GCP — Organisation, folder and project level policies: How do you deploy with Terraform?

Biswanath Giri
5 min read · Feb 4, 2025


Introduction

Managing access control in Google Cloud Platform (GCP) is crucial for maintaining security and compliance. GCP Identity and Access Management (IAM) allows you to grant granular access to resources. Using Terraform, an Infrastructure as Code (IaC) tool, you can automate and manage these IAM policies efficiently.

This blog will explore scenarios where you might allow or deny access and demonstrate how to manage GCP IAM policies using Terraform.

Understanding IAM Policies

IAM policies in GCP consist of roles bound to principals (users, service accounts, groups, domains) on a resource; a binding is inherited by every resource below it in the hierarchy. You can:

  • Allow access using bindings that grant roles, and therefore the permissions those roles contain, to principals.
  • Deny access using IAM Deny Policies. A deny policy is evaluated before any allow policy, so a matching deny rule blocks the listed permissions for the listed principals even when a role elsewhere grants them.

Scenarios for Allowing and Denying Access

  1. Allow Access:
  • Granting developers access to specific resources (e.g., Compute Engine, BigQuery).
  • Providing read-only access to auditors for compliance reviews.

  2. Deny Access:
  • Preventing external service accounts from accessing sensitive data.
  • Blocking access to specific APIs for certain teams to reduce costs or risks.

Managing IAM Policies with Terraform

Terraform simplifies IAM management by codifying policies in configuration files. Here’s how to define both allow and deny policies.

Example 1: Deny Access at Organization Level with google_iam_deny_policy

resource "google_iam_deny_policy" "deny_external_access_org" {
  name         = "deny-external-access-org"
  # parent is the URL-encoded full resource name, not the plain organizations/... string
  parent       = urlencode("cloudresourcemanager.googleapis.com/organizations/1234567890")
  display_name = "Deny an external user read access to objects and tables"

  rules {
    description = "Applies org-wide, whatever allow policies grant"
    deny_rule {
      # Deny policies use v2 principal identifiers, not the user:/serviceAccount: prefixes of allow bindings
      denied_principals = ["principal://goog/subject/externaluser@example.com"]
      # Permissions are written as <service>/<permission>
      denied_permissions = [
        "storage.googleapis.com/objects.get",
        "bigquery.googleapis.com/tables.get",
      ]
      # A denial_condition block is optional and may only test resource tags
      # (resource.matchTag / resource.matchTagId); resource.name.startsWith(...) is not supported here.
    }
  }
}
  • Explanation: This policy denies the external user storage.objects.get and bigquery.tables.get on every resource under the organization. Because deny policies are evaluated before allow policies, the denial holds even if a binding lower in the hierarchy grants roles/storage.objectViewer or roles/bigquery.dataViewer. Only permissions on the deny-supported list can be named, and the identity running terraform apply needs roles/iam.denyAdmin on the organization.
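To see how the two policy types interact, here is a small evaluator, added for this article and not code from the original post or from Google, that models just the rules described above: bindings grant a role's permissions downward through the hierarchy, and a deny policy is checked first and blocks its permissions for its principals on the attached resource and everything below it. The hierarchy, principals and two-role permission table are constructed sample data; group expansion and IAM conditions are deliberately left out.

```python
"""Toy evaluator for how GCP combines allow bindings and deny policies.

Added example, not code from the original post or from Google. Hierarchy,
principals and the role table below are constructed sample data; group
expansion and IAM conditions are deliberately left out.
"""
from dataclasses import dataclass, field

# Constructed subset of two predefined roles (real roles carry many more permissions).
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/bigquery.dataViewer": {"bigquery.tables.get", "bigquery.tables.getData"},
}

# Constructed hierarchy, child -> parent.
HIERARCHY = {
    "folders/456": "organizations/123",
    "projects/my-proj": "folders/456",
}


@dataclass
class Binding:
    resource: str
    role: str
    members: set        # allow-policy form: user:, serviceAccount:, group:


@dataclass
class DenyRule:
    resource: str
    denied_principals: set     # deny-policy (v2) form: principal://..., principalSet://...
    denied_permissions: set    # "<service>/<permission>", e.g. storage.googleapis.com/objects.get
    exception_principals: set = field(default_factory=set)


def to_v2_principal(member: str) -> str:
    """Map an allow-binding member to the identifier deny policies use."""
    kind, _, ident = member.partition(":")
    if kind == "user":
        return f"principal://goog/subject/{ident}"
    if kind == "serviceAccount":
        return f"principal://iam.googleapis.com/projects/-/serviceAccounts/{ident}"
    if kind == "group":
        return f"principalSet://goog/group/{ident}"
    raise ValueError(f"unsupported member type: {member}")


def deny_perm_to_iam(perm: str) -> str:
    """storage.googleapis.com/objects.get -> storage.objects.get"""
    service, _, rest = perm.partition("/")
    return service.split(".")[0] + "." + rest


def lineage(resource: str) -> list:
    """The resource followed by every ancestor up to the organization."""
    chain = [resource]
    while chain[-1] in HIERARCHY:
        chain.append(HIERARCHY[chain[-1]])
    return chain


def is_allowed(member, permission, resource, bindings, deny_rules) -> bool:
    chain = lineage(resource)
    v2 = to_v2_principal(member)
    # 1. Deny rules on the resource or any ancestor are evaluated first and win outright.
    for rule in deny_rules:
        if rule.resource in chain and v2 in rule.denied_principals \
                and v2 not in rule.exception_principals \
                and permission in {deny_perm_to_iam(p) for p in rule.denied_permissions}:
            return False
    # 2. Otherwise any inherited binding whose role carries the permission suffices.
    return any(b.resource in chain and member in b.members
               and permission in ROLE_PERMISSIONS.get(b.role, set())
               for b in bindings)


# Constructed scenario mirroring the post: the external user is granted read roles
# on a project and a folder, and an org-level deny rule blocks two permissions.
BINDINGS = [
    Binding("projects/my-proj", "roles/storage.objectViewer",
            {"user:externaluser@example.com", "user:dev@example.com"}),
    Binding("folders/456", "roles/bigquery.dataViewer",
            {"user:externaluser@example.com", "user:dev@example.com"}),
]
DENY_RULES = [
    DenyRule("organizations/123",
             {"principal://goog/subject/externaluser@example.com"},
             {"storage.googleapis.com/objects.get", "bigquery.googleapis.com/tables.get"}),
]

if __name__ == "__main__":
    for who in ("user:externaluser@example.com", "user:dev@example.com"):
        for perm in ("storage.objects.get", "bigquery.tables.getData"):
            print(who, perm, is_allowed(who, perm, "projects/my-proj", BINDINGS, DENY_RULES))
```

Running it shows the external user losing storage.objects.get and bigquery.tables.get on the project despite holding both viewer roles, while bigquery.tables.getData (not in the deny rule) is still allowed and the internal developer is unaffected. Adding the external user to exception_principals re-enables access, which is the escape hatch for break-glass accounts.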

Example 2: Allow Access at Folder Level with google_folder_iam_binding

resource "google_folder_iam_binding" "folder_admin_binding" {
  folder = "folders/9876543210"
  role   = "roles/resourcemanager.folderAdmin"

  members = [
    "group:admin-group@example.com",
  ]
}

Explanation: This grants roles/resourcemanager.folderAdmin to an admin group on the folder, and through inheritance on every project and sub-folder beneath it. google_folder_iam_binding is authoritative for that role: on apply, any other principal currently holding roles/resourcemanager.folderAdmin on the folder is removed. Use google_folder_iam_member when you want to add a principal without touching existing holders.

Example 3: Allow Access at Project Level with google_project_iam_binding

provider "google" {
  project = "my-gcp-project"
  region  = "us-central1"
}

resource "google_project_iam_binding" "developer_binding" {
  project = "my-gcp-project"
  # roles/editor is a basic role spanning almost every service; a predefined or
  # custom role scoped to what the team actually uses is the least-privilege choice.
  role = "roles/editor"
  members = [
    "user:developer@example.com",
    "serviceAccount:app-sa@my-gcp-project.iam.gserviceaccount.com",
  ]
}

Explanation: This grants roles/editor to a user and a service account on the project. As with the folder example, google_project_iam_binding is authoritative for roles/editor: any other principal holding that role on the project is removed on apply. Granting roles/editor to a service account also means anything that can impersonate or obtain a key for that account inherits near-complete control of the project, which is why the Best Practices below favour narrower roles.

The next set of examples uses organization policy constraints rather than IAM. An organization policy does not grant or deny a principal access; it restricts how resources under the organization, folder or project may be configured (for example, whether VMs may have external IPs, or which customers' principals may be added to IAM policies at all). The google_organization_policy, google_folder_organization_policy and google_project_organization_policy resources below are the original (v1) org policy resources; the provider's google_org_policy_policy resource manages the same constraints through the newer API.


# Configure the Google Cloud provider
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 5.0" # Or your preferred version
    }
  }
}

provider "google" {
  # Default project for resources that omit one. The organization- and folder-level
  # resources below name their own parent, so this only matters for project-level ones.
  project = "your-root-project-id"

  # Credentials (choose your preferred authentication method)
  # credentials = file("path/to/your/credentials.json") # Example using a service account key
}


# --- Organization Level Policy ---
resource "google_organization_policy" "org_policy_example" {
  constraint = "constraints/compute.vmExternalIpAccess" # List constraint: which VM instances may have external IPs
  org_id     = "your-organization-id"                    # Replace with your numeric Organization ID

  # There is no policy_type argument; you pick list_policy or boolean_policy to
  # match the constraint's type, and the API rejects a mismatch.
  list_policy {
    deny {
      all = true # No VM in the organization may be given an external IP unless a lower-level policy overrides this
    }
  }
}



# --- Folder Level Policy ---
resource "google_folder_organization_policy" "folder_policy_example" {
  constraint = "constraints/compute.requireOsLogin" # Boolean constraint
  folder     = "folders/your-folder-id"             # The argument is folder, in folders/{id} form (not folder_id)

  boolean_policy {
    enforced = true # true enforces, false explicitly switches it off for this subtree
  }
  # To stop overriding and fall back to the inherited/default behaviour, replace
  # boolean_policy with: restore_policy { default = true }
}


# --- Project Level Policy ---
resource "google_project_organization_policy" "project_policy_example" {
  constraint = "constraints/iam.disableServiceAccountKeyCreation" # Boolean constraint
  project    = "your-project-id"                                   # Replace with your Project ID

  boolean_policy {
    enforced = true # Blocks creation of user-managed service account keys in this project
  }

  # depends_on only orders the apply; it does not make this policy inherit from the
  # folder or organization policy. A policy set here replaces the inherited one.
  depends_on = [
    google_organization_policy.org_policy_example,
    google_folder_organization_policy.folder_policy_example,
  ]
}



# --- Domain restricted sharing: which principals may be granted roles at all ---
# constraints/iam.allowedPolicyMemberDomains takes Cloud Identity / Google Workspace
# customer IDs (C0xxxxxxxx), not domain:, user: or group: principals; those values are
# rejected by the API. It limits who can be ADDED to allow policies below the resource;
# it does not remove existing bindings and it is not a deny policy.

# Project level: only principals belonging to your own customer may be granted roles
resource "google_project_organization_policy" "project_restrict_members" {
  constraint = "constraints/iam.allowedPolicyMemberDomains"
  project    = "your-project-id"

  list_policy {
    allow {
      values = [
        "C0123456789", # Replace with your customer ID (DIRECTORY_CUSTOMER_ID in: gcloud organizations list)
      ]
    }
  }
}

# Folder level: allow a partner's customer alongside your own
resource "google_folder_organization_policy" "folder_allow_partner" {
  constraint = "constraints/iam.allowedPolicyMemberDomains"
  folder     = "folders/your-folder-id"

  list_policy {
    allow {
      values = [
        "C0123456789", # your customer ID
        "C0987654321", # partner customer ID (placeholder)
      ]
    }
  }
}

# Organization level: no restriction (the default). The folder and project policies
# above replace this value for their subtree rather than merging with it, unless
# list_policy { inherit_from_parent = true } is set on them.
resource "google_organization_policy" "org_allow_all_members" {
  constraint = "constraints/iam.allowedPolicyMemberDomains"
  org_id     = "your-organization-id"

  list_policy {
    allow {
      all = true
    }
  }
}

Best Practices

  • Principle of Least Privilege: Grant only the permissions required, and avoid the basic roles (roles/owner, roles/editor, roles/viewer), which span almost every service.
  • Use Custom Roles: When predefined roles are too broad.
  • Additive versus authoritative: google_*_iam_member adds one principal to a role and leaves other holders alone; google_*_iam_binding owns the whole member list for that role, and google_*_iam_policy owns the whole policy of the resource, so an apply removes anything not in your code. Use the authoritative forms only where Terraform is meant to be the single source of truth.
  • Version Control: Store Terraform code in version control and review plans before apply, so every change to access or policy has an audit trail.
  • Policy Review: Regularly review and update IAM policies, and check what is actually in effect after apply, for example with gcloud resource-manager org-policies describe CONSTRAINT --project=PROJECT_ID --effective and gcloud projects get-iam-policy PROJECT_ID.
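Plan review is easier to enforce in CI than by eye. The script below is an added example (not part of the original post, and not a tool from HashiCorp or Google) that reads the JSON produced by terraform show -json tfplan and flags the patterns called out above: basic roles, public principals, authoritative bindings, list constraints set to allow all, and deny policies whose principals are not in v2 format. The embedded plan is a constructed sample in the shape Terraform emits (nested blocks appear as lists of objects); its addresses, members and IDs are made up.

```python
"""Guardrail over Terraform's JSON plan for risky GCP IAM and org-policy changes.

Added example, not part of the original post. Run on the output of
`terraform show -json tfplan` before apply. SAMPLE_PLAN_JSON is a constructed
plan fragment; resource addresses, members and IDs are made up.
"""
import json

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
ORG_POLICY_TYPES = {
    "google_organization_policy",
    "google_folder_organization_policy",
    "google_project_organization_policy",
}


def check_plan(plan: dict) -> list:
    """Return one finding per risky create/update in the plan."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if not ({"create", "update"} & set(change["actions"])):
            continue  # deletes and no-ops never widen access
        after = change.get("after") or {}
        rtype, addr = rc["type"], rc["address"]

        if rtype.endswith(("_iam_binding", "_iam_member")):
            role = after.get("role", "")
            members = set(after.get("members") or [])
            if after.get("member"):
                members.add(after["member"])
            if role in BASIC_ROLES:
                findings.append(f"{addr}: grants basic role {role}; prefer a predefined or custom role")
            if members & PUBLIC_MEMBERS:
                findings.append(f"{addr}: grants {role} to {sorted(members & PUBLIC_MEMBERS)}")
            if rtype.endswith("_iam_binding"):
                findings.append(f"{addr}: *_iam_binding is authoritative; every other holder of {role} is removed")

        elif rtype in ORG_POLICY_TYPES:
            for lp in after.get("list_policy") or []:
                for allow in lp.get("allow") or []:
                    if allow.get("all"):
                        findings.append(f"{addr}: {after.get('constraint')} set to allow all (no restriction)")

        elif rtype == "google_iam_deny_policy":
            for rule in after.get("rules") or []:
                for dr in rule.get("deny_rule") or []:
                    for p in dr.get("denied_principals") or []:
                        if not p.startswith(("principal://", "principalSet://")):
                            findings.append(f"{addr}: denied principal {p!r} is not a v2 principal identifier")
    return findings


# Constructed plan fragment: four changes, three of them risky.
SAMPLE_PLAN_JSON = """
{ "resource_changes": [
  { "address": "google_project_iam_binding.developer_binding",
    "type": "google_project_iam_binding",
    "change": { "actions": ["create"],
      "after": { "project": "my-gcp-project", "role": "roles/editor",
                 "members": ["user:developer@example.com",
                             "serviceAccount:app-sa@my-gcp-project.iam.gserviceaccount.com"] } } },
  { "address": "google_project_iam_member.bq_reader",
    "type": "google_project_iam_member",
    "change": { "actions": ["create"],
      "after": { "project": "my-gcp-project", "role": "roles/bigquery.dataViewer",
                 "member": "group:analysts@example.com" } } },
  { "address": "google_organization_policy.org_allow_all_members",
    "type": "google_organization_policy",
    "change": { "actions": ["update"],
      "after": { "org_id": "1234567890",
                 "constraint": "constraints/iam.allowedPolicyMemberDomains",
                 "list_policy": [ { "allow": [ { "all": true, "values": null } ], "deny": [] } ] } } },
  { "address": "google_iam_deny_policy.deny_external_access_org",
    "type": "google_iam_deny_policy",
    "change": { "actions": ["create"],
      "after": { "name": "deny-external-access-org",
                 "rules": [ { "deny_rule": [ { "denied_principals": ["user:externaluser@example.com"],
                                              "denied_permissions": ["storage.googleapis.com/objects.get"] } ] } ] } } }
] }
"""


def run_sample() -> list:
    return check_plan(json.loads(SAMPLE_PLAN_JSON))


if __name__ == "__main__":
    for line in run_sample():
        print("FINDING:", line)
```

On the sample it reports the roles/editor binding twice (basic role, authoritative), the allow-all org policy once and the malformed deny principal once, and stays silent on the additive bigquery.dataViewer grant. In CI, a non-empty result should fail the pipeline or require an explicit approval; the check is intentionally coarse and does not replace reading the plan.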

Conclusion

Managing GCP IAM policies with Terraform enhances security, consistency, and scalability. By defining both allow and deny policies as code at organization, folder, and project levels, you can streamline access control across your cloud environment. Incorporate these practices to secure your GCP resources effectively.

About Me

As the world increasingly adopts cloud-based solutions, I bring over 16 years of industry expertise to help businesses transition seamlessly to the cloud. Currently serving as a Google Cloud Principal Architect, I specialize in building highly scalable, secure, and efficient solutions on the Google Cloud Platform (GCP). My areas of expertise include cloud infrastructure design, zero-trust security, Google Cloud networking, and infrastructure automation using Terraform.

I am proud to hold multiple cloud certifications from Google Cloud, HashiCorp Terraform, Microsoft Azure, and Amazon AWS, reflecting my commitment to continuous learning and multi-cloud proficiency.

Multi-Cloud Certified

  1. Google Cloud Certified — Cloud Digital Leader
  2. Google Cloud Certified — Associate Cloud Engineer
  3. Google Cloud Certified — Professional Cloud Architect
  4. Google Cloud Certified — Professional Data Engineer
  5. Google Cloud Certified — Professional Cloud Network Engineer
  6. Google Cloud Certified — Professional Cloud Developer Engineer
  7. Google Cloud Certified — Professional Cloud DevOps Engineer
  8. Google Cloud Certified — Professional Security Engineer
  9. Google Cloud Certified — Professional Database Engineer
  10. Google Cloud Certified — Professional Workspace Administrator
  11. Google Cloud Certified — Professional Machine Learning Engineer
  12. HashiCorp Certified — Terraform Associate
  13. Microsoft Azure AZ-900 Certified
  14. Amazon AWS Certified Practitioner

Empowering Others

Beyond my professional work, I am passionate about helping professionals and students build successful careers in the cloud. Through my content and mentorship, I aim to demystify complex cloud technologies, making them accessible and practical for all skill levels. My areas of guidance include Google Cloud, AWS, Microsoft Azure, and Terraform.

I regularly share insights, tutorials, and resources on various platforms. Whether you’re preparing for a certification exam, exploring cloud architecture, or tackling DevOps challenges, my goal is to provide clear, actionable content that supports your learning journey.

Connect With Me

Stay updated with the latest in cloud computing by following me on these platforms:

I’m here to help — together, we can achieve great heights in the cloud.

Let’s connect and grow! 😊
