GCP Billing Tagging Enforcement at Org level

Hello,

I’m fairly new to terraform so forgive any ignorance.

I need to determine if it’s possible to create a policy that enforces the following: if users don’t create a billing tag on the project, they cannot create any kind of resource in the project. This would be at the organization level. Billing for our company is done on a project basis and not on the resources in the project. If I were creating the projects myself this would be a moot point, but unfortunately, it’s not.

What I’m seeing in examples online is for specific resource types, nothing that’s kind of a blanket for various types of resources. The example policy provided on Setting an organization policy with tags  |  Resource Manager Documentation  |  Google Cloud denies only sqladmin.googleapis.com if the tag doesn’t exist (not to mention only in the GUI). I’m not sure how to translate that to Terraform but for all types of resources (if possible).

Here is what I’ve written so far in Terraform (edited to remove company information).

  # Tag key created at the organization level
  resource "google_tags_tag_key" "billing" {
      parent      = "organizations/${var.org_id}"
      short_name  = "billing"
      description = "billing"
  }

  # Tag values; the parent is the numeric key id prefixed with "tagKeys/"
  # (the key resource above is named "billing", so reference it as such)
  resource "google_tags_tag_value" "billing_A" {
      parent      = "tagKeys/${google_tags_tag_key.billing.name}"
      short_name  = "A"
      description = "A billing"
  }

  resource "google_tags_tag_value" "billing_B" {
      parent      = "tagKeys/${google_tags_tag_key.billing.name}"
      short_name  = "B"
      description = "B billing"
  }

  # Org policy skeleton (incomplete)
  resource "google_organization_policy" "tag_billing_policy" {
      org_id     = var.org_id
      constraint = "gcp.restrictServiceUsage"

      list_policy {
          deny {
              # need to deny on project creation if billing tag isn't set
          }
      }
  }

This creates the tag on the org level and its values, no problem. Ultimately, I need to set this at an org level where users will have to choose one of the values. The policy code is incomplete and I’m not even sure I’m using the right resource type.

Can any assistance be provided, or can someone point me in the right direction?
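One way to express a tag-conditioned, organization-wide deny in Terraform, written as an added example for this thread rather than code from the post or from Google's documentation. It assumes the Google provider's `google_org_policy_policy` resource (which, unlike the older `google_organization_policy`, accepts a CEL condition on each rule), an organization ID supplied in `var.org_id`, and that `gcp.restrictServiceUsage` is the constraint you want to drive. The CEL tag functions `resource.hasTagKeyId` and `resource.matchTagId` are the ones Google documents for tag-based organization policy conditions; the exact rule evaluation semantics and the list of services that `gcp.restrictServiceUsage` can and cannot block should be confirmed against the current documentation before this is applied at the org level.

```hcl
variable "org_id" {
  description = "Numeric organization ID (assumed to be supplied by the caller)"
  type        = string
}

# Tag key and values, mirroring the ones in the original post.
resource "google_tags_tag_key" "billing" {
  parent      = "organizations/${var.org_id}"
  short_name  = "billing"
  description = "Billing cost centre of the project"
}

resource "google_tags_tag_value" "billing_A" {
  parent      = "tagKeys/${google_tags_tag_key.billing.name}"
  short_name  = "A"
  description = "A billing"
}

resource "google_tags_tag_value" "billing_B" {
  parent      = "tagKeys/${google_tags_tag_key.billing.name}"
  short_name  = "B"
  description = "B billing"
}

# Organization-level policy on gcp.restrictServiceUsage with two rules:
#   1. Conditional rule: if the resource (the project, or a folder it
#      inherits tags from) carries ANY value of the billing tag key, allow
#      all services.
#   2. Unconditional default rule: deny all services.
# A project without a billing tag value therefore cannot use any API, so no
# resources can be created in it until one of the tag values is attached.
# (Assumption: rules are evaluated in order and the unconditional rule acts
# as the fallback when no condition matches; verify against the docs.)
resource "google_org_policy_policy" "restrict_untagged_projects" {
  name   = "organizations/${var.org_id}/policies/gcp.restrictServiceUsage"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      condition {
        title       = "project has a billing tag"
        description = "Any value of the billing tag key satisfies the condition"
        # google_tags_tag_key.billing.id is "tagKeys/<numeric id>", which is
        # the form the *Id variants of the tag CEL functions expect.
        # To require one specific value instead, use
        # resource.matchTagId('<key id>', '<value id>') with
        # google_tags_tag_value.billing_A.id, for example.
        expression = "resource.hasTagKeyId('${google_tags_tag_key.billing.id}')"
      }
      allow_all = "TRUE"
    }

    rules {
      deny_all = "TRUE"
    }
  }
}
```

Two practical points about this shape. First, the unconditional `deny_all` applies immediately to every existing project in the organization that has no billing tag, so it is worth inventorying untagged projects (or, with a provider version that supports the policy's dry-run spec, observing what would be denied) before turning it on. Second, tags are inherited, so binding a billing value to a folder satisfies the condition for every project beneath it; whether that is a convenience or a loophole depends on how your billing is organized.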