Added org policy policy resource. (#5199) (#10111)

* Added org policy policy resource. * Added additional comments. * Allow resources to use the normal terraform ID process by default - DCL by override. * Added a way to expand and flatten between terraform strings and dcl booleans. * Updated GA version of policy.yaml. * Ran make upgrade-dcl (and added missing tab to tf go.mod). * Added NO_SWEEPER override for orgpolicy policy and formatting for id construction errors. Co-authored-by: Nathan Mckinley <[email protected]> Signed-off-by: Modular Magician <[email protected]> Co-authored-by: Nathan Mckinley <[email protected]>
hashicorp · Sep 20, 2021 · df046c3 · df046c3
1 parent b8f779f
commit df046c3
Show file tree

Hide file tree

Showing 24 changed files with 1,357 additions and 13 deletions.
diff --git a/.changelog/5199.txt b/.changelog/5199.txt
@@ -0,0 +1,3 @@
+```release-note:new-resource
+`google_org_policy_policy`
+```
diff --git a/go.mod b/go.mod
@@ -1,7 +1,7 @@
 module github.com/hashicorp/terraform-provider-google
 require (
 	cloud.google.com/go/bigtable v1.10.1
-	github.com/GoogleCloudPlatform/declarative-resource-client-library v0.0.0-20210914194833-2626db3d194d
+	github.com/GoogleCloudPlatform/declarative-resource-client-library v0.0.0-20210918014849-ef8e2b337288
 	github.com/apparentlymart/go-cidr v1.1.0
 	github.com/client9/misspell v0.3.4
 	github.com/davecgh/go-spew v1.1.1

diff --git a/go.sum b/go.sum
@@ -1405,3 +1405,7 @@ rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
+github.com/GoogleCloudPlatform/declarative-resource-client-library v0.0.0-20210918014849-ef8e2b337288 h1:mMwzB+vf5cvKCKAl1RocM5CqHhr8NtEKpP8ioSDVhO4=
+github.com/GoogleCloudPlatform/declarative-resource-client-library v0.0.0-20210918014849-ef8e2b337288/go.mod h1:oEeBHikdF/NrnUy0ornVaY1OT+jGvTqm+LQS0+ZDKzU=
+github.com/GoogleCloudPlatform/declarative-resource-client-library v0.0.0-20210918014849-ef8e2b337288 h1:mMwzB+vf5cvKCKAl1RocM5CqHhr8NtEKpP8ioSDVhO4=
+github.com/GoogleCloudPlatform/declarative-resource-client-library v0.0.0-20210918014849-ef8e2b337288/go.mod h1:oEeBHikdF/NrnUy0ornVaY1OT+jGvTqm+LQS0+ZDKzU=
diff --git a/google/config.go b/google/config.go
@@ -168,9 +168,11 @@ type Config struct {
 
 	// start DCLBasePaths
 	// dataprocBasePath is implemented in mm
-	AssuredWorkloadsBasePath string
-	EventarcBasePath         string
-	GkeHubBasePath           string
+	AssuredWorkloadsBasePath     string
+	CloudResourceManagerBasePath string
+	EventarcBasePath             string
+	GkeHubBasePath               string
+	OrgPolicyBasePath            string
 }
 
 const AccessApprovalBasePathKey = "AccessApproval"

diff --git a/google/expanders.go b/google/expanders.go
@@ -46,3 +46,20 @@ func convertIntegerArr(v []interface{}) []int64 {
 	}
 	return vi
 }
+
+// Returns the DCL representation of a three-state boolean value represented by a string in terraform.
+func expandEnumBool(v interface{}) *bool {
+	s, ok := v.(string)
+	if !ok {
+		return nil
+	}
+	switch s {
+	case "TRUE":
+		b := true
+		return &b
+	case "FALSE":
+		b := false
+		return &b
+	}
+	return nil
+}
diff --git a/google/flatteners.go b/google/flatteners.go
@@ -0,0 +1,13 @@
+package google
+
+// Returns the terraform representation of a three-state boolean value represented by a pointer to bool in DCL.
+func flattenEnumBool(v interface{}) string {
+	b, ok := v.(*bool)
+	if !ok || b == nil {
+		return ""
+	}
+	if *b {
+		return "TRUE"
+	}
+	return "FALSE"
+}
diff --git a/google/orgpolicy_utils.go b/google/orgpolicy_utils.go
@@ -0,0 +1,28 @@
+package google
+
+import (
+	"fmt"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+// OrgPolicyPolicy has a custom import method because the parent field needs to allow an additional forward slash
+// to represent the type of parent (e.g. projects/{project_id}).
+func resourceOrgPolicyPolicyCustomImport(d *schema.ResourceData, meta interface{}) error {
+	config := meta.(*Config)
+	if err := parseImportId([]string{
+		"^(?P<parent>[^/]+/?[^/]*)/policies/(?P<name>[^/]+)",
+		"^(?P<parent>[^/]+/?[^/]*)/(?P<name>[^/]+)",
+	}, d, config); err != nil {
+		return err
+	}
+
+	// Replace import id for the resource id
+	id, err := replaceVarsRecursive(d, config, "{{parent}}/policies/{{name}}", false, 0)
+	if err != nil {
+		return fmt.Errorf("Error constructing id: %s", err)
+	}
+	d.SetId(id)
+
+	return nil
+}
diff --git a/google/provider.go b/google/provider.go
@@ -695,8 +695,10 @@ func Provider() *schema.Provider {
 
