Simplify org policies in resource management modules

blueprints/data-solutions/data-playground/main.tf

@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -83,8 +83,8 @@ module "project" {
   }
 
   org_policies = {
-    # "constraints/compute.requireOsLogin" = {
-    #   enforce = false
+    # "compute.requireOsLogin" = {
+    #   rules = [{ enforce = false }]
     # }
     # Example of applying a project wide policy, mainly useful for Composer 1
   }

blueprints/data-solutions/shielded-folder/data/org-policies/compute.yaml

@@ -3,71 +3,90 @@
 # sample subset of useful organization policies, edit to suit requirements
 
 compute.disableGuestAttributesAccess:
-  enforce: true
+  rules:
+  - enforce: true
 
 compute.requireOsLogin:
-  enforce: true
+  rules:
+  - enforce: true
 
 compute.restrictLoadBalancerCreationForTypes:
-  allow:
-    values:
-    - in:INTERNAL
+  rules:
+  - allow:
+      values:
+      - in:INTERNAL
 
 compute.skipDefaultNetworkCreation:
-  enforce: true
+  rules:
+  - enforce: true
 
 compute.vmExternalIpAccess:
-  deny:
-    all: true
+  rules:
+  - deny:
+      all: true
 
 
 # compute.disableInternetNetworkEndpointGroup:
-#   enforce: true
+#   rules:
+#   - enforce: true
 
 # compute.disableNestedVirtualization:
-#   enforce: true
+#   rules:
+#   - enforce: true
 
 # compute.disableSerialPortAccess:
-#   enforce: true
+#   rules:
+#   - enforce: true
 
 # compute.restrictCloudNATUsage:
-#   deny:
-#     all: true
+#   rules:
+#   - deny:
+#       all: true
 
 # compute.restrictDedicatedInterconnectUsage:
-#   deny:
-#     all: true
+#   rules:
+#   - deny:
+#       all: true
 
 # compute.restrictPartnerInterconnectUsage:
-#   deny:
-#     all: true
+#   rules:
+#   - deny:
+#       all: true
 
 # compute.restrictProtocolForwardingCreationForTypes:
-#   deny:
-#     all: true
+#   rules:
+#   - deny:
+#       all: true
 
 # compute.restrictSharedVpcHostProjects:
-#   deny:
-#     all: true
+#   rules:
+#   - deny:
+#       all: true
 
 # compute.restrictSharedVpcSubnetworks:
-#   deny:
-#     all: true
+#   rules:
+#   - deny:
+#       all: true
 
 # compute.restrictVpcPeering:
-#   deny:
-#     all: true
+#   rules:
+#   - deny:
+#       all: true
 
 # compute.restrictVpnPeerIPs:
-#   deny:
-#     all: true
+#   rules:
+#   - deny:
+#       all: true
 
 # compute.restrictXpnProjectLienRemoval:
-#   enforce: true
+#   rules:
+#   - enforce: true
 
 # compute.setNewProjectDefaultToZonalDNSOnly:
-#   enforce: true
+#   rules:
+#   - enforce: true
 
 # compute.vmCanIpForward:
-#   deny:
-#     all: true
+#   rules:
+#   - deny:
+#       all: true

blueprints/data-solutions/shielded-folder/data/org-policies/iam.yaml

@@ -3,10 +3,13 @@
 # sample subset of useful organization policies, edit to suit requirements
 
 iam.automaticIamGrantsForDefaultServiceAccounts:
-  enforce: true
+  rules:
+  - enforce: true
 
 iam.disableServiceAccountKeyCreation:
-  enforce: true
+  rules:
+  - enforce: true
 
 iam.disableServiceAccountKeyUpload:
-  enforce: true
+  rules:
+  - enforce: true

blueprints/data-solutions/shielded-folder/data/org-policies/serverless.yaml

@@ -3,24 +3,29 @@
 # sample subset of useful organization policies, edit to suit requirements
 
 run.allowedIngress:
-  allow:
-    values:
-    - is:internal
+  rules:
+  - allow:
+      values:
+      - is:internal
 
 # run.allowedVPCEgress:
-#   allow:
-#     values:
+#   rules:
+#   - allow:
+#       values:
 #       - is:private-ranges-only
 
