terraform-google-modules/terraform-google-folders

terraform-google-folders

This module helps create several folders under the same parent, enforcing consistent permissions and a common naming convention.

The resources/services/activations/deletions that this module will create/trigger are:

  • Create folders with the provided names
  • Assign the defined permissions to the provided list of users or groups.

Compatibility

This module is meant for use with Terraform 0.13+ and tested using Terraform 1.0+. If you find incompatibilities using Terraform >=0.13, please open an issue. If you haven't upgraded and need a Terraform 0.12.x-compatible version of this module, the last released version intended for Terraform 0.12.x is 2.0.2.

Usage

Basic usage of this module is as follows:

module "folders" {
  source  = "terraform-google-modules/folders/google"
  version = "~> 5.0"

  parent = "folders/65552901371"

  names = [
    "dev",
    "staging",
    "production",
  ]

  # Required for per_folder_admins and all_folder_admins to take effect.
  set_roles = true

  # No roles given here, so folder_admin_roles (the default list) is applied.
  per_folder_admins = {
    dev = {
      members = [
        "group:gcp-developers@domain.com"
      ]
    }
    staging = {
      members = [
        "group:gcp-qa@domain.com"
      ]
    }
    production = {
      members = [
        "group:gcp-ops@domain.com"
      ]
    }
  }

  # Members granted the extended permissions on every folder.
  all_folder_admins = [
    "group:gcp-security@domain.com",
  ]
}

Functional examples are included in the examples directory.

Inputs

Each input is listed with its type, its default and whether it is required:

  • all_folder_admins (list(string), default [], optional): List of IAM-style members that will get the extended permissions across all the folders.
  • deletion_protection (bool, default true, optional): Prevent Terraform from destroying or recreating the folder.
  • folder_admin_roles (list(string), optional): List of roles that will be applied to a folder if roles are not explicitly specified in per_folder_admins. Default:
    ["roles/owner", "roles/resourcemanager.folderViewer", "roles/resourcemanager.projectCreator", "roles/compute.networkAdmin"]
  • names (list(string), default [], optional): Folder names.
  • parent (string, required): The resource name of the parent Folder or Organization. Must be of the form folders/folder_id or organizations/org_id.
  • per_folder_admins (map(object({ members = list(string), roles = optional(list(string)) })), default {}, optional): IAM-style members, and optionally roles, per folder who will get extended permissions. If roles are not provided for a folder/member combination, the list provided as folder_admin_roles is applied as the default.
  • prefix (string, default "", optional): Optional prefix to enforce uniqueness of folder names.
  • set_roles (bool, default false, optional): Enable setting roles via the folder admin variables.
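The Usage block above grants the default folder_admin_roles (which include roles/owner) to every listed member. As an added example that is not part of this README, the configuration below narrows that default and overrides it for one folder using only the inputs listed above; the organization id, group addresses and prefix are placeholders:

```hcl
# Added example (not the module's own README code). Narrow the default role
# set and give the production folder an explicit, smaller role list.
module "folders" {
  source  = "terraform-google-modules/folders/google"
  version = "~> 5.0"

  parent = "organizations/000000000000"   # placeholder organization id
  prefix = "example"                      # prepended to every folder name

  names = ["dev", "production"]

  # Keep Terraform from destroying or recreating the folders (module default).
  deletion_protection = true

  # Without this the admin variables below are ignored.
  set_roles = true

  # Replaces the module default, which includes roles/owner, for any
  # folder/member combination that does not set `roles` itself.
  folder_admin_roles = [
    "roles/resourcemanager.folderViewer",
    "roles/resourcemanager.projectCreator",
  ]

  per_folder_admins = {
    # No `roles` here, so folder_admin_roles above applies.
    dev = {
      members = ["group:gcp-developers@example.com"]   # placeholder group
    }
    # Explicit roles win over folder_admin_roles for this folder.
    production = {
      members = ["group:gcp-ops@example.com"]          # placeholder group
      roles   = ["roles/resourcemanager.folderViewer"]
    }
  }

  # Members that get the extended permissions on every folder.
  all_folder_admins = ["group:gcp-security@example.com"]   # placeholder group
}

# The module's `ids` output, e.g. to hand folder ids to a project factory.
output "folder_ids" {
  value = module.folders.ids
}
```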

Outputs

  • folder: Folder resource (for single use).
  • folders: Folder resources as list.
  • folders_map: Folder resources by name.
  • id: Folder id (for single use).
  • ids: Folder ids.
  • ids_list: List of folder ids.
  • name: Folder name (for single use).
  • names: Folder names.
  • names_list: List of folder names.
  • per_folder_admins: IAM-style members per folder who will get extended permissions.

Requirements

These sections describe requirements for using this module.

Software

The following dependencies must be available:

Service Account

A service account with the following roles must be used to provision the resources of this module:

  • Folder Creator: roles/resourcemanager.folderCreator

The Project Factory module and the IAM module may be used in combination to provision a service account with the necessary roles applied.

APIs

A project with the following APIs enabled must be used to host the resources of this module:

  • Cloud Resource Manager API: cloudresourcemanager.googleapis.com

The Project Factory module can be used to provision a project with the necessary APIs enabled.

Contributing

Refer to the contribution guidelines for information on contributing to this module.