Enable org policy service and add README notice to modules (#936)

* enable org policy service and add README notice to modules

* fix tests

blueprints/data-solutions/data-platform-foundations/03-orchestration.tf

@@ -84,6 +84,7 @@ module "orch-project" {
     "container.googleapis.com",
     "containerregistry.googleapis.com",
     "dataflow.googleapis.com",
+    "orgpolicy.googleapis.com",
     "pubsub.googleapis.com",
     "servicenetworking.googleapis.com",
     "storage.googleapis.com",

blueprints/data-solutions/data-platform-foundations/README.md

@@ -160,9 +160,10 @@ You can find more details and best practices on using DLP to De-identification a
 [Data Catalog](https://cloud.google.com/data-catalog) helps you to document your data entry at scale. Data Catalog relies on [tags](https://cloud.google.com/data-catalog/docs/tags-and-tag-templates#tags) and [tag template](https://cloud.google.com/data-catalog/docs/tags-and-tag-templates#tag-templates) to manage metadata for all data entries in a unified and centralized service. To implement [column-level security](https://cloud.google.com/bigquery/docs/column-level-security-intro) on BigQuery, we suggest to use `Tags` and `Tag templates`.
 
 The default configuration will implement 3 tags:
- - `3_Confidential`: policy tag for columns that include very sensitive information, such as credit card numbers.
- - `2_Private`: policy tag for columns that include sensitive personal identifiable information (PII) information, such as a person's first name.
- - `1_Sensitive`: policy tag for columns that include data that cannot be made public, such as the credit limit.
+
+- `3_Confidential`: policy tag for columns that include very sensitive information, such as credit card numbers.
+- `2_Private`: policy tag for columns that include sensitive personal identifiable information (PII) information, such as a person's first name.
+- `1_Sensitive`: policy tag for columns that include data that cannot be made public, such as the credit limit.
 
 Anything that is not tagged is available to all users who have access to the data warehouse.
 
@@ -222,7 +223,7 @@ module "data-platform" {
   prefix              = "myprefix"
 }
 
-# tftest modules=42 resources=315
+# tftest modules=42 resources=316
 ```
 
 ## Customizations
@@ -238,7 +239,7 @@ To do this, you need to remove IAM binging at project-level for the `data-analys
 
 ## Demo pipeline
 
-The application layer is out of scope of this script. As a demo purpuse only, several Cloud Composer DAGs are provided. Demos will import data from the `drop off` area to the `Data Warehouse Confidential` dataset suing different features. 
+The application layer is out of scope of this script. As a demo purpuse only, several Cloud Composer DAGs are provided. Demos will import data from the `drop off` area to the `Data Warehouse Confidential` dataset suing different features.
 
 You can find examples in the `[demo](./demo)` folder.
 <!-- BEGIN TFDOC -->

blueprints/data-solutions/data-playground/main.tf

@@ -35,6 +35,7 @@ module "project" {
     "dataflow.googleapis.com",
     "ml.googleapis.com",
     "notebooks.googleapis.com",
+    "orgpolicy.googleapis.com",
     "servicenetworking.googleapis.com",
     "stackdriver.googleapis.com",
     "storage.googleapis.com",

blueprints/factories/project-factory/README.md

@@ -74,7 +74,7 @@ module "projects" {
   service_identities_iam = try(each.value.service_identities_iam, {})
   vpc                    = try(each.value.vpc, null)
 }
-# tftest modules=7 resources=28
+# tftest modules=7 resources=29
 ```
 
 ### Projects configuration

blueprints/factories/project-factory/main.tf

@@ -56,7 +56,8 @@ locals {
   ))
   _services = concat([
     "billingbudgets.googleapis.com",
-    "essentialcontacts.googleapis.com"
+    "essentialcontacts.googleapis.com",
+    "orgpolicy.googleapis.com",
     ],
     length(var.dns_zones) > 0 ? ["dns.googleapis.com"] : [],
     try(var.vpc.gke_setup, null) != null ? ["container.googleapis.com"] : [],

modules/folder/README.md

@@ -26,6 +26,8 @@ module "folder" {
 
 ### Organization policies
 
+To manage organization policies, the `orgpolicy.googleapis.com` service should be enabled in the quota project.
+
 ```hcl
 module "folder" {
   source = "./fabric/modules/folder"

modules/organization/README.md

@@ -7,6 +7,8 @@ This module allows managing several organization properties:
 - audit logging configuration for services
 - organization policies
 
+To manage organization policies, the `orgpolicy.googleapis.com` service should be enabled in the quota project.
+
 ## Example
 
 ```hcl

modules/project/README.md

@@ -156,6 +156,8 @@ module "project" {
 
 ## Organization policies
 
+To manage organization policies, the `orgpolicy.googleapis.com` service should be enabled in the quota project.
+
 ```hcl
 module "project" {
   source          = "./fabric/modules/project"

tests/blueprints/data_solutions/data_platform_foundations/test_plan.py

@@ -12,16 +12,14 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-
 import os
 import pytest
 
-
 FIXTURES_DIR = os.path.join(os.path.dirname(__file__), 'fixture')
 
 
 def test_resources(e2e_plan_runner):
   "Test that plan works and the numbers of resources is as expected."
   modules, resources = e2e_plan_runner(FIXTURES_DIR)
   assert len(modules) == 41
-  assert len(resources) == 314
+  assert len(resources) == 315

tests/blueprints/data_solutions/data_playground/test_plan.py

@@ -12,15 +12,14 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-
 import os
 import pytest
 
-
 FIXTURES_DIR = os.path.join(os.path.dirname(__file__), 'fixture')
 
+
 def test_resources(e2e_plan_runner):
   "Test that plan works and the numbers of resources is as expected."
   modules, resources = e2e_plan_runner(FIXTURES_DIR)
   assert len(modules) == 7
-  assert len(resources) == 34
+  assert len(resources) == 35