 # cloudfunctions.allowedIngressSettings:
-#   allow:
-#     values:
-#     - is:ALLOW_INTERNAL_ONLY
+#   rules:
+#   - allow:
+#       values:
+#       - is:ALLOW_INTERNAL_ONLY
 
 # cloudfunctions.allowedVpcConnectorEgressSettings:
-#   allow:
-#     values:
-#     - is:PRIVATE_RANGES_ONLY
+#   rules:
+#   - allow:
+#       values:
+#       - is:PRIVATE_RANGES_ONLY
 
 # cloudfunctions.requireVPCConnector:
-#   enforce: true
+#   rules:
+#   - enforce: true

blueprints/data-solutions/shielded-folder/data/org-policies/sql.yaml

@@ -3,7 +3,9 @@
 # sample subset of useful organization policies, edit to suit requirements
 
 sql.restrictAuthorizedNetworks:
-  enforce: true
+  rules:
+  - enforce: true
 
 sql.restrictPublicIp:
-  enforce: true
+  rules:
+  - enforce: true

blueprints/data-solutions/shielded-folder/data/org-policies/storage.yaml

@@ -3,4 +3,5 @@
 # sample subset of useful organization policies, edit to suit requirements
 
 storage.uniformBucketLevelAccess:
-  enforce: true
+  rules:
+  - enforce: true

blueprints/data-solutions/vertex-mlops/main.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -112,7 +112,7 @@ module "gcs-bucket" {
   encryption_key = try(local.service_encryption_keys.storage, null)
 }
 
-# Default bucket for Cloud Build to prevent error: "'us' violates constraint ‘constraints/gcp.resourceLocations’"
+# Default bucket for Cloud Build to prevent error: "'us' violates constraint ‘gcp.resourceLocations’"
 # https://stackoverflow.com/questions/53206667/cloud-build-fails-with-resource-location-constraint
 module "gcs-bucket-cloudbuild" {
   source         = "../../../modules/gcs"
@@ -230,8 +230,8 @@ module "project" {
 
   org_policies = {
     # Example of applying a project wide policy
-    # "constraints/compute.requireOsLogin" = {
-    #   enforce = false
+    # "compute.requireOsLogin" = {
+    #   rules = [{ enforce = false }]
     # }
   }
 

blueprints/factories/project-factory/README.md

@@ -156,15 +156,18 @@ labels:
 
 # [opt] Org policy overrides defined at project level
 org_policies:
-  constraints/compute.disableGuestAttributesAccess:
-    enforce: true
-  constraints/compute.trustedImageProjects:
-    allow:
-      values:
+  compute.disableGuestAttributesAccess:
+    rules:
+    - enforce: true
+  compute.trustedImageProjects:
+    rules:
+    - allow:
+        values:
         - projects/fast-dev-iac-core-0
-  constraints/compute.vmExternalIpAccess:
-    deny:
-      all: true
+  compute.vmExternalIpAccess:
+    rules:
+    - deny:
+        all: true
 