 			// dcl
 			AssuredWorkloadsEndpointEntryKey:             AssuredWorkloadsEndpointEntry,
+			CloudResourceManagerEndpointEntryKey:         CloudResourceManagerEndpointEntry,
 			EventarcEndpointEntryKey:                     EventarcEndpointEntry,
 			GkeHubFeatureCustomEndpointEntryKey:          GkeHubFeatureCustomEndpointEntry,
+			OrgPolicyEndpointEntryKey:                    OrgPolicyEndpointEntry,
 			PrivatecaCertificateTemplateEndpointEntryKey: PrivatecaCertificateTemplateCustomEndpointEntry,
 		},
 
@@ -1204,6 +1206,7 @@ func ResourceMapWithErrors() (map[string]*schema.Resource, error) {
 			"google_compute_firewall_policy_rule":        resourceComputeFirewallPolicyRule(),
 			"google_dataproc_workflow_template":          resourceDataprocWorkflowTemplate(),
 			"google_eventarc_trigger":                    resourceEventarcTrigger(),
+			"google_org_policy_policy":                   resourceOrgPolicyPolicy(),
 			"google_privateca_certificate_template":      resourcePrivatecaCertificateTemplate(),
 		},
 		// ------------------------------------
@@ -1431,8 +1434,10 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData, p *schema.Pr
 
 	// dcl
 	config.AssuredWorkloadsBasePath = d.Get(AssuredWorkloadsEndpointEntryKey).(string)
+	config.CloudResourceManagerBasePath = d.Get(CloudResourceManagerEndpointEntryKey).(string)
 	config.EventarcBasePath = d.Get(EventarcEndpointEntryKey).(string)
 	config.GkeHubBasePath = d.Get(GkeHubFeatureCustomEndpointEntryKey).(string)
+	config.OrgPolicyBasePath = d.Get(OrgPolicyEndpointEntryKey).(string)
 	config.PrivatecaBasePath = d.Get(PrivatecaCertificateTemplateEndpointEntryKey).(string)
 
 	stopCtx, ok := schema.StopContext(ctx)

diff --git a/google/provider_dcl_client_creation.go b/google/provider_dcl_client_creation.go
@@ -19,9 +19,11 @@ import (
 	dcl "github.com/GoogleCloudPlatform/declarative-resource-client-library/dcl"
 
 	assuredworkloads "github.com/GoogleCloudPlatform/declarative-resource-client-library/services/google/assuredworkloads"
+	cloudresourcemanager "github.com/GoogleCloudPlatform/declarative-resource-client-library/services/google/cloudresourcemanager"
 	compute "github.com/GoogleCloudPlatform/declarative-resource-client-library/services/google/compute"
 	dataproc "github.com/GoogleCloudPlatform/declarative-resource-client-library/services/google/dataproc"
 	eventarc "github.com/GoogleCloudPlatform/declarative-resource-client-library/services/google/eventarc"
+	orgpolicy "github.com/GoogleCloudPlatform/declarative-resource-client-library/services/google/orgpolicy"
 	privateca "github.com/GoogleCloudPlatform/declarative-resource-client-library/services/google/privateca"
 )
 
@@ -44,6 +46,25 @@ func NewDCLAssuredWorkloadsClient(config *Config, userAgent, billingProject stri
 	return assuredworkloads.NewClient(dclConfig)
 }
 
+func NewDCLCloudResourceManagerClient(config *Config, userAgent, billingProject string) *cloudresourcemanager.Client {
+	configOptions := []dcl.ConfigOption{
+		dcl.WithHTTPClient(config.client),
+		dcl.WithUserAgent(userAgent),
+		dcl.WithLogger(dclLogger{}),
+		dcl.WithBasePath(config.CloudResourceManagerBasePath),
+	}
+
+	if config.UserProjectOverride {
+		configOptions = append(configOptions, dcl.WithUserProjectOverride())
+		if billingProject != "" {
+			configOptions = append(configOptions, dcl.WithBillingProject(billingProject))
+		}
+	}
+
+	dclConfig := dcl.NewConfig(configOptions...)
+	return cloudresourcemanager.NewClient(dclConfig)
+}
+
 func NewDCLComputeClient(config *Config, userAgent, billingProject string) *compute.Client {
 	configOptions := []dcl.ConfigOption{
 		dcl.WithHTTPClient(config.client),
@@ -101,6 +122,25 @@ func NewDCLEventarcClient(config *Config, userAgent, billingProject string) *eve
 	return eventarc.NewClient(dclConfig)
 }
 
