Name | Description | Type | Default | Required |
---|---|---|---|---|
billing_export_dataset_location | The location of the dataset for billing data export. | string |
"US" |
no |
cai_monitoring_kms_force_destroy | If set to true, delete KMS keyring and keys when destroying the module; otherwise, destroying the module will fail if KMS keys are present. | bool |
false |
no |
create_access_context_manager_access_policy | Whether to create access context manager access policy. | bool |
true |
no |
create_unique_tag_key | Creates unique organization-wide tag keys by adding a random suffix to each key. | bool |
false |
no |
data_access_logs_enabled | Enable Data Access logs of types DATA_READ, DATA_WRITE for all GCP services. Enabling Data Access logs might result in your organization being charged for the additional logs usage. See https://cloud.google.com/logging/docs/audit#data-access The ADMIN_READ logs are enabled by default. | bool |
false |
no |
domains_to_allow | The list of domains to allow users from in IAM. Used by Domain Restricted Sharing Organization Policy. Must include the domain of the organization you are deploying the foundation. To add other domains you must also grant access to these domains to the Terraform Service Account used in the deploy. | list(string) |
n/a | yes |
enable_hub_and_spoke | Enable Hub-and-Spoke architecture. | bool |
false |
no |
enforce_allowed_worker_pools | Whether to enforce the organization policy restriction on allowed worker pools for Cloud Build. | bool |
false |
no |
essential_contacts_domains_to_allow | The list of domains that email addresses added to Essential Contacts can have. | list(string) |
n/a | yes |
essential_contacts_language | Essential Contacts preferred language for notifications, as a ISO 639-1 language code. See Supported languages for a list of supported languages. | string |
"en" |
no |
gcp_groups | Groups to grant specific roles in the Organization. platform_viewer: Google Workspace or Cloud Identity group that have the ability to view resource information across the Google Cloud organization. security_reviewer: Google Workspace or Cloud Identity group that members are part of the security team responsible for reviewing cloud security network_viewer: Google Workspace or Cloud Identity group that members are part of the networking team and review network configurations. scc_admin: Google Workspace or Cloud Identity group that can administer Security Command Center. audit_viewer: Google Workspace or Cloud Identity group that members are part of an audit team and view audit logs in the logging project. global_secrets_admin: Google Workspace or Cloud Identity group that members are responsible for putting secrets into Secrets Manage |
object({ |
{} |
no |
log_export_storage_force_destroy | (Optional) If set to true, delete all contents when destroying the resource; otherwise, destroying the resource will fail if contents are present. | bool |
false |
no |
log_export_storage_location | The location of the storage bucket used to export logs. | string |
"US" |
no |
log_export_storage_retention_policy | Configuration of the bucket's data retention policy for how long objects in the bucket should be retained. | object({ |
null |
no |
log_export_storage_versioning | (Optional) Toggles bucket versioning, ability to retain a non-current object version when the live object version gets replaced or deleted. | bool |
false |
no |
project_budget | Budget configuration for projects. budget_amount: The amount to use as the budget. alert_spent_percents: A list of percentages of the budget to alert on when threshold is exceeded. alert_pubsub_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of projects/{project_id}/topics/{topic_id} .alert_spend_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are CURRENT_SPEND or FORECASTED_SPEND (default). |
object({ |
{} |
no |
remote_state_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | string |
n/a | yes |
scc_notification_filter | Filter used to create the Security Command Center Notification, you can see more details on how to create filters in https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications#create-filter | string |
"state = \"ACTIVE\"" |
no |
scc_notification_name | Name of the Security Command Center Notification. It must be unique in the organization. Run gcloud scc notifications describe <scc_notification_name> --organization=org_id to check if it already exists. |
string |
n/a | yes |
tfc_org_name | Name of the TFC organization | string |
"" |
no |
Name | Description |
---|---|
base_net_hub_project_id | The Base Network hub project ID |
cai_monitoring_artifact_registry | CAI Monitoring Cloud Function Artifact Registry name. |
cai_monitoring_asset_feed | CAI Monitoring Cloud Function Organization Asset Feed name. |
cai_monitoring_bucket | CAI Monitoring Cloud Function Source Bucket name. |
cai_monitoring_topic | CAI Monitoring Cloud Function Pub/Sub Topic name. |
common_folder_name | The common folder name |
dns_hub_project_id | The DNS hub project ID |
domains_to_allow | The list of domains to allow users from in IAM. |
interconnect_project_id | The Dedicated Interconnect project ID |
interconnect_project_number | The Dedicated Interconnect project number |
logs_export_logbucket_linked_dataset_name | The resource name of the Log Bucket linked BigQuery dataset created for Log Analytics. See https://cloud.google.com/logging/docs/log-analytics . |
logs_export_logbucket_name | The log bucket for destination of log exports. See https://cloud.google.com/logging/docs/routing/overview#buckets . |
logs_export_pubsub_topic | The Pub/Sub topic for destination of log exports |
logs_export_storage_bucket_name | The storage bucket for destination of log exports |
network_folder_name | The network folder name. |
org_audit_logs_project_id | The org audit logs project ID. |
org_billing_logs_project_id | The org billing logs project ID |
org_id | The organization id |
org_kms_project_id | The org Cloud Key Management Service (KMS) project ID |
org_secrets_project_id | The org secrets project ID |
parent_resource_id | The parent resource id |
parent_resource_type | The parent resource type |
restricted_net_hub_project_id | The Restricted Network hub project ID |
restricted_net_hub_project_number | The Restricted Network hub project number |
scc_notification_name | Name of SCC Notification |
scc_notifications_project_id | The SCC notifications project ID |
shared_vpc_projects | Base and restricted shared VPC Projects info grouped by environment (development, non-production, production). |
tags | Tag Values to be applied on next steps. |