diff --git a/google/resource_google_folder_organization_policy.go b/google/resource_google_folder_organization_policy.go index 8e4b2bea9ac..ebf367fdc0f 100644 --- a/google/resource_google_folder_organization_policy.go +++ b/google/resource_google_folder_organization_policy.go @@ -51,12 +51,16 @@ func resourceFolderOrgPolicyImporter(d *schema.ResourceData, meta interface{}) ( } func resourceGoogleFolderOrganizationPolicyCreate(d *schema.ResourceData, meta interface{}) error { + d.SetId(fmt.Sprintf("%s:%s", d.Get("folder"), d.Get("constraint"))) + + if isOrganizationPolicyUnset(d) { + return resourceGoogleFolderOrganizationPolicyDelete(d, meta) + } + if err := setFolderOrganizationPolicy(d, meta); err != nil { return err } - d.SetId(fmt.Sprintf("%s:%s", d.Get("folder"), d.Get("constraint"))) - return resourceGoogleFolderOrganizationPolicyRead(d, meta) } @@ -84,6 +88,10 @@ func resourceGoogleFolderOrganizationPolicyRead(d *schema.ResourceData, meta int } func resourceGoogleFolderOrganizationPolicyUpdate(d *schema.ResourceData, meta interface{}) error { + if isOrganizationPolicyUnset(d) { + return resourceGoogleFolderOrganizationPolicyDelete(d, meta) + } + if err := setFolderOrganizationPolicy(d, meta); err != nil { return err } diff --git a/google/resource_google_organization_policy.go b/google/resource_google_organization_policy.go index 5922ad3adb8..2c7f96e185e 100644 --- a/google/resource_google_organization_policy.go +++ b/google/resource_google_organization_policy.go @@ -144,12 +144,16 @@ func resourceGoogleOrganizationPolicy() *schema.Resource { } func resourceGoogleOrganizationPolicyCreate(d *schema.ResourceData, meta interface{}) error { + d.SetId(fmt.Sprintf("%s:%s", d.Get("org_id"), d.Get("constraint").(string))) + + if isOrganizationPolicyUnset(d) { + return resourceGoogleOrganizationPolicyDelete(d, meta) + } + if err := setOrganizationPolicy(d, meta); err != nil { return err } - d.SetId(fmt.Sprintf("%s:%s", d.Get("org_id"), d.Get("constraint").(string))) - return resourceGoogleOrganizationPolicyRead(d, meta) } @@ -177,6 +181,10 @@ func resourceGoogleOrganizationPolicyRead(d *schema.ResourceData, meta interface } func resourceGoogleOrganizationPolicyUpdate(d *schema.ResourceData, meta interface{}) error { + if isOrganizationPolicyUnset(d) { + return resourceGoogleOrganizationPolicyDelete(d, meta) + } + if err := setOrganizationPolicy(d, meta); err != nil { return err } @@ -211,6 +219,19 @@ func resourceGoogleOrganizationPolicyImportState(d *schema.ResourceData, meta in return []*schema.ResourceData{d}, nil } +// Organization policies can be "inherited from parent" the UI, and this is the default +// state of the resource without any policy set. In order to revert to this state the current +// resource cannot be updated it must instead be Deleted. This allows Terraform to assert that +// no policy has been set even if previously one had. +// See https://github.com/terraform-providers/terraform-provider-google/issues/3607 +func isOrganizationPolicyUnset(d *schema.ResourceData) bool { + listPolicy := d.Get("list_policy").([]interface{}) + booleanPolicy := d.Get("boolean_policy").([]interface{}) + restorePolicy := d.Get("restore_policy").([]interface{}) + + return len(listPolicy)+len(booleanPolicy)+len(restorePolicy) == 0 +} + func setOrganizationPolicy(d *schema.ResourceData, meta interface{}) error { config := meta.(*Config) org := "organizations/" + d.Get("org_id").(string) diff --git a/google/resource_google_project_organization_policy.go b/google/resource_google_project_organization_policy.go index c72c0f74df0..f509782ab28 100644 --- a/google/resource_google_project_organization_policy.go +++ b/google/resource_google_project_organization_policy.go @@ -50,12 +50,16 @@ func resourceProjectOrgPolicyImporter(d *schema.ResourceData, meta interface{}) } func resourceGoogleProjectOrganizationPolicyCreate(d *schema.ResourceData, meta interface{}) error { + d.SetId(fmt.Sprintf("%s:%s", d.Get("project"), d.Get("constraint"))) + + if isOrganizationPolicyUnset(d) { + return resourceGoogleProjectOrganizationPolicyDelete(d, meta) + } + if err := setProjectOrganizationPolicy(d, meta); err != nil { return err } - d.SetId(fmt.Sprintf("%s:%s", d.Get("project"), d.Get("constraint"))) - return resourceGoogleProjectOrganizationPolicyRead(d, meta) } @@ -83,6 +87,10 @@ func resourceGoogleProjectOrganizationPolicyRead(d *schema.ResourceData, meta in } func resourceGoogleProjectOrganizationPolicyUpdate(d *schema.ResourceData, meta interface{}) error { + if isOrganizationPolicyUnset(d) { + return resourceGoogleProjectOrganizationPolicyDelete(d, meta) + } + if err := setProjectOrganizationPolicy(d, meta); err != nil { return err } diff --git a/google/resource_google_project_organization_policy_test.go b/google/resource_google_project_organization_policy_test.go index 319b92d1dd1..415dfcb5351 100644 --- a/google/resource_google_project_organization_policy_test.go +++ b/google/resource_google_project_organization_policy_test.go @@ -22,6 +22,7 @@ func TestAccProjectOrganizationPolicy(t *testing.T) { "list_denySome": testAccProjectOrganizationPolicy_list_denySome, "list_update": testAccProjectOrganizationPolicy_list_update, "restore_policy": testAccProjectOrganizationPolicy_restore_defaultTrue, + "empty_policy": testAccProjectOrganizationPolicy_none, } for name, tc := range testCases { @@ -179,6 +180,27 @@ func testAccProjectOrganizationPolicy_restore_defaultTrue(t *testing.T) { }) } +func testAccProjectOrganizationPolicy_none(t *testing.T) { + projectId := getTestProjectFromEnv() + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckGoogleProjectOrganizationPolicyDestroy, + Steps: []resource.TestStep{ + { + Config: testAccProjectOrganizationPolicyConfig_none(projectId), + Check: testAccCheckGoogleProjectOrganizationPolicyDestroy, + }, + { + ResourceName: "google_project_organization_policy.none", + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + func testAccCheckGoogleProjectOrganizationPolicyDestroy(s *terraform.State) error { config := testAccProvider.Meta().(*Config) @@ -387,6 +409,15 @@ resource "google_project_organization_policy" "restore" { `, pid) } +func testAccProjectOrganizationPolicyConfig_none(pid string) string { + return fmt.Sprintf(` +resource "google_project_organization_policy" "none" { + project = "%s" + constraint = "constraints/serviceuser.services" +} +`, pid) +} + func canonicalProjectId(project string) string { if strings.HasPrefix(project, "projects/") { return project diff --git a/website/docs/r/google_folder_organization_policy.html.markdown b/website/docs/r/google_folder_organization_policy.html.markdown index 3ada600a742..99461b418eb 100644 --- a/website/docs/r/google_folder_organization_policy.html.markdown +++ b/website/docs/r/google_folder_organization_policy.html.markdown @@ -94,6 +94,9 @@ can also be used to allow or deny all values. Structure is documented below. * `restore_policy` - (Optional) A restore policy is a constraint to restore the default policy. Structure is documented below. +~> **Note:** If none of [`boolean_policy`, `list_policy`, `restore_policy`] are defined the policy for a given constraint will +effectively be unset. This is represented in the UI as the constraint being 'Inherited'. + - - - The `boolean_policy` block supports: diff --git a/website/docs/r/google_organization_policy.html.markdown b/website/docs/r/google_organization_policy.html.markdown index 2e939fd4c9a..424c094ac18 100644 --- a/website/docs/r/google_organization_policy.html.markdown +++ b/website/docs/r/google_organization_policy.html.markdown @@ -86,11 +86,14 @@ The following arguments are supported: * `version` - (Optional) Version of the Policy. Default version is 0. -* `boolean_policy` - (Optional) A boolean policy is a constraint that is either enforced or not. Structure is documented below. +* `boolean_policy` - (Optional) A boolean policy is a constraint that is either enforced or not. Structure is documented below. * `list_policy` - (Optional) A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below. -* `restore_policy` - (Optional) A restore policy is a constraint to restore the default policy. Structure is documented below. +* `restore_policy` - (Optional) A restore policy is a constraint to restore the default policy. Structure is documented below. + +~> **Note:** If none of [`boolean_policy`, `list_policy`, `restore_policy`] are defined the policy for a given constraint will +effectively be unset. This is represented in the UI as the constraint being 'Inherited'. - - - @@ -122,7 +125,7 @@ The `restore_policy` block supports: In addition to the arguments listed above, the following computed attributes are exported: -* `etag` - (Computed) The etag of the organization policy. `etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. +* `etag` - (Computed) The etag of the organization policy. `etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. * `update_time` - (Computed) The timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds, representing when the variable was last updated. Example: "2016-10-09T12:33:37.578138407Z". diff --git a/website/docs/r/google_project_organization_policy.html.markdown b/website/docs/r/google_project_organization_policy.html.markdown index 07c266f8d44..7c45da318c9 100644 --- a/website/docs/r/google_project_organization_policy.html.markdown +++ b/website/docs/r/google_project_organization_policy.html.markdown @@ -93,6 +93,9 @@ The following arguments are supported: * `restore_policy` - (Optional) A restore policy is a constraint to restore the default policy. Structure is documented below. +~> **Note:** If none of [`boolean_policy`, `list_policy`, `restore_policy`] are defined the policy for a given constraint will +effectively be unset. This is represented in the UI as the constraint being 'Inherited'. + - - - The `boolean_policy` block supports: