Merge pull request #626 from inspec/CHEF-7347-V3-MAGIC-MODULE-orgpoli…

…cy_v2-Folders__constraint

CHEF-7347-V3-MAGIC-MODULE-orgpolicy_v2-Folders__constraint - Resource Implementation

README.md

@@ -316,6 +316,8 @@ The following resources are available in the InSpec GCP Profile
 | [google_memcache_instance](docs/resources/google_memcache_instance.md)                                               | [google_memcache_instances](docs/resources/google_memcache_instances.md)                                                       |
 | [google_ml_engine_model](docs/resources/google_ml_engine_model.md)                                                   | [google_ml_engine_models](docs/resources/google_ml_engine_models.md)                                                           |
 | [google_organization](docs/resources/google_organization.md)                                                         | [google_organizations](docs/resources/google_organizations.md)                                                                 |
+| No Singular Resource                                                |              [google_orgpolicy_folder_constraints](docs/resources/google_orgpolicy_folder_constraints.md)                                                                                                |
+| No Singular Resource                                                |              [google_orgpolicy_organization_constraints](docs/resources/google_orgpolicy_project_constraints.md)                                                                                                |
 | [google_orgpolicy_organization_policy](docs/resources/google_orgpolicy_organization_policy.md)   | [google_orgpolicy_organization_policies](docs/resources/google_orgpolicy_organization_policies.md)                                                                 |
 | No Singular Resource                                                |              [google_orgpolicy_project_constraints](docs/resources/google_orgpolicy_project_constraints.md)                                                                                                |
 | [google_organization_iam_binding](docs/resources/google_organization_iam_binding.md)                                 | No Plural Resource                                                                                                             |

docs/resources/google_orgpolicy_folder_constraints.md

@@ -0,0 +1,50 @@
+---
+title: About the google_orgpolicy_folder_constraints resource
+platform: gcp
+---
+
+## Syntax
+A `google_orgpolicy_folder_constraints` is used to test a Google FolderConstraint resource
+
+## Examples
+```
+  describe google_orgpolicy_folder_constraints(parent: ' value_parent') do
+    it { should exist }
+    its('names') { should include 'value_name'}
+    its('display_names') { should include 'value_displayName'}
+    its('descriptions') { should include 'value_description'}
+    its('constraint_defaults') { should include 'value_constraint_default'}
+    its('list_constraints') { should include 'value_list_constraint'}
+  end
+```
+
+## Properties
+Properties that can be accessed from the `google_orgpolicy_folder_constraints` resource:
+
+  * `display_names`: The human readable name. Mutable.
+
+  * `descriptions`: Detailed description of what this constraint controls as well as how and where it is enforced. Mutable.
+
+  * `constraint_defaults`: The evaluation behavior of this constraint in the absence of a policy.
+  Possible values:
+    * CONSTRAINT_DEFAULT_UNSPECIFIED
+    * ALLOW
+    * DENY
+
+  * `supports_dry_runs`: Shows if dry run is supported for this constraint or not.
+
+  * `names`: Immutable. The resource name of the constraint. Must be in one of the following forms: * `projects/{project_number}/constraints/{constraint_name}` * `folders/{folder_id}/constraints/{constraint_name}` * `organizations/{organization_id}/constraints/{constraint_name}` For example, "/projects/123/constraints/compute.disableSerialPortAccess".
+
+  * `list_constraints`: A constraint that allows or disallows a list of string values, which are configured by an Organization Policy administrator with a policy.
+
+    * `supports_under`: Indicates whether subtrees of the Resource Manager resource hierarchy can be used in `Policy.allowed_values` and `Policy.denied_values`. For example, `"under:folders/123"` would match any resource under the 'folders/123' folder.
+
+    * `supports_in`: Indicates whether values grouped into categories can be used in `Policy.allowed_values` and `Policy.denied_values`. For example, `"in:Python"` would match any value in the 'Python' group.
+
+## Filter Criteria
+This resource supports all of the above properties as filter criteria, which can be used
+with `where` as a block or a method.
+
+## GCP Permissions
+
+Ensure the [https://orgpolicy.googleapis.com/](https://console.cloud.google.com/apis/library/orgpolicy.googleapis.com/) is enabled for the current project.