 # [opt] Service account to create for the project and their roles on the project
 # in name => [roles] format
@@ -223,8 +226,8 @@ vpc:
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
 | [billing_account_id](variables.tf#L17) | Billing account id. | <code>string</code> | ✓ |  |
-| [prefix](variables.tf#L157) | Prefix used for resource names. | <code>string</code> | ✓ |  |
-| [project_id](variables.tf#L166) | Project id. | <code>string</code> | ✓ |  |
+| [prefix](variables.tf#L144) | Prefix used for resource names. | <code>string</code> | ✓ |  |
+| [project_id](variables.tf#L153) | Project id. | <code>string</code> | ✓ |  |
 | [billing_alert](variables.tf#L22) | Billing alert configuration. | <code title="object&#40;&#123;&#10;  amount &#61; number&#10;  thresholds &#61; object&#40;&#123;&#10;    current    &#61; list&#40;number&#41;&#10;    forecasted &#61; list&#40;number&#41;&#10;  &#125;&#41;&#10;  credit_treatment &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 | [defaults](variables.tf#L35) | Project factory default values. | <code title="object&#40;&#123;&#10;  billing_account_id &#61; string&#10;  billing_alert &#61; object&#40;&#123;&#10;    amount &#61; number&#10;    thresholds &#61; object&#40;&#123;&#10;      current    &#61; list&#40;number&#41;&#10;      forecasted &#61; list&#40;number&#41;&#10;    &#125;&#41;&#10;    credit_treatment &#61; string&#10;  &#125;&#41;&#10;  environment_dns_zone  &#61; string&#10;  essential_contacts    &#61; list&#40;string&#41;&#10;  labels                &#61; map&#40;string&#41;&#10;  notification_channels &#61; list&#40;string&#41;&#10;  shared_vpc_self_link  &#61; string&#10;  vpc_host_project      &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 | [descriptive_name](variables.tf#L57) | Name of the project name. Used for project name instead of `name` variable. | <code>string</code> |  | <code>null</code> |
@@ -237,15 +240,15 @@ vpc:
 | [iam_additive](variables.tf#L99) | Custom additive IAM settings in role => [principal] format. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [kms_service_agents](variables.tf#L105) | KMS IAM configuration in as service => [key]. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [labels](variables.tf#L111) | Labels to be assigned at project level. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
-| [org_policies](variables.tf#L117) | Org-policy overrides at project level. | <code title="map&#40;object&#40;&#123;&#10;  inherit_from_parent &#61; optional&#40;bool&#41; &#35; for list policies only.&#10;  reset               &#61; optional&#40;bool&#41;&#10;  allow &#61; optional&#40;object&#40;&#123;&#10;    all    &#61; optional&#40;bool&#41;&#10;    values &#61; optional&#40;list&#40;string&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  deny &#61; optional&#40;object&#40;&#123;&#10;    all    &#61; optional&#40;bool&#41;&#10;    values &#61; optional&#40;list&#40;string&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  enforce &#61; optional&#40;bool, true&#41; &#35; for boolean policies only.&#10;  rules &#61; optional&#40;list&#40;object&#40;&#123;&#10;    allow &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    deny &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    enforce &#61; optional&#40;bool, true&#41; &#35; for boolean policies only.&#10;    condition &#61; object&#40;&#123;&#10;      description &#61; optional&#40;string&#41;&#10;      expression  &#61; optional&#40;string&#41;&#10;      location    &#61; optional&#40;string&#41;&#10;      title       &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#10;  &#125;&#41;&#41;, &#91;&#93;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [service_accounts](variables.tf#L171) | Service accounts to be created, and roles assigned them on the project. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [service_accounts_additive](variables.tf#L177) | Service accounts to be created, and roles assigned them on the project additively. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [service_accounts_iam](variables.tf#L183) | IAM bindings on service account resources. Format is KEY => {ROLE => [MEMBERS]}. | <code>map&#40;map&#40;list&#40;string&#41;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [service_accounts_iam_additive](variables.tf#L190) | IAM additive bindings on service account resources. Format is KEY => {ROLE => [MEMBERS]}. | <code>map&#40;map&#40;list&#40;string&#41;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [service_identities_iam](variables.tf#L197) | Custom IAM settings for service identities in service => [role] format. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [service_identities_iam_additive](variables.tf#L204) | Custom additive IAM settings for service identities in service => [role] format. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [services](variables.tf#L211) | Services to be enabled for the project. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
-| [vpc](variables.tf#L218) | VPC configuration for the project. | <code title="object&#40;&#123;&#10;  host_project &#61; string&#10;  gke_setup &#61; object&#40;&#123;&#10;    enable_security_admin     &#61; bool&#10;    enable_host_service_agent &#61; bool&#10;  &#125;&#41;&#10;  subnets_iam &#61; map&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [org_policies](variables.tf#L117) | Org-policy overrides at project level. | <code title="map&#40;object&#40;&#123;&#10;  inherit_from_parent &#61; optional&#40;bool&#41; &#35; for list policies only.&#10;  reset               &#61; optional&#40;bool&#41;&#10;  rules &#61; optional&#40;list&#40;object&#40;&#123;&#10;    allow &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    deny &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    enforce &#61; optional&#40;bool&#41; &#35; for boolean policies only.&#10;    condition &#61; optional&#40;object&#40;&#123;&#10;      description &#61; optional&#40;string&#41;&#10;      expression  &#61; optional&#40;string&#41;&#10;      location    &#61; optional&#40;string&#41;&#10;      title       &#61; optional&#40;string&#41;&#10;    &#125;&#41;, &#123;&#125;&#41;&#10;  &#125;&#41;&#41;, &#91;&#93;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [service_accounts](variables.tf#L158) | Service accounts to be created, and roles assigned them on the project. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [service_accounts_additive](variables.tf#L164) | Service accounts to be created, and roles assigned them on the project additively. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [service_accounts_iam](variables.tf#L170) | IAM bindings on service account resources. Format is KEY => {ROLE => [MEMBERS]}. | <code>map&#40;map&#40;list&#40;string&#41;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [service_accounts_iam_additive](variables.tf#L177) | IAM additive bindings on service account resources. Format is KEY => {ROLE => [MEMBERS]}. | <code>map&#40;map&#40;list&#40;string&#41;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [service_identities_iam](variables.tf#L184) | Custom IAM settings for service identities in service => [role] format. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [service_identities_iam_additive](variables.tf#L191) | Custom additive IAM settings for service identities in service => [role] format. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [services](variables.tf#L198) | Services to be enabled for the project. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
+| [vpc](variables.tf#L205) | VPC configuration for the project. | <code title="object&#40;&#123;&#10;  host_project &#61; string&#10;  gke_setup &#61; object&#40;&#123;&#10;    enable_security_admin     &#61; bool&#10;    enable_host_service_agent &#61; bool&#10;  &#125;&#41;&#10;  subnets_iam &#61; map&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 
 ## Outputs
 

blueprints/factories/project-factory/sample-data/projects/project.yaml

@@ -48,15 +48,18 @@ labels:
 
 # [opt] Org policy overrides defined at project level
 org_policies:
-  constraints/compute.disableGuestAttributesAccess:
-    enforce: true
-  constraints/compute.trustedImageProjects:
-    allow:
-      values:
+  compute.disableGuestAttributesAccess:
+    rules:
+    - enforce: true
+  compute.trustedImageProjects:
+    rules:
+    - allow:
+        values:
         - projects/fast-dev-iac-core-0
-  constraints/compute.vmExternalIpAccess:
-    deny:
-      all: true
+  compute.vmExternalIpAccess:
+    rules:
+    - deny:
+        all: true
 
 # [opt] Prefix - overrides default if set
 prefix: test1

blueprints/factories/project-factory/variables.tf

@@ -119,19 +119,6 @@ variable "org_policies" {
   type = map(object({
     inherit_from_parent = optional(bool) # for list policies only.
     reset               = optional(bool)
-
-    # default (unconditional) values
-    allow = optional(object({
-      all    = optional(bool)
-      values = optional(list(string))
-    }))
-    deny = optional(object({
-      all    = optional(bool)
-      values = optional(list(string))
-    }))
-    enforce = optional(bool, true) # for boolean policies only.
-
-    # conditional values
     rules = optional(list(object({
       allow = optional(object({
         all    = optional(bool)
@@ -141,13 +128,13 @@ variable "org_policies" {
         all    = optional(bool)
         values = optional(list(string))
       }))
-      enforce = optional(bool, true) # for boolean policies only.
-      condition = object({
+      enforce = optional(bool) # for boolean policies only.
+      condition = optional(object({
         description = optional(string)
         expression  = optional(string)
         location    = optional(string)
         title       = optional(string)
-      })
+      }), {})
     })), [])
   }))
   default  = {}

blueprints/gke/multitenant-fleet/main.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -64,10 +64,10 @@ module "gke-project-0" {
   }
   # specify project-level org policies here if you need them
   # policy_boolean = {
-  #   "constraints/compute.disableGuestAttributesAccess" = true
+  #   "compute.disableGuestAttributesAccess" = true
   # }
   # policy_list = {
-  #   "constraints/compute.trustedImageProjects" = {
+  #   "compute.trustedImageProjects" = {
   #     inherit_from_parent = null
   #     suggested_value     = null
   #     status              = true