_billing_logs_project_id | The org billing logs project ID. |
| org_id | The organization ID. |
| org_kms_project_id | The org Cloud Key Management Service (KMS) project ID. |
| org_secrets_project_id | The org secrets project ID. |
| parent_resource_id | The parent resource ID. |
| parent_resource_type | The parent resource type. |
| restricted_net_hub_project_id | The Restricted Network hub project ID. |
| restricted_net_hub_project_number | The Restricted Network hub project number. |
| scc_notification_name | Name of the SCC notification. |
| scc_notifications_project_id | The SCC notifications project ID. |
| shared_vpc_projects | Base and restricted Shared VPC project info grouped by environment (development, non-production, production). |
| tags | Tag values to be applied in the next steps. |