This module creates several folders under the same parent, with consistent permissions and a common naming convention.
The resources/services/activations/deletions that this module will create/trigger are:
- Create folders with the provided names
- Assign the defined permissions to the provided list of users or groups.
This module is meant for use with Terraform 0.13+ and tested using Terraform 1.0+. If you find incompatibilities using Terraform >=0.13, please open an issue. If you haven't upgraded and need a Terraform 0.12.x-compatible version of this module, the last released version intended for Terraform 0.12.x is 2.0.2.
Basic usage of this module is as follows:
```hcl
module "folders" {
  source  = "terraform-google-modules/folders/google"
  version = "~> 5.0"

  parent = "folders/65552901371"

  names = [
    "dev",
    "staging",
    "production",
  ]

  set_roles = true

  per_folder_admins = {
    dev = {
      members = [
        "group:gcp-developers@domain.com"
      ],
    },
    staging = {
      members = [
        "group:gcp-qa@domain.com"
      ],
    }
    production = {
      members = [
        "group:gcp-ops@domain.com"
      ],
    }
  }

  all_folder_admins = [
    "group:gcp-security@domain.com",
  ]
}
```
Functional examples are included in the examples directory.
Name | Description | Type | Default | Required |
---|---|---|---|---|
all_folder_admins | List of IAM-style members that will get the extended permissions across all the folders. | list(string) | [] | no |
deletion_protection | Prevent Terraform from destroying or recreating the folder. | bool | true | no |
folder_admin_roles | List of roles that will be applied to a folder if roles are not explicitly specified in per_folder_admins | list(string) | [ | no |
names | Folder names. | list(string) | [] | no |
parent | The resource name of the parent Folder or Organization. Must be of the form folders/folder_id or organizations/org_id | string | n/a | yes |
per_folder_admins | IAM-style roles per members per folder who will get extended permissions. If roles are not provided for a folder/member combination, the list provided as folder_admin_roles will be applied as default. | map(object({ | {} | no |
prefix | Optional prefix to enforce uniqueness of folder names. | string | "" | no |
set_roles | Enable setting roles via the folder admin variables. | bool | false | no |
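The fallback between per_folder_admins and folder_admin_roles described in the table above, shown as an added example that is not part of the module's own documentation. It assumes each per_folder_admins entry accepts an optional `roles` list (the type is truncated in the table); the module label, folder selection and role choices are constructed for illustration.

```hcl
module "folders_scoped" {
  source  = "terraform-google-modules/folders/google"
  version = "~> 5.0"

  # Parent id reused from the basic usage example.
  parent = "folders/65552901371"
  names  = ["dev", "production"]

  # Nothing below is applied unless role setting is enabled (default: false).
  set_roles = true

  # Fallback for any folder/member combination that lists no roles.
  # Pinned to a read-only role so an entry that omits roles does not
  # silently inherit the module's default role list.
  folder_admin_roles = [
    "roles/resourcemanager.folderViewer",
  ]

  per_folder_admins = {
    dev = {
      members = ["group:gcp-developers@domain.com"]
      # Assumed attribute: explicit roles for this folder only.
      roles = [
        "roles/resourcemanager.folderViewer",
        "roles/resourcemanager.projectCreator",
      ]
    }
    production = {
      members = ["group:gcp-ops@domain.com"]
      # No roles listed: folder_admin_roles above applies (viewer only).
    }
  }

  # These members get the extended permissions on every folder,
  # so keep the list as short as possible.
  all_folder_admins = [
    "group:gcp-security@domain.com",
  ]

  # Default is true; stated explicitly so a destroy or recreate is refused.
  deletion_protection = true
}
```

Review the output of `terraform plan` for this configuration to confirm which members and roles each folder would receive before applying.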
Name | Description |
---|---|
folder | Folder resource (for single use). |
folders | Folder resources as list. |
folders_map | Folder resources by name. |
id | Folder id (for single use). |
ids | Folder ids. |
ids_list | List of folder ids. |
name | Folder name (for single use). |
names | Folder names. |
names_list | List of folder names. |
per_folder_admins | IAM-style members per folder who will get extended permissions. |
These sections describe requirements for using this module.
The following dependencies must be available:
- Terraform v1.3+
- Terraform Provider for GCP plugin v6
A service account with the following roles must be used to provision the resources of this module:
- Folder Creator: roles/resourcemanager.folderCreator
The Project Factory module and the IAM module may be used in combination to provision a service account with the necessary roles applied.
A project with the following APIs enabled must be used to host the resources of this module:
- Cloud Resource Manager API: cloudresourcemanager.googleapis.com
The Project Factory module can be used to provision a project with the necessary APIs enabled.
Refer to the contribution guidelines for information on contributing to this module.