
Google Cloud Platform organization Terraform module

This Terraform module provisions a Google Cloud Platform organization. It ships the submodules listed in the Modules section below (audit_config and iam_memberships).

Usage

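# Provisions a Google Cloud organization with this module. Only the arguments
# listed in the Inputs table below are accepted: billing_account, default_zone
# and org_id are required; cloud_identity_groups, editors, essential_contacts_language,
# iam_audit_config, owners and viewers are optional. default_region, labels and
# project_name are not inputs of this module and would be rejected by Terraform.
module "gcp_project" {
  source  = "nephosolutions/organization/google"
  version = "~> 1.0.0"

  # Required. Placeholders — substitute the billing account ID and the numeric
  # organization ID for your environment.
  billing_account = "..."
  org_id          = "..."

  # Required. Zone used by default when creating new resources.
  default_zone = "europe-west1-b"

  # Optional. Identities granted the basic owner/editor/viewer roles on the
  # organization. These bindings apply organization-wide (see
  # google_organization_iam_binding.basic_role under Resources), so keep the
  # lists as short as possible; the defaults are empty.
  owners  = []
  editors = []
  viewers = []
}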

Requirements

Name Version
terraform >= 0.13
google >= 3.90

Providers

Name Version
google 4.45.0

Modules

Name Source Version
audit_config ./modules/audit_config n/a
bootstrap_project nephosolutions/gcp-project/google ~> 7.1.0
cloud_identity_group terraform-google-modules/group/google ~> 0.4
iam_memberships ./modules/iam_memberships n/a

Resources

Name Type
google_essential_contacts_contact.essential_contact resource
google_organization_iam_binding.basic_role resource
google_organization.org data source

Inputs

Name Description Type Default Required
billing_account The billing account to which the projects should be attached string n/a yes
cloud_identity_groups Contains the details of the Cloud Identity groups to be created.
object({
create_groups = bool
billing_project = string
required_groups = object({
audit_viewers = object({
id = string
display_name = string
description = string
owners = list(string)
managers = list(string)
members = list(string)
})
billing_admins = object({
id = string
display_name = string
description = string
owners = list(string)
managers = list(string)
members = list(string)
})
billing_data_users = object({
id = string
display_name = string
description = string
owners = list(string)
managers = list(string)
members = list(string)
})
monitoring_admins = object({
id = string
display_name = string
description = string
owners = list(string)
managers = list(string)
members = list(string)
})
network_viewers = object({
id = string
display_name = string
description = string
owners = list(string)
managers = list(string)
members = list(string)
})
org_admins = object({
id = string
display_name = string
description = string
owners = list(string)
managers = list(string)
members = list(string)
})
platform_viewers = object({
id = string
display_name = string
description = string
owners = list(string)
managers = list(string)
members = list(string)
})
scc_admins = object({
id = string
display_name = string
description = string
owners = list(string)
managers = list(string)
members = list(string)
})
secrets_admins = object({
id = string
display_name = string
description = string
owners = list(string)
managers = list(string)
members = list(string)
})
security_admins = object({
id = string
display_name = string
description = string
owners = list(string)
managers = list(string)
members = list(string)
})
security_reviewers = object({
id = string
display_name = string
description = string
owners = list(string)
managers = list(string)
members = list(string)
})
})
})
{
"billing_project": "",
"create_groups": false,
"required_groups": {
"audit_viewers": {
"description": "Members are part of an audit team and view audit logs in the logging project.",
"display_name": "GCP Audit Viewers",
"id": "[email protected]",
"managers": [],
"members": [],
"owners": []
},
"billing_admins": {
"description": "Billing admins are responsible for setting up billing accounts and monitoring their usage.",
"display_name": "GCP Billing Admins",
"id": "[email protected]",
"managers": [],
"members": [],
"owners": []
},
"billing_data_users": {
"description": "Members are authorized to view the spend on projects. Typical members are part of the finance team.",
"display_name": "GCP Billing Data Users",
"id": "[email protected]",
"managers": [],
"members": [],
"owners": []
},
"monitoring_admins": {
"description": "Members have access to Monitoring Workspaces.",
"display_name": "GCP Monitoring Admins",
"id": "[email protected]",
"managers": [],
"members": [],
"owners": []
},
"network_viewers": {
"description": "Members are part of the networking team and review network configurations.",
"display_name": "GCP Network Viewers",
"id": "[email protected]",
"managers": [],
"members": [],
"owners": []
},
"org_admins": {
"description": "Organization admins are responsible for organizing the structure of the resources used by the organization.",
"display_name": "GCP Organization Admins",
"id": "[email protected]",
"managers": [],
"members": [],
"owners": []
},
"platform_viewers": {
"description": "Members have the ability to view resource information across the Google Cloud organization.",
"display_name": "GCP Platform Viewers",
"id": "[email protected]",
"managers": [],
"members": [],
"owners": []
},
"scc_admins": {
"description": "Members can administer Security Command Center.",
"display_name": "GCP Security Command Center Admins",
"id": "[email protected]",
"managers": [],
"members": [],
"owners": []
},
"secrets_admins": {
"description": "Members are responsible for putting secrets into Secrets Manager.",
"display_name": "GCP Secrets Manager Secrets Admins",
"id": "[email protected]",
"managers": [],
"members": [],
"owners": []
},
"security_admins": {
"description": "Security admins are responsible for establishing and managing security policies for the entire organization, including access management and organization constraint policies.",
"display_name": "GCP Security Admins",
"id": "[email protected]",
"managers": [],
"members": [],
"owners": []
},
"security_reviewers": {
"description": "Members are part of the security team responsible for reviewing cloud security.",
"display_name": "GCP Security Reviewers",
"id": "[email protected]",
"managers": [],
"members": [],
"owners": []
}
}
}
no
default_zone The zone within a region used by default to create new resources string n/a yes
editors Identities that will be granted the basic role editor on the organization list(string) [] no
essential_contacts_language Essential Contacts preferred language for notifications, as an ISO 639-1 language code. See Supported languages for a list of supported languages. string "en" no
iam_audit_config Map of service APIs for which audit logging will be enabled, each with a map of the audit log types to be configured, each with a map of optional attributes including a list of identities that are exempted from logging. google_folder_iam_audit_config
map(map(object({
exempted_members = list(string)
})))
{} no
org_id The numeric ID of the Google Cloud organization. string n/a yes
owners Identities that will be granted the basic role owner on the organization list(string) [] no
viewers Identities that will be granted the basic role viewer on the organization list(string) [] no

Outputs

Name Description
bootstrap_project_id Project where service accounts and core APIs will be enabled.
cloud_identity_groups Map of Google Cloud Identity groups created.