Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add parameters to google_org_policy_policy #20647

Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions .changelog/12008.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:enhancement
orgpolicy: added `parameters` fields to `google_org_policy_policy` resource (beta)
```
101 changes: 91 additions & 10 deletions google/services/orgpolicy/resource_org_policy_policy.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@
package orgpolicy

import (
"encoding/json"
"fmt"
"log"
"net/http"
Expand All @@ -27,6 +28,8 @@ import (
"time"

"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/structure"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"

"github.com/hashicorp/terraform-provider-google/google/tpgresource"
transport_tpg "github.com/hashicorp/terraform-provider-google/google/transport"
Expand Down Expand Up @@ -139,6 +142,13 @@ func ResourceOrgPolicyPolicy() *schema.Resource {
Optional: true,
Description: `If '"TRUE"', then the 'Policy' is enforced. If '"FALSE"', then any configuration is acceptable. This field can be set only in Policies for boolean constraints.`,
},
"parameters": {
Type: schema.TypeString,
Optional: true,
ValidateFunc: validation.StringIsJSON,
StateFunc: func(v interface{}) string { s, _ := structure.NormalizeJsonString(v); return s },
Description: `Optional. Required for Managed Constraints if parameters defined in constraints. Pass parameter values when policy enforcement is enabled. Ensure that parameter value types match those defined in the constraint definition. For example: { \"allowedLocations\" : [\"us-east1\", \"us-west1\"], \"allowAll\" : true }`,
},
"values": {
Type: schema.TypeList,
Optional: true,
Expand Down Expand Up @@ -250,6 +260,13 @@ func ResourceOrgPolicyPolicy() *schema.Resource {
Optional: true,
Description: `If '"TRUE"', then the 'Policy' is enforced. If '"FALSE"', then any configuration is acceptable. This field can be set only in Policies for boolean constraints.`,
},
"parameters": {
Type: schema.TypeString,
Optional: true,
ValidateFunc: validation.StringIsJSON,
StateFunc: func(v interface{}) string { s, _ := structure.NormalizeJsonString(v); return s },
Description: `Optional. Required for Managed Constraints if parameters defined in constraints. Pass parameter values when policy enforcement is enabled. Ensure that parameter value types match those defined in the constraint definition. For example: { \"allowedLocations\" : [\"us-east1\", \"us-west1\"], \"allowAll\" : true }`,
},
"values": {
Type: schema.TypeList,
Optional: true,
Expand Down Expand Up @@ -609,11 +626,12 @@ func flattenOrgPolicyPolicySpecRules(v interface{}, d *schema.ResourceData, conf
continue
}
transformed = append(transformed, map[string]interface{}{
"values": flattenOrgPolicyPolicySpecRulesValues(original["values"], d, config),
"allow_all": flattenOrgPolicyPolicySpecRulesAllowAll(original["allowAll"], d, config),
"deny_all": flattenOrgPolicyPolicySpecRulesDenyAll(original["denyAll"], d, config),
"enforce": flattenOrgPolicyPolicySpecRulesEnforce(original["enforce"], d, config),
"condition": flattenOrgPolicyPolicySpecRulesCondition(original["condition"], d, config),
"values": flattenOrgPolicyPolicySpecRulesValues(original["values"], d, config),
"allow_all": flattenOrgPolicyPolicySpecRulesAllowAll(original["allowAll"], d, config),
"deny_all": flattenOrgPolicyPolicySpecRulesDenyAll(original["denyAll"], d, config),
"enforce": flattenOrgPolicyPolicySpecRulesEnforce(original["enforce"], d, config),
"parameters": flattenOrgPolicyPolicySpecRulesParameters(original["parameters"], d, config),
"condition": flattenOrgPolicyPolicySpecRulesCondition(original["condition"], d, config),
})
}
return transformed
Expand Down Expand Up @@ -662,6 +680,18 @@ func flattenOrgPolicyPolicySpecRulesEnforce(v interface{}, d *schema.ResourceDat
return strings.ToUpper(strconv.FormatBool(v.(bool)))
}

func flattenOrgPolicyPolicySpecRulesParameters(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
if v == nil {
return nil
}
b, err := json.Marshal(v)
if err != nil {
// TODO: return error once https://github.com/GoogleCloudPlatform/magic-modules/issues/3257 is fixed.
log.Printf("[ERROR] failed to marshal schema to JSON: %v", err)
}
return string(b)
}

func flattenOrgPolicyPolicySpecRulesCondition(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
if v == nil {
return nil
Expand Down Expand Up @@ -747,11 +777,12 @@ func flattenOrgPolicyPolicyDryRunSpecRules(v interface{}, d *schema.ResourceData
continue
}
transformed = append(transformed, map[string]interface{}{
"values": flattenOrgPolicyPolicyDryRunSpecRulesValues(original["values"], d, config),
"allow_all": flattenOrgPolicyPolicyDryRunSpecRulesAllowAll(original["allowAll"], d, config),
"deny_all": flattenOrgPolicyPolicyDryRunSpecRulesDenyAll(original["denyAll"], d, config),
"enforce": flattenOrgPolicyPolicyDryRunSpecRulesEnforce(original["enforce"], d, config),
"condition": flattenOrgPolicyPolicyDryRunSpecRulesCondition(original["condition"], d, config),
"values": flattenOrgPolicyPolicyDryRunSpecRulesValues(original["values"], d, config),
"allow_all": flattenOrgPolicyPolicyDryRunSpecRulesAllowAll(original["allowAll"], d, config),
"deny_all": flattenOrgPolicyPolicyDryRunSpecRulesDenyAll(original["denyAll"], d, config),
"enforce": flattenOrgPolicyPolicyDryRunSpecRulesEnforce(original["enforce"], d, config),
"parameters": flattenOrgPolicyPolicyDryRunSpecRulesParameters(original["parameters"], d, config),
"condition": flattenOrgPolicyPolicyDryRunSpecRulesCondition(original["condition"], d, config),
})
}
return transformed
Expand Down Expand Up @@ -800,6 +831,18 @@ func flattenOrgPolicyPolicyDryRunSpecRulesEnforce(v interface{}, d *schema.Resou
return strings.ToUpper(strconv.FormatBool(v.(bool)))
}

func flattenOrgPolicyPolicyDryRunSpecRulesParameters(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
if v == nil {
return nil
}
b, err := json.Marshal(v)
if err != nil {
// TODO: return error once https://github.com/GoogleCloudPlatform/magic-modules/issues/3257 is fixed.
log.Printf("[ERROR] failed to marshal schema to JSON: %v", err)
}
return string(b)
}

func flattenOrgPolicyPolicyDryRunSpecRulesCondition(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
