| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| audit_data_users | Google Workspace or Cloud Identity group that has access to audit logs. | `string` | n/a | yes |
| audit_logs_table_delete_contents_on_destroy | (Optional) If set to true, delete all the tables in the dataset when destroying the resource; otherwise, destroying the resource will fail if tables are present. | `bool` | `false` | no |
| audit_logs_table_expiration_days | Period, in days, before the tables holding audit logs expire. Default is 30 days. | `number` | `30` | no |
| base_net_hub_project_alert_pubsub_topic | The name of the Cloud Pub/Sub topic where budget-related messages will be published, in the form `projects/{project_id}/topics/{topic_id}`, for the base net hub project. | `string` | `null` | no |
| base_net_hub_project_alert_spent_percents | A list of percentages of the budget to alert on when the threshold is exceeded for the base net hub project. | `list(number)` | `[0.5, 0.75, 0.9, 0.95]` | no |
| base_net_hub_project_budget_amount | The amount to use as the budget for the base net hub project. | `number` | `1000` | no |
| billing_account | The ID of the billing account to associate this project with. | `string` | n/a | yes |
| billing_data_users | Google Workspace or Cloud Identity group that has access to the billing dataset. | `string` | n/a | yes |
| create_access_context_manager_access_policy | Whether to create an Access Context Manager access policy. | `bool` | `true` | no |
| data_access_logs_enabled | Enable Data Access audit logs of types DATA_READ, DATA_WRITE and ADMIN_READ for all GCP services. Enabling Data Access logs might result in your organization being charged for the additional log usage. See https://cloud.google.com/logging/docs/audit#data-access | `bool` | `true` | no |
| default_region | Default region for BigQuery resources. | `string` | n/a | yes |
| dns_hub_project_alert_pubsub_topic | The name of the Cloud Pub/Sub topic where budget-related messages will be published, in the form `projects/{project_id}/topics/{topic_id}`, for the DNS hub project. | `string` | `null` | no |
| dns_hub_project_alert_spent_percents | A list of percentages of the budget to alert on when the threshold is exceeded for the DNS hub project. | `list(number)` | `[0.5, 0.75, 0.9, 0.95]` | no |
| dns_hub_project_budget_amount | The amount to use as the budget for the DNS hub project. | `number` | `1000` | no |
| domains_to_allow | The list of domains whose users are allowed in IAM. Used by the Domain Restricted Sharing organization policy. Must include the domain of the organization you are deploying the foundation into. To add other domains, you must also grant the Terraform service account used in the deployment access to those domains. | `list(string)` | n/a | yes |
| enable_hub_and_spoke | Enable the hub-and-spoke network architecture. | `bool` | `false` | no |
| enable_os_login_policy | Enable the OS Login organization policy. | `bool` | `false` | no |
| folder_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no |
| gcp_audit_viewer | Google Workspace or Cloud Identity group whose members are part of the audit team and view audit logs in the logging project. | `string` | `null` | no |
| gcp_billing_admin_user | Identity that has billing administrator permissions. | `string` | `null` | no |
| gcp_billing_creator_user | Identity that can create billing accounts. | `string` | `null` | no |
| gcp_global_secrets_admin | Google Workspace or Cloud Identity group whose members are responsible for putting secrets into Secret Manager. | `string` | `null` | no |
| gcp_network_viewer | Google Workspace or Cloud Identity group whose members are part of the networking team and review network configurations. | `string` | `null` | no |
| gcp_org_admin_user | Identity that has organization administrator permissions. | `string` | `null` | no |
| gcp_platform_viewer | Google Workspace or Cloud Identity group that has the ability to view resource information across the Google Cloud organization. | `string` | `null` | no |
| gcp_scc_admin | Google Workspace or Cloud Identity group that can administer Security Command Center. | `string` | `null` | no |
| gcp_security_reviewer | Google Workspace or Cloud Identity group whose members are part of the security team responsible for reviewing cloud security. | `string` | `null` | no |
| interconnect_project_alert_pubsub_topic | The name of the Cloud Pub/Sub topic where budget-related messages will be published, in the form `projects/{project_id}/topics/{topic_id}`, for the Dedicated Interconnect project. | `string` | `null` | no |
| interconnect_project_alert_spent_percents | A list of percentages of the budget to alert on when the threshold is exceeded for the Dedicated Interconnect project. | `list(number)` | `[0.5, 0.75, 0.9, 0.95]` | no |
| interconnect_project_budget_amount | The amount to use as the budget for the Dedicated Interconnect project. | `number` | `1000` | no |
| log_export_storage_force_destroy | (Optional) If set to true, delete all contents when destroying the resource; otherwise, destroying the resource will fail if contents are present. | `bool` | `false` | no |
| log_export_storage_location | The location of the storage bucket used to export logs. | `string` | `"ASIA"` | no |
| log_export_storage_retention_policy | Configuration of the bucket's data retention policy: how long objects in the bucket must be retained, and whether the policy is locked. | `object({ is_locked = bool, retention_period_days = number })` | `null` | no |
| log_export_storage_versioning | (Optional) Toggles bucket versioning, i.e. the ability to retain a non-current object version when the live object version gets replaced or deleted. | `bool` | `false` | no |
| org_audit_logs_project_alert_pubsub_topic | The name of the Cloud Pub/Sub topic where budget-related messages will be published, in the form `projects/{project_id}/topics/{topic_id}`, for the org audit logs project. | `string` | `null` | no |
| org_audit_logs_project_alert_spent_percents | A list of percentages of the budget to alert on when the threshold is exceeded for the org audit logs project. | `list(number)` | `[0.5, 0.75, 0.9, 0.95]` | no |
| org_audit_logs_project_budget_amount | The amount to use as the budget for the org audit logs project. | `number` | `1000` | no |
| org_billing_logs_project_alert_pubsub_topic | The name of the Cloud Pub/Sub topic where budget-related messages will be published, in the form `projects/{project_id}/topics/{topic_id}`, for the org billing logs project. | `string` | `null` | no |
| org_billing_logs_project_alert_spent_percents | A list of percentages of the budget to alert on when the threshold is exceeded for the org billing logs project. | `list(number)` | `[0.5, 0.75, 0.9, 0.95]` | no |
| org_billing_logs_project_budget_amount | The amount to use as the budget for the org billing logs project. | `number` | `1000` | no |
| org_id | The organization ID for the associated services. | `string` | n/a | yes |
| org_secrets_project_alert_pubsub_topic | The name of the Cloud Pub/Sub topic where budget-related messages will be published, in the form `projects/{project_id}/topics/{topic_id}`, for the org secrets project. | `string` | `null` | no |
| org_secrets_project_alert_spent_percents | A list of percentages of the budget to alert on when the threshold is exceeded for the org secrets project. | `list(number)` | `[0.5, 0.75, 0.9, 0.95]` | no |
| org_secrets_project_budget_amount | The amount to use as the budget for the org secrets project. | `number` | `1000` | no |
| parent_folder | Optional. For an organization with existing projects, or for development and validation, places all the example foundation resources under the provided folder instead of the organization root. The value is the numeric folder ID. The folder must already exist. Must be the same value used in the previous step. | `string` | `""` | no |
| project_prefix | Name prefix to use for projects created. Should be the same in all steps. Maximum length is 3 characters. | `string` | `"prj"` | no |
| restricted_net_hub_project_alert_pubsub_topic | The name of the Cloud Pub/Sub topic where budget-related messages will be published, in the form `projects/{project_id}/topics/{topic_id}`, for the restricted net hub project. | `string` | `null` | no |
| restricted_net_hub_project_alert_spent_percents | A list of percentages of the budget to alert on when the threshold is exceeded for the restricted net hub project. | `list(number)` | `[0.5, 0.75, 0.9, 0.95]` | no |
| restricted_net_hub_project_budget_amount | The amount to use as the budget for the restricted net hub project. | `number` | `1000` | no |
| scc_notification_filter | Filter used to create the Security Command Center notification. See https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications#create-filter for details on how to write filters. | `string` | `"state = \"ACTIVE\""` | no |
| scc_notification_name | Name of the Security Command Center notification. It must be unique in the organization. Run `gcloud scc notifications describe <scc_notification_name> --organization=org_id` to check whether it already exists. | `string` | n/a | yes |
| scc_notifications_project_alert_pubsub_topic | The name of the Cloud Pub/Sub topic where budget-related messages will be published, in the form `projects/{project_id}/topics/{topic_id}`, for the SCC notifications project. | `string` | `null` | no |
| scc_notifications_project_alert_spent_percents | A list of percentages of the budget to alert on when the threshold is exceeded for the SCC notifications project. | `list(number)` | `[0.5, 0.75, 0.9, 0.95]` | no |
| scc_notifications_project_budget_amount | The amount to use as the budget for the SCC notifications project. | `number` | `1000` | no |
| skip_gcloud_download | Whether to skip downloading gcloud (assumes gcloud is already available outside the module). If set to true, you must ensure that the gcloud alpha component is installed. | `bool` | `true` | no |
| terraform_service_account | Service account email of the account to impersonate to run Terraform. | `string` | n/a | yes |
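The audit-log variables above interact: a locked retention policy on the export bucket, versioning, and the two destroy-protection flags together decide whether an administrator (or an attacker holding an administrator's credentials) can erase the organization's audit trail. The `terraform.tfvars` below is an added illustration of one hardened combination; it is not configuration shipped with the project, and every identifier, domain, e-mail address and numeric value in it is a placeholder you must replace with your own.

```hcl
# terraform.tfvars -- added example, not part of the project. All values are placeholders.

# Required inputs
org_id                    = "000000000000"                                  # placeholder org ID
billing_account           = "000000-000000-000000"                          # placeholder billing account
terraform_service_account = "sa-terraform@prj-seed.iam.gserviceaccount.com" # placeholder
default_region            = "us-central1"
domains_to_allow          = ["example.com"]                                 # must include the org's own domain
audit_data_users          = "gcp-audit-data-users@example.com"              # placeholder groups
billing_data_users        = "gcp-billing-data-users@example.com"
scc_notification_name     = "scc-notify-active-findings"                    # must be unique in the org

# Audit-trail hardening (the table defaults are the permissive choices)
data_access_logs_enabled         = true   # default true; keep DATA_READ/DATA_WRITE/ADMIN_READ on
audit_logs_table_expiration_days = 400    # default 30: too short for most incident timelines
log_export_storage_location      = "US"   # default "ASIA"; pick the region your data-residency rules require
log_export_storage_versioning    = true   # default false: keep non-current versions of overwritten objects

# Bucket retention lock: objects cannot be deleted or overwritten before the period elapses,
# and a locked policy can never be removed or shortened, only lengthened.
log_export_storage_retention_policy = {
  is_locked             = true
  retention_period_days = 365
}

# Destroy protection: leave both at their default of false so `terraform destroy`
# refuses to wipe log tables or the export bucket while they still hold data.
log_export_storage_force_destroy            = false
audit_logs_table_delete_contents_on_destroy = false

# Organization policy
enable_os_login_policy = true             # default false
```

Two caveats before applying this. `is_locked = true` is irreversible on the bucket: once the policy is locked, the bucket cannot be deleted until every object has passed the retention period, so a later `terraform destroy` of this step will fail on the bucket by design; set it only after you have validated the period on an unlocked run. And because the retention lock and `log_export_storage_force_destroy = false` stop deletion but not the creation of a new log sink elsewhere, the control is only as strong as the IAM on the logging project, which is why `audit_data_users` and `gcp_audit_viewer` should be small, dedicated groups rather than broad engineering groups.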