Skip to content

Commit

Permalink
Add parameters to google_org_policy_policy (GoogleCloudPlatform#1…
Browse files Browse the repository at this point in the history
  • Loading branch information
nehalk-tf authored and amanMahendroo committed Dec 17, 2024
1 parent 7dc3058 commit 74ce8bc
Show file tree
Hide file tree
Showing 3 changed files with 138 additions and 0 deletions.
17 changes: 17 additions & 0 deletions mmv1/products/orgpolicy/Policy.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,9 @@ examples:
- name: 'org_policy_policy_dry_run_spec'
primary_resource_id: 'primary'
exclude_test: true
- name: 'org_policy_policy_parameters_enforce'
primary_resource_id: 'primary'
exclude_test: true
parameters:
- name: 'parent'
type: String
Expand Down Expand Up @@ -121,6 +124,13 @@ properties:
send_empty_value: true
custom_flatten: 'templates/terraform/custom_flatten/enum_bool.go.tmpl'
custom_expand: 'templates/terraform/custom_expand/enum_bool.go.tmpl'
- name: 'parameters'
description: 'Optional. Required for Managed Constraints if parameters defined in constraints. Pass parameter values when policy enforcement is enabled. Ensure that parameter value types match those defined in the constraint definition. For example: { \"allowedLocations\" : [\"us-east1\", \"us-west1\"], \"allowAll\" : true }'
custom_flatten: 'templates/terraform/custom_flatten/json_schema.tmpl'
custom_expand: 'templates/terraform/custom_expand/json_schema.tmpl'
state_func: 'func(v interface{}) string { s, _ := structure.NormalizeJsonString(v); return s }'
validation:
function: 'validation.StringIsJSON'
- name: 'condition'
type: NestedObject
description: 'A condition which determines whether this rule is used in the evaluation of the policy. When set, the `expression` field in the `Expr'' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag(''/tag_key_short_name, ''tag_value_short_name'')". or "resource.matchTagId(''tagKeys/key_id'', ''tagValues/value_id'')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag(''123456789/environment, ''prod'')". or "resource.matchTagId(''tagKeys/123'', ''tagValues/456'')".'
Expand Down Expand Up @@ -197,6 +207,13 @@ properties:
send_empty_value: true
custom_flatten: 'templates/terraform/custom_flatten/enum_bool.go.tmpl'
custom_expand: 'templates/terraform/custom_expand/enum_bool.go.tmpl'
- name: 'parameters'
description: 'Optional. Required for Managed Constraints if parameters defined in constraints. Pass parameter values when policy enforcement is enabled. Ensure that parameter value types match those defined in the constraint definition. For example: { \"allowedLocations\" : [\"us-east1\", \"us-west1\"], \"allowAll\" : true }'
custom_flatten: 'templates/terraform/custom_flatten/json_schema.tmpl'
custom_expand: 'templates/terraform/custom_expand/json_schema.tmpl'
state_func: 'func(v interface{}) string { s, _ := structure.NormalizeJsonString(v); return s }'
validation:
function: 'validation.StringIsJSON'
- name: 'condition'
type: NestedObject
description: 'A condition which determines whether this rule is used in the evaluation of the policy. When set, the `expression` field in the `Expr'' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag(''/tag_key_short_name, ''tag_value_short_name'')". or "resource.matchTagId(''tagKeys/key_id'', ''tagValues/value_id'')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag(''123456789/environment, ''prod'')". or "resource.matchTagId(''tagKeys/123'', ''tagValues/456'')".'
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
resource "google_org_policy_policy" "primary" {
name = "projects/${google_project.basic.name}/policies/compute.managed.restrictDiskCreation"
parent = "projects/${google_project.basic.name}"

spec {
rules {
enforce = "TRUE"
parameters = jsonencode({"isSizeLimitCheck" : true, "allowedDiskTypes" : ["pd-ssd", "pd-standard"]})
}
}
}

resource "google_project" "basic" {
project_id = "id"
name = "id"
org_id = "123456789"
deletion_policy = "DELETE"
}
Original file line number Diff line number Diff line change
Expand Up @@ -458,3 +458,106 @@ func testAccCheckOrgPolicyPolicyDestroyProducer(t *testing.T) func(s *terraform.
return nil
}
}
func TestAccOrgPolicyPolicy_EnforceParameterizedMCPolicy(t *testing.T) {
// Skip this test as no constraints yet launched in production, verified functionality with manual testing.
t.Skip()
t.Parallel()

context := map[string]interface{}{
"org_id": envvar.GetTestOrgFromEnv(t),
"random_suffix": acctest.RandString(t, 10),
}

acctest.VcrTest(t, resource.TestCase{
PreCheck: func() { acctest.AccTestPreCheck(t) },
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
CheckDestroy: testAccCheckOrgPolicyPolicyDestroyProducer(t),
Steps: []resource.TestStep{
{
Config: testAccOrgPolicyPolicy_EnforceParameterizedMCPolicy(context),
},
{
ResourceName: "google_org_policy_policy.primary",
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"name", "spec.0.rules.0.condition.0.expression"},
},
},
})
}
func testAccOrgPolicyPolicy_EnforceParameterizedMCPolicy(context map[string]interface{}) string {
return acctest.Nprintf(`
resource "google_org_policy_policy" "primary" {
name = "projects/${google_project.basic.name}/policies/essentialcontacts.managed.allowedContactDomains"
parent = "projects/${google_project.basic.name}"
spec {
rules {
enforce = "TRUE"
parameters = "{\"allowedDomains\": [\"@google.com\"]}"
}
}
}
resource "google_project" "basic" {
project_id = "tf-test-id%{random_suffix}"
name = "tf-test-id%{random_suffix}"
org_id = "%{org_id}"
deletion_policy = "DELETE"
}
`, context)
}

func TestAccOrgPolicyPolicy_EnforceParameterizedMCDryRunPolicy(t *testing.T) {
// Skip this test as no constraints yet launched in production, verified functionality with manual testing.
t.Skip()
t.Parallel()

context := map[string]interface{}{
"org_id": envvar.GetTestOrgFromEnv(t),
"random_suffix": acctest.RandString(t, 10),
}

acctest.VcrTest(t, resource.TestCase{
PreCheck: func() { acctest.AccTestPreCheck(t) },
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
CheckDestroy: testAccCheckOrgPolicyPolicyDestroyProducer(t),
Steps: []resource.TestStep{
{
Config: testAccOrgPolicyPolicy_EnforceParameterizedMCDryRunPolicy(context),
},
{
ResourceName: "google_org_policy_policy.primary",
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"name", "spec.0.rules.0.condition.0.expression"},
},
},
})
}
func testAccOrgPolicyPolicy_EnforceParameterizedMCDryRunPolicy(context map[string]interface{}) string {
return acctest.Nprintf(`
resource "google_org_policy_policy" "primary" {
name = "projects/${google_project.basic.name}/policies/essentialcontacts.managed.allowedContactDomains"
parent = "projects/${google_project.basic.name}"
dry_run_spec {
rules {
enforce = "TRUE"
parameters = "{\"allowedDomains\": [\"@google.com\"]}"
}
}
}
resource "google_project" "basic" {
project_id = "tf-test-id%{random_suffix}"
name = "tf-test-id%{random_suffix}"
org_id = "%{org_id}"
deletion_policy = "DELETE"
}
`, context)
}

0 comments on commit 74ce8bc

Please sign in to comment.