+func NewDCLOrgPolicyClient(config *Config, userAgent, billingProject string) *orgpolicy.Client {
+	configOptions := []dcl.ConfigOption{
+		dcl.WithHTTPClient(config.client),
+		dcl.WithUserAgent(userAgent),
+		dcl.WithLogger(dclLogger{}),
+		dcl.WithBasePath(config.OrgPolicyBasePath),
+	}
+
+	if config.UserProjectOverride {
+		configOptions = append(configOptions, dcl.WithUserProjectOverride())
+		if billingProject != "" {
+			configOptions = append(configOptions, dcl.WithBillingProject(billingProject))
+		}
+	}
+
+	dclConfig := dcl.NewConfig(configOptions...)
+	return orgpolicy.NewClient(dclConfig)
+}
+
 func NewDCLPrivatecaClient(config *Config, userAgent, billingProject string) *privateca.Client {
 	configOptions := []dcl.ConfigOption{
 		dcl.WithHTTPClient(config.client),

diff --git a/google/provider_dcl_endpoints.go b/google/provider_dcl_endpoints.go
@@ -31,6 +31,15 @@ var AssuredWorkloadsEndpointEntry = &schema.Schema{
 	}, ""),
 }
 
+var CloudResourceManagerEndpointEntryKey = "cloud_resource_manager_custom_endpoint"
+var CloudResourceManagerEndpointEntry = &schema.Schema{
+	Type:     schema.TypeString,
+	Optional: true,
+	DefaultFunc: schema.MultiEnvDefaultFunc([]string{
+		"GOOGLE_CLOUD_RESOURCE_MANAGER_CUSTOM_ENDPOINT",
+	}, ""),
+}
+
 var ComputeEndpointEntryKey = "compute_custom_endpoint"
 var ComputeEndpointEntry = &schema.Schema{
 	Type:     schema.TypeString,
@@ -49,6 +58,15 @@ var EventarcEndpointEntry = &schema.Schema{
 	}, ""),
 }
 
+var OrgPolicyEndpointEntryKey = "org_policy_custom_endpoint"
+var OrgPolicyEndpointEntry = &schema.Schema{
+	Type:     schema.TypeString,
+	Optional: true,
+	DefaultFunc: schema.MultiEnvDefaultFunc([]string{
+		"GOOGLE_ORG_POLICY_CUSTOM_ENDPOINT",
+	}, ""),
+}
+
 var PrivatecaEndpointEntryKey = "privateca_custom_endpoint"
 var PrivatecaEndpointEntry = &schema.Schema{
 	Type:     schema.TypeString,
@@ -60,18 +78,24 @@ var PrivatecaEndpointEntry = &schema.Schema{
 
 //Add new values to config.go.erb config object declaration
 //AssuredWorkloadsBasePath string
+//CloudResourceManagerBasePath string
 //ComputeBasePath string
 //EventarcBasePath string
+//OrgPolicyBasePath string
 //PrivatecaBasePath string
 
 //Add new values to provider.go.erb schema initialization
 // AssuredWorkloadsEndpointEntryKey:               AssuredWorkloadsEndpointEntry,
+// CloudResourceManagerEndpointEntryKey:               CloudResourceManagerEndpointEntry,
 // ComputeEndpointEntryKey:               ComputeEndpointEntry,
 // EventarcEndpointEntryKey:               EventarcEndpointEntry,
+// OrgPolicyEndpointEntryKey:               OrgPolicyEndpointEntry,
 // PrivatecaEndpointEntryKey:               PrivatecaEndpointEntry,
 
