Skip to content

Commit

Permalink
Add the organization iam policy, with suitable warnings. (hashicorp#1196
Browse files Browse the repository at this point in the history
)
  • Loading branch information
nat-henderson authored Mar 14, 2018
1 parent ded80f3 commit c6e948e
Show file tree
Hide file tree
Showing 2 changed files with 62 additions and 0 deletions.
59 changes: 59 additions & 0 deletions docs/r/google_organization_iam_policy.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
---
layout: "google"
page_title: "Google: google_organization_iam_policy"
sidebar_current: "docs-google-organization-iam-policy"
description: |-
Allows management of the entire IAM policy for a Google Cloud Platform Organization.
---

# google\_organization\_iam\_policy

Allows management of the entire IAM policy for an existing Google Cloud Platform Organization.

~> **Warning:** New organizations have several default policies which will,
without extreme caution, be **overwritten** by use of this resource.
The safest alternative is to use multiple `google_organization_iam_binding`
resources. It is easy to use this resource to remove your own access to
an organization, which will require a call to Google Support to have
fixed, and can take multiple days to resolve. If you do use this resource,
the best way to be sure that you are not making dangerous changes is to start
by importing your existing policy, and examining the diff very closely.

~> **Note:** This resource __must not__ be used in conjunction with
`google_organization_iam_member` or `google_organization_iam_binding`
or they will fight over what your policy should be.

## Example Usage

```hcl
resource "google_organization_iam_policy" "policy" {
org_id = "123456789"
policy_data = "${data.google_iam_policy.admin.policy_data}"
}
data "google_iam_policy" "admin" {
binding {
role = "roles/editor"
members = [
"user:[email protected]",
]
}
}
```

## Argument Reference

The following arguments are supported:

* `org_id` - (Required) The numeric ID of the organization in which you want to create a custom role.

* `policy_data` - (Required) The `google_iam_policy` data source that represents
the IAM policy that will be applied to the organization. This policy overrides any existing
policy applied to the organization.

## Import

```
$ terraform import google_organization_iam_policy.my_org your-org-id
```
3 changes: 3 additions & 0 deletions google.erb
Original file line number Diff line number Diff line change
Expand Up @@ -162,6 +162,9 @@
<li<%= sidebar_current("docs-google-organization-iam-member") %>>
<a href="/docs/providers/google/r/google_organization_iam_member.html">google_organization_iam_member</a>
</li>
<li<%= sidebar_current("docs-google-organization-iam-policy") %>>
<a href="/docs/providers/google/r/google_organization_iam_policy.html">google_organization_iam_policy</a>
</li>
<li<%= sidebar_current("docs-google-project-x") %>>
<a href="/docs/providers/google/r/google_project.html">google_project</a>
</li>
Expand Down

0 comments on commit c6e948e

Please sign in to comment.