From 841060d145036cb8c31eb36c57d1c17bab96e99d Mon Sep 17 00:00:00 2001
From: Nehal Kathrotia
Date: Fri, 4 Oct 2024 06:02:56 +0000
Subject: [PATCH 1/2] Add Policy Parameters support for Managed constraints
---
 mmv1/products/orgpolicy/Policy.yaml | 20 +++++++++++++++++
 ...g_policy_policy_parameters_enforce.tf.tmpl | 22 +++++++++++++++++++
 2 files changed, 42 insertions(+)
 create mode 100644 mmv1/templates/terraform/examples/org_policy_policy_parameters_enforce.tf.tmpl
diff --git a/mmv1/products/orgpolicy/Policy.yaml b/mmv1/products/orgpolicy/Policy.yaml
index 4cab4df0b1b0..328565544704 100644
--- a/mmv1/products/orgpolicy/Policy.yaml
+++ b/mmv1/products/orgpolicy/Policy.yaml
@@ -54,6 +54,10 @@ examples:
 - name: 'org_policy_policy_dry_run_spec'
 primary_resource_id: 'primary'
 exclude_test: true
+ - name: 'org_policy_policy_parameters_enforce'
+ primary_resource_id: 'primary'
+ exclude_test: true
+ min_version: 'beta'
 parameters:
 - name: 'parent'
 type: String
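Review bot: The new example entry is registered with `exclude_test: true`, so nothing generated from this hunk exercises the `parameters` expand/flatten path or even parses the example's HCL. If the exclusion is for credential reasons, as the sibling `org_policy_policy_dry_run_spec` entry suggests, coverage could come from the handwritten `resource_org_policy_policy_test.go` instead, which PATCH 2/2 touches only with a trailing blank line. The entry also writes `min_version: 'beta'` quoted, while the property hunks later in this patch write `min_version: beta` unquoted; pick one form. The identical hunk in PATCH 2/2 has the same points.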
@@ -121,6 +125,14 @@ properties:
 send_empty_value: true
 custom_flatten: 'templates/terraform/custom_flatten/enum_bool.go.tmpl'
 custom_expand: 'templates/terraform/custom_expand/enum_bool.go.tmpl'
+ - name: 'parameters'
+ description: 'Optional. Required for Managed Constraints if parameters defined in constraints. Pass parameter values when policy enforcement is enabled. Ensure that parameter value types match those defined in the constraint definition. For example: { \"allowedLocations\" : [\"us-east1\", \"us-west1\"], \"allowAll\" : true }'
+ min_version: beta
+ custom_flatten: 'templates/terraform/custom_flatten/json_schema.tmpl'
+ custom_expand: 'templates/terraform/custom_expand/json_schema.tmpl'
+ state_func: 'func(v interface{}) string { s, _ := structure.NormalizeJsonString(v); return s }'
+ validation:
+ function: 'validation.StringIsJSON'
 - name: 'condition'
 type: NestedObject
 description: 'A condition which determines whether this rule is used in the evaluation of the policy. When set, the `expression` field in the `Expr'' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag(''/tag_key_short_name, ''tag_value_short_name'')". or "resource.matchTagId(''tagKeys/key_id'', ''tagValues/value_id'')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag(''123456789/environment, ''prod'')". or "resource.matchTagId(''tagKeys/123'', ''tagValues/456'')".'
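Review bot: The new `parameters` property declares no `type:`, while every sibling property visible in this hunk does (`type: String`, `type: NestedObject`); given the `json_schema` custom_flatten/custom_expand and `validation.StringIsJSON`, it looks intended as a JSON-encoded string, so add `type: String` directly under `- name: 'parameters'`. The `\"` sequences in the description are literal inside a YAML single-quoted scalar, so the generated documentation will show backslashes; the file's other descriptions use bare `"` inside single quotes, i.e. `For example: { "allowedLocations" : ["us-east1", "us-west1"], "allowAll" : true }`. The opening "Optional. Required for Managed Constraints if parameters defined in constraints." contradicts itself; something like "Optional. Parameter values for a managed constraint that defines parameters; required for such constraints when enforcement is enabled. Value types must match the constraint definition." states the contract clearly. The same applies to the identical `dry_run_spec` hunk at `@@ -197,6 +209,14 @@` below and to both hunks as repeated in PATCH 2/2.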
@@ -197,6 +209,14 @@ properties:
 send_empty_value: true
 custom_flatten: 'templates/terraform/custom_flatten/enum_bool.go.tmpl'
 custom_expand: 'templates/terraform/custom_expand/enum_bool.go.tmpl'
+ - name: 'parameters'
+ description: 'Optional. Required for Managed Constraints if parameters defined in constraints. Pass parameter values when policy enforcement is enabled. Ensure that parameter value types match those defined in the constraint definition. For example: { \"allowedLocations\" : [\"us-east1\", \"us-west1\"], \"allowAll\" : true }'
+ min_version: beta
+ custom_flatten: 'templates/terraform/custom_flatten/json_schema.tmpl'
+ custom_expand: 'templates/terraform/custom_expand/json_schema.tmpl'
+ state_func: 'func(v interface{}) string { s, _ := structure.NormalizeJsonString(v); return s }'
+ validation:
+ function: 'validation.StringIsJSON'
 - name: 'condition'
 type: NestedObject
 description: 'A condition which determines whether this rule is used in the evaluation of the policy. When set, the `expression` field in the `Expr'' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag(''/tag_key_short_name, ''tag_value_short_name'')". or "resource.matchTagId(''tagKeys/key_id'', ''tagValues/value_id'')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag(''123456789/environment, ''prod'')". or "resource.matchTagId(''tagKeys/123'', ''tagValues/456'')".'
diff --git a/mmv1/templates/terraform/examples/org_policy_policy_parameters_enforce.tf.tmpl b/mmv1/templates/terraform/examples/org_policy_policy_parameters_enforce.tf.tmpl
new file mode 100644
index 000000000000..8e6e71dafa68
--- /dev/null
+++ b/mmv1/templates/terraform/examples/org_policy_policy_parameters_enforce.tf.tmpl
@@ -0,0 +1,22 @@
+resource "google_org_policy_policy" "primary" {
+ provider = google-beta
+ name = "projects/${google_project.basic.name}/policies/iam.managed.disableServiceAccountKeyUpload"
+ parent = "projects/${google_project.basic.name}"
+
+ spec {
+ rules {
+ enforce = "FALSE"
+ parameters {
+ "allowAll" : true
+ "allowedLocations" : ["us-east1", "us-west1"]
+ }
+ }
+ }
+}
+
+resource "google_project" "basic" {
+ project_id = "id"
+ name = "id"
+ org_id = "123456789"
+ deletion_policy = "DELETE"
+}
From b3536a2f22ed90cd1e8449cfa4918a75814fb66f Mon Sep 17 00:00:00 2001
From: Nehal Kathrotia
Date: Fri, 4 Oct 2024 06:02:56 +0000
Subject: [PATCH 2/2] Add Policy Parameters support for Managed constraints
---
 mmv1/products/orgpolicy/Policy.yaml | 20 +++++++++++++++++
 ...g_policy_policy_parameters_enforce.tf.tmpl | 22 +++++++++++++++++++
 .../resource_org_policy_policy_test.go | 1 +
 3 files changed, 43 insertions(+)
 create mode 100644 mmv1/templates/terraform/examples/org_policy_policy_parameters_enforce.tf.tmpl
diff --git a/mmv1/products/orgpolicy/Policy.yaml b/mmv1/products/orgpolicy/Policy.yaml
index 6a5260d3efa6..2ed40d8f1f19 100644
--- a/mmv1/products/orgpolicy/Policy.yaml
+++ b/mmv1/products/orgpolicy/Policy.yaml
@@ -54,6 +54,10 @@ examples:
 - name: 'org_policy_policy_dry_run_spec'
 primary_resource_id: 'primary'
 exclude_test: true
+ - name: 'org_policy_policy_parameters_enforce'
+ primary_resource_id: 'primary'
+ exclude_test: true
+ min_version: 'beta'
 parameters:
 - name: 'parent'
 type: String
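Review bot: The `parameters { "allowAll" : true ... }` block in the example is not valid native HCL (a block body holds `key = value` attributes or nested blocks, not `"key" : value` pairs), and it does not match the property added in the Policy.yaml hunks, which is expanded/flattened through the `json_schema` templates and validated with `validation.StringIsJSON`, i.e. a string attribute; the consistent form is `parameters = jsonencode({ allowAll = true, allowedLocations = ["us-east1", "us-west1"] })`. The example also sets `enforce = "FALSE"` while the property description says parameter values are passed when enforcement is enabled, so `enforce = "TRUE"` would make the example demonstrate the documented case. The parameter names appear to be copied from the description's generic example rather than taken from the definition of `iam.managed.disableServiceAccountKeyUpload`; worth confirming against that constraint, since the description requires the value types to match it. Because the example is registered with `exclude_test: true`, none of this is caught by generated tests. The identical hunk in PATCH 2/2 has the same issues.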
@@ -121,6 +125,14 @@ properties:
 send_empty_value: true
 custom_flatten: 'templates/terraform/custom_flatten/enum_bool.go.tmpl'
 custom_expand: 'templates/terraform/custom_expand/enum_bool.go.tmpl'
+ - name: 'parameters'
+ description: 'Optional. Required for Managed Constraints if parameters defined in constraints. Pass parameter values when policy enforcement is enabled. Ensure that parameter value types match those defined in the constraint definition. For example: { \"allowedLocations\" : [\"us-east1\", \"us-west1\"], \"allowAll\" : true }'
+ min_version: beta
+ custom_flatten: 'templates/terraform/custom_flatten/json_schema.tmpl'
+ custom_expand: 'templates/terraform/custom_expand/json_schema.tmpl'
+ state_func: 'func(v interface{}) string { s, _ := structure.NormalizeJsonString(v); return s }'
+ validation:
+ function: 'validation.StringIsJSON'
 - name: 'condition'
 type: NestedObject
 description: 'A condition which determines whether this rule is used in the evaluation of the policy. When set, the `expression` field in the `Expr'' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag(''/tag_key_short_name, ''tag_value_short_name'')". or "resource.matchTagId(''tagKeys/key_id'', ''tagValues/value_id'')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag(''123456789/environment, ''prod'')". or "resource.matchTagId(''tagKeys/123'', ''tagValues/456'')".'
@@ -197,6 +209,14 @@ properties:
 send_empty_value: true
 custom_flatten: 'templates/terraform/custom_flatten/enum_bool.go.tmpl'
 custom_expand: 'templates/terraform/custom_expand/enum_bool.go.tmpl'
+ - name: 'parameters'
+ description: 'Optional. Required for Managed Constraints if parameters defined in constraints. Pass parameter values when policy enforcement is enabled. Ensure that parameter value types match those defined in the constraint definition. For example: { \"allowedLocations\" : [\"us-east1\", \"us-west1\"], \"allowAll\" : true }'
+ min_version: beta
+ custom_flatten: 'templates/terraform/custom_flatten/json_schema.tmpl'
+ custom_expand: 'templates/terraform/custom_expand/json_schema.tmpl'
+ state_func: 'func(v interface{}) string { s, _ := structure.NormalizeJsonString(v); return s }'
+ validation:
+ function: 'validation.StringIsJSON'
 - name: 'condition'
 type: NestedObject
 description: 'A condition which determines whether this rule is used in the evaluation of the policy. When set, the `expression` field in the `Expr'' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag(''/tag_key_short_name, ''tag_value_short_name'')". or "resource.matchTagId(''tagKeys/key_id'', ''tagValues/value_id'')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag(''123456789/environment, ''prod'')". or "resource.matchTagId(''tagKeys/123'', ''tagValues/456'')".'
diff --git a/mmv1/templates/terraform/examples/org_policy_policy_parameters_enforce.tf.tmpl b/mmv1/templates/terraform/examples/org_policy_policy_parameters_enforce.tf.tmpl
new file mode 100644
index 000000000000..8e6e71dafa68
--- /dev/null
+++ b/mmv1/templates/terraform/examples/org_policy_policy_parameters_enforce.tf.tmpl
@@ -0,0 +1,22 @@
+resource "google_org_policy_policy" "primary" {
+ provider = google-beta
+ name = "projects/${google_project.basic.name}/policies/iam.managed.disableServiceAccountKeyUpload"
+ parent = "projects/${google_project.basic.name}"
+
+ spec {
+ rules {
+ enforce = "FALSE"
+ parameters {
+ "allowAll" : true
+ "allowedLocations" : ["us-east1", "us-west1"]
+ }
+ }
+ }
+}
+
+resource "google_project" "basic" {
+ project_id = "id"
+ name = "id"
+ org_id = "123456789"
+ deletion_policy = "DELETE"
+}
diff --git a/mmv1/third_party/terraform/services/orgpolicy/resource_org_policy_policy_test.go b/mmv1/third_party/terraform/services/orgpolicy/resource_org_policy_policy_test.go
index f4cb03f24fde..1e0a65c8b97c 100644
--- a/mmv1/third_party/terraform/services/orgpolicy/resource_org_policy_policy_test.go
+++ b/mmv1/third_party/terraform/services/orgpolicy/resource_org_policy_policy_test.go
@@ -458,3 +458,4 @@ func testAccCheckOrgPolicyPolicyDestroyProducer(t *testing.T) func(s *terraform.
 return nil
 }
 }
+