 //Add new values to provider.go.erb - provider block read
 // config.AssuredWorkloadsBasePath = d.Get(AssuredWorkloadsEndpointEntryKey).(string)
+// config.CloudResourceManagerBasePath = d.Get(CloudResourceManagerEndpointEntryKey).(string)
 // config.ComputeBasePath = d.Get(ComputeEndpointEntryKey).(string)
 // config.EventarcBasePath = d.Get(EventarcEndpointEntryKey).(string)
+// config.OrgPolicyBasePath = d.Get(OrgPolicyEndpointEntryKey).(string)
 // config.PrivatecaBasePath = d.Get(PrivatecaEndpointEntryKey).(string)
diff --git a/google/resource_assured_workloads_workload.go b/google/resource_assured_workloads_workload.go
@@ -209,7 +209,7 @@ func resourceAssuredWorkloadsWorkloadCreate(d *schema.ResourceData, meta interfa
 
 	id, err := replaceVarsForId(d, config, "organizations/{{organization}}/locations/{{location}}/workloads/{{name}}")
 	if err != nil {
-		return fmt.Errorf("Error constructing id: %s", err)
+		return fmt.Errorf("error constructing id: %s", err)
 	}
 	d.SetId(id)
 	createDirective := CreateDirective

diff --git a/google/resource_compute_firewall_policy.go b/google/resource_compute_firewall_policy.go
@@ -122,7 +122,7 @@ func resourceComputeFirewallPolicyCreate(d *schema.ResourceData, meta interface{
 
 	id, err := replaceVars(d, config, "locations/global/firewallPolicies/{{name}}")
 	if err != nil {
-		return fmt.Errorf("Error constructing id: %s", err)
+		return fmt.Errorf("error constructing id: %s", err)
 	}
 	d.SetId(id)
 	createDirective := CreateDirective

diff --git a/google/resource_compute_firewall_policy_association.go b/google/resource_compute_firewall_policy_association.go
@@ -86,7 +86,7 @@ func resourceComputeFirewallPolicyAssociationCreate(d *schema.ResourceData, meta
 
 	id, err := replaceVarsForId(d, config, "locations/global/firewallPolicies/{{firewall_policy}}/associations/{{name}}")
 	if err != nil {
-		return fmt.Errorf("Error constructing id: %s", err)
+		return fmt.Errorf("error constructing id: %s", err)
 	}
 	d.SetId(id)
 	createDirective := CreateDirective

diff --git a/google/resource_compute_firewall_policy_rule.go b/google/resource_compute_firewall_policy_rule.go
@@ -192,7 +192,7 @@ func resourceComputeFirewallPolicyRuleCreate(d *schema.ResourceData, meta interf
 
 	id, err := replaceVarsForId(d, config, "locations/global/firewallPolicies/{{firewall_policy}}/rules/{{priority}}")
 	if err != nil {
-		return fmt.Errorf("Error constructing id: %s", err)
+		return fmt.Errorf("error constructing id: %s", err)
 	}
 	d.SetId(id)
 	createDirective := CreateDirective

diff --git a/google/resource_compute_forwarding_rule.go b/google/resource_compute_forwarding_rule.go
@@ -259,7 +259,7 @@ func resourceComputeForwardingRuleCreate(d *schema.ResourceData, meta interface{
 
 	id, err := replaceVarsForId(d, config, "projects/{{project}}/regions/{{region}}/forwardingRules/{{name}}")
 	if err != nil {
-		return fmt.Errorf("Error constructing id: %s", err)
+		return fmt.Errorf("error constructing id: %s", err)
 	}
 	d.SetId(id)
 	createDirective := CreateDirective

diff --git a/google/resource_compute_global_forwarding_rule.go b/google/resource_compute_global_forwarding_rule.go
@@ -222,7 +222,7 @@ func resourceComputeGlobalForwardingRuleCreate(d *schema.ResourceData, meta inte
 
 	id, err := replaceVarsForId(d, config, "projects/{{project}}/global/forwardingRules/{{name}}")
 	if err != nil {
-		return fmt.Errorf("Error constructing id: %s", err)
+		return fmt.Errorf("error constructing id: %s", err)
 	}
 	d.SetId(id)
 	createDirective := CreateDirective

diff --git a/google/resource_dataproc_workflow_template.go b/google/resource_dataproc_workflow_template.go
@@ -1735,7 +1735,7 @@ func resourceDataprocWorkflowTemplateCreate(d *schema.ResourceData, meta interfa
 
 	id, err := replaceVarsForId(d, config, "projects/{{project}}/locations/{{location}}/workflowTemplates/{{name}}")
 	if err != nil {
-		return fmt.Errorf("Error constructing id: %s", err)
+		return fmt.Errorf("error constructing id: %s", err)
 	}
 	d.SetId(id)
 	createDirective := CreateDirective

diff --git a/google/resource_eventarc_trigger.go b/google/resource_eventarc_trigger.go
@@ -253,7 +253,7 @@ func resourceEventarcTriggerCreate(d *schema.ResourceData, meta interface{}) err
 
 	id, err := replaceVarsForId(d, config, "projects/{{project}}/locations/{{location}}/triggers/{{name}}")
 	if err != nil {
-		return fmt.Errorf("Error constructing id: %s", err)
+		return fmt.Errorf("error constructing id: %s", err)
 	}
 	d.SetId(id)
 	createDirective := CreateDirective