if v == nil {
return nil
Expand Down Expand Up @@ -944,6 +987,13 @@ func expandOrgPolicyPolicySpecRules(v interface{}, d tpgresource.TerraformResour
transformed["enforce"] = transformedEnforce
}

transformedParameters, err := expandOrgPolicyPolicySpecRulesParameters(original["parameters"], d, config)
if err != nil {
return nil, err
} else if val := reflect.ValueOf(transformedParameters); val.IsValid() && !tpgresource.IsEmptyValue(val) {
transformed["parameters"] = transformedParameters
}

transformedCondition, err := expandOrgPolicyPolicySpecRulesCondition(original["condition"], d, config)
if err != nil {
return nil, err
Expand Down Expand Up @@ -1026,6 +1076,18 @@ func expandOrgPolicyPolicySpecRulesEnforce(v interface{}, d tpgresource.Terrafor
return b, nil
}

func expandOrgPolicyPolicySpecRulesParameters(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
b := []byte(v.(string))
if len(b) == 0 {
return nil, nil
}
m := make(map[string]interface{})
if err := json.Unmarshal(b, &m); err != nil {
return nil, err
}
return m, nil
}

func expandOrgPolicyPolicySpecRulesCondition(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
l := v.([]interface{})
if len(l) == 0 || l[0] == nil {
Expand Down Expand Up @@ -1183,6 +1245,13 @@ func expandOrgPolicyPolicyDryRunSpecRules(v interface{}, d tpgresource.Terraform
transformed["enforce"] = transformedEnforce
}

transformedParameters, err := expandOrgPolicyPolicyDryRunSpecRulesParameters(original["parameters"], d, config)
if err != nil {
return nil, err
} else if val := reflect.ValueOf(transformedParameters); val.IsValid() && !tpgresource.IsEmptyValue(val) {
transformed["parameters"] = transformedParameters
}

transformedCondition, err := expandOrgPolicyPolicyDryRunSpecRulesCondition(original["condition"], d, config)
if err != nil {
return nil, err
Expand Down Expand Up @@ -1265,6 +1334,18 @@ func expandOrgPolicyPolicyDryRunSpecRulesEnforce(v interface{}, d tpgresource.Te
return b, nil
}

func expandOrgPolicyPolicyDryRunSpecRulesParameters(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
b := []byte(v.(string))
if len(b) == 0 {
return nil, nil
}
m := make(map[string]interface{})
if err := json.Unmarshal(b, &m); err != nil {
return nil, err
}
return m, nil
}

func expandOrgPolicyPolicyDryRunSpecRulesCondition(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
l := v.([]interface{})
if len(l) == 0 || l[0] == nil {
Expand Down
103 changes: 103 additions & 0 deletions google/services/orgpolicy/resource_org_policy_policy_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -460,3 +460,106 @@ func testAccCheckOrgPolicyPolicyDestroyProducer(t *testing.T) func(s *terraform.
return nil
}
}
func TestAccOrgPolicyPolicy_EnforceParameterizedMCPolicy(t *testing.T) {
// Skip this test as no constraints yet launched in production, verified functionality with manual testing.
t.Skip()
t.Parallel()

context := map[string]interface{}{
"org_id": envvar.GetTestOrgFromEnv(t),
"random_suffix": acctest.RandString(t, 10),
}

acctest.VcrTest(t, resource.TestCase{
PreCheck: func() { acctest.AccTestPreCheck(t) },
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
CheckDestroy: testAccCheckOrgPolicyPolicyDestroyProducer(t),
Steps: []resource.TestStep{
{
Config: testAccOrgPolicyPolicy_EnforceParameterizedMCPolicy(context),
},
{
ResourceName: "google_org_policy_policy.primary",
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"name", "spec.0.rules.0.condition.0.expression"},
},
},
})
}
func testAccOrgPolicyPolicy_EnforceParameterizedMCPolicy(context map[string]interface{}) string {
return acctest.Nprintf(`
resource "google_org_policy_policy" "primary" {
name = "projects/${google_project.basic.name}/policies/essentialcontacts.managed.allowedContactDomains"
parent = "projects/${google_project.basic.name}"

spec {
rules {
enforce = "TRUE"
parameters = "{\"allowedDomains\": [\"@google.com\"]}"
}
}
}

resource "google_project" "basic" {
project_id = "tf-test-id%{random_suffix}"
name = "tf-test-id%{random_suffix}"
org_id = "%{org_id}"
deletion_policy = "DELETE"
}


`, context)
}

func TestAccOrgPolicyPolicy_EnforceParameterizedMCDryRunPolicy(t *testing.T) {
// Skip this test as no constraints yet launched in production, verified functionality with manual testing.
t.Skip()
t.Parallel()

context := map[string]interface{}{
"org_id": envvar.GetTestOrgFromEnv(t),
"random_suffix": acctest.RandString(t, 10),
}

acctest.VcrTest(t, resource.TestCase{
PreCheck: func() { acctest.AccTestPreCheck(t) },
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
CheckDestroy: testAccCheckOrgPolicyPolicyDestroyProducer(t),
Steps: []resource.TestStep{
{
Config: testAccOrgPolicyPolicy_EnforceParameterizedMCDryRunPolicy(context),
},
{
ResourceName: "google_org_policy_policy.primary",
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"name", "spec.0.rules.0.condition.0.expression"},
},
},
})
}
func testAccOrgPolicyPolicy_EnforceParameterizedMCDryRunPolicy(context map[string]interface{}) string {
return acctest.Nprintf(`
resource "google_org_policy_policy" "primary" {
name = "projects/${google_project.basic.name}/policies/essentialcontacts.managed.allowedContactDomains"
parent = "projects/${google_project.basic.name}"

dry_run_spec {
rules {
enforce = "TRUE"
parameters = "{\"allowedDomains\": [\"@google.com\"]}"
}
}
}

resource "google_project" "basic" {
project_id = "tf-test-id%{random_suffix}"
name = "tf-test-id%{random_suffix}"
org_id = "%{org_id}"
deletion_policy = "DELETE"
}


`, context)
}
31 changes: 31 additions & 0 deletions website/docs/r/org_policy_policy.html.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -157,6 +157,29 @@ resource "google_org_policy_policy" "primary" {
}
}
```
## Example Usage - Org Policy Policy Parameters Enforce


```hcl
resource "google_org_policy_policy" "primary" {
name = "projects/${google_project.basic.name}/policies/compute.managed.restrictDiskCreation"
parent = "projects/${google_project.basic.name}"

spec {
rules {
enforce = "TRUE"
parameters = jsonencode({"isSizeLimitCheck" : true, "allowedDiskTypes" : ["pd-ssd", "pd-standard"]})
}
}
}

resource "google_project" "basic" {
project_id = "id"
name = "id"
org_id = "123456789"
deletion_policy = "DELETE"
}
```

