Name | Description | Type | Default | Required |
---|---|---|---|---|
billing_export_dataset_location | The location of the dataset for billing data export. | string |
null |
no |
create_access_context_manager_access_policy | Whether to create access context manager access policy. | bool |
true |
no |
create_unique_tag_key | Creates unique organization-wide tag keys by adding a random suffix to each key. | bool |
false |
no |
domains_to_allow | The list of domains to allow users from in IAM. Used by Domain Restricted Sharing Organization Policy. Must include the domain of the organization you are deploying the foundation. To add other domains you must also grant access to these domains to the Terraform Service Account used in the deploy. | list(string) |
n/a | yes |
enable_hub_and_spoke | Enable Hub-and-Spoke architecture. | bool |
false |
no |
enable_scc_resources_in_terraform | Create Security Command Center resources in Terraform. If your organization has newly enabled any preview features for SCC and get an error related to the v2 API, you must set this variable to false because the v2 API does not yet support Terraform resources. See issue 1189 for context. | bool |
false |
no |
enforce_allowed_worker_pools | Whether to enforce the organization policy restriction on allowed worker pools for Cloud Build. | bool |
false |
no |
essential_contacts_domains_to_allow | The list of domains that email addresses added to Essential Contacts can have. | list(string) |
n/a | yes |
essential_contacts_language | Essential Contacts preferred language for notifications, as a ISO 639-1 language code. See Supported languages for a list of supported languages. | string |
"en" |
no |
folder_deletion_protection | Prevent Terraform from destroying or recreating the folder. | string |
true |
no |
gcp_groups | Groups to grant specific roles in the Organization. platform_viewer: Google Workspace or Cloud Identity group that have the ability to view resource information across the Google Cloud organization. security_reviewer: Google Workspace or Cloud Identity group that members are part of the security team responsible for reviewing cloud security network_viewer: Google Workspace or Cloud Identity group that members are part of the networking team and review network configurations. scc_admin: Google Workspace or Cloud Identity group that can administer Security Command Center. audit_viewer: Google Workspace or Cloud Identity group that members are part of an audit team and view audit logs in the logging project. global_secrets_admin: Google Workspace or Cloud Identity group that members are responsible for putting secrets into Secrets Manage |
object({ |
{} |
no |
log_export_storage_force_destroy | (Optional) If set to true, delete all contents when destroying the resource; otherwise, destroying the resource will fail if contents are present. | bool |
false |
no |
log_export_storage_location | The location of the storage bucket used to export logs. | string |
null |
no |
log_export_storage_retention_policy | Configuration of the bucket's data retention policy for how long objects in the bucket should be retained. | object({ |
null |
no |
log_export_storage_versioning | (Optional) Toggles bucket versioning, ability to retain a non-current object version when the live object version gets replaced or deleted. | bool |
false |
no |
project_budget | Budget configuration for projects. budget_amount: The amount to use as the budget. alert_spent_percents: A list of percentages of the budget to alert on when threshold is exceeded. alert_pubsub_topic: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of projects/{project_id}/topics/{topic_id} .alert_spend_basis: The type of basis used to determine if spend has passed the threshold. Possible choices are CURRENT_SPEND or FORECASTED_SPEND (default). |
object({ |
{} |
no |
project_deletion_policy | The deletion policy for the project created. | string |
"PREVENT" |
no |
remote_state_bucket | Backend bucket to load Terraform Remote State Data from previous steps. | string |
n/a | yes |
scc_notification_filter | Filter used to create the Security Command Center Notification, you can see more details on how to create filters in https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications#create-filter | string |
"state = \"ACTIVE\"" |
no |
scc_notification_name | Name of the Security Command Center Notification. It must be unique in the organization. Run gcloud scc notifications describe <scc_notification_name> --organization=org_id to check if it already exists. |
string |
n/a | yes |
tfc_org_name | Name of the TFC organization | string |
"" |
no |
Name | Description |
---|---|
base_net_hub_project_id | The Base Network hub project ID |
billing_sink_names | The name of the sinks under billing account level. |
cai_monitoring_artifact_registry | CAI Monitoring Cloud Function Artifact Registry name. |
cai_monitoring_asset_feed | CAI Monitoring Cloud Function Organization Asset Feed name. |
cai_monitoring_bucket | CAI Monitoring Cloud Function Source Bucket name. |
cai_monitoring_topic | CAI Monitoring Cloud Function Pub/Sub Topic name. |
common_folder_name | The common folder name |
common_kms_project_id | The org Cloud Key Management Service (KMS) project ID |
dns_hub_project_id | The DNS hub project ID |
domains_to_allow | The list of domains to allow users from in IAM. |
interconnect_project_id | The Dedicated Interconnect project ID |
interconnect_project_number | The Dedicated Interconnect project number |
logs_export_project_linked_dataset_name | The resource name of the Log Bucket linked BigQuery dataset for the project destination. |
logs_export_project_logbucket_name | The resource name for the Log Bucket created for the project destination. |
logs_export_pubsub_topic | The Pub/Sub topic for destination of log exports |
logs_export_storage_bucket_name | The storage bucket for destination of log exports |
network_folder_name | The network folder name. |
org_audit_logs_project_id | The org audit logs project ID. |
org_billing_export_project_id | The org billing export project ID |
org_id | The organization id |
org_secrets_project_id | The org secrets project ID |
parent_resource_id | The parent resource id |
parent_resource_type | The parent resource type |
restricted_net_hub_project_id | The Restricted Network hub project ID |
restricted_net_hub_project_number | The Restricted Network hub project number |
scc_notification_name | Name of SCC Notification |
scc_notifications_project_id | The SCC notifications project ID |
shared_vpc_projects | Base and restricted shared VPC Projects info grouped by environment (development, nonproduction, production). |
tags | Tag Values to be applied on next steps. |