## Argument Reference

Expand Down Expand Up @@ -229,6 +252,10 @@ The following arguments are supported:
(Optional)
If `"TRUE"`, then the `Policy` is enforced. If `"FALSE"`, then any configuration is acceptable. This field can be set only in Policies for boolean constraints.

* `parameters` -
(Optional)
Optional. Required for Managed Constraints if parameters defined in constraints. Pass parameter values when policy enforcement is enabled. Ensure that parameter value types match those defined in the constraint definition. For example: { \"allowedLocations\" : [\"us-east1\", \"us-west1\"], \"allowAll\" : true }

* `condition` -
(Optional)
A condition which determines whether this rule is used in the evaluation of the policy. When set, the `expression` field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')".
Expand Down Expand Up @@ -306,6 +333,10 @@ The following arguments are supported:
(Optional)
If `"TRUE"`, then the `Policy` is enforced. If `"FALSE"`, then any configuration is acceptable. This field can be set only in Policies for boolean constraints.

* `parameters` -
(Optional)
Optional. Required for Managed Constraints if parameters defined in constraints. Pass parameter values when policy enforcement is enabled. Ensure that parameter value types match those defined in the constraint definition. For example: { \"allowedLocations\" : [\"us-east1\", \"us-west1\"], \"allowAll\" : true }

* `condition` -
(Optional)
A condition which determines whether this rule is used in the evaluation of the policy. When set, the `expression` field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')".
Expand Down
Loading