libraries/google_orgpolicy_folder_constraints.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: false
+
+# ----------------------------------------------------------------------------
+#
+#     ***     AUTO GENERATED CODE    ***    Type: MMv1     ***
+#
+# ----------------------------------------------------------------------------
+#
+#     This file is automatically generated by Magic Modules and manual
+#     changes will be clobbered when the file is regenerated.
+#
+#     Please read more about how to change this file in README.md and
+#     CONTRIBUTING.md located at the root of this package.
+#
+# ----------------------------------------------------------------------------
+require 'gcp_backend'
+require 'google/orgpolicy/property/list_constraint'
+class OrgpolicyFolderConstraints < GcpResourceBase
+  name 'google_orgpolicy_folder_constraints'
+  desc 'FolderConstraint plural resource'
+  supports platform: 'gcp'
+
+  attr_reader :table
+
+  filter_table_config = FilterTable.create
+
+  filter_table_config.add(:names, field: :name)
+  filter_table_config.add(:display_names, field: :displayName)
+  filter_table_config.add(:descriptions, field: :description)
+  filter_table_config.add(:constraint_defaults, field: :constraintDefault)
+  filter_table_config.add(:list_constraints, field: :listConstraint)
+  filter_table_config.add(:supports_dry_runs, field: :supportsDryRun)
+  filter_table_config.connect(self, :table)
+
+  def initialize(params = {})
+    super(params.merge({ use_http_transport: true }))
+    @params = params
+    @table = fetch_wrapped_resource('constraints')
+  end
+
+  def fetch_wrapped_resource(wrap_path)
+    # fetch_resource returns an array of responses (to handle pagination)
+    result = @connection.fetch_all(product_url, resource_base_url, @params, 'Get')
+    return if result.nil?
+
+    # Conversion of string -> object hash to symbol -> object hash that InSpec needs
+    converted = []
+    result.each do |response|
+      next if response.nil? || !response.key?(wrap_path)
+      response[wrap_path].each do |hash|
+        hash_with_symbols = {}
+        hash.each_key do |key|
+          name, value = transform(key, hash)
+          hash_with_symbols[name] = value
+        end
+        converted.push(hash_with_symbols)
+      end
+    end
+
+    converted
+  end
+
+  def transform(key, value)
+    return transformers[key].call(value) if transformers.key?(key)
+
+    [key.to_sym, value]
+  end
+
+  def transformers
+    {
+      'name' => ->(obj) { [:name, obj['name']] },
+      'displayName' => ->(obj) { [:displayName, obj['displayName']] },
+      'description' => ->(obj) { [:description, obj['description']] },
+      'constraintDefault' => ->(obj) { [:constraintDefault, obj['constraintDefault']] },
+      'supportsDryRun' => ->(obj) { [:supportsDryRun, obj['supportsDryRun']] },
+      'listConstraint' => ->(obj) { [:listConstraint, GoogleInSpec::Orgpolicy::Property::ListConstraint.new(obj['listConstraint'], to_s)] },
+    }
+  end
+
+  private
+
+  def product_url(_ = nil)
+    'https://orgpolicy.googleapis.com/v2/'
+  end
+
+  def resource_base_url
+    '{{parent}}/constraints'
+  end
+end

test/integration/verify/controls/google_orgpolicy_folder_constraints.rb

@@ -0,0 +1,41 @@
+# ----------------------------------------------------------------------------
+#
+#     ***     AUTO GENERATED CODE    ***    Type: MMv1     ***
+#
+# ----------------------------------------------------------------------------
+#
+#     This file is automatically generated by Magic Modules and manual
+#     changes will be clobbered when the file is regenerated.
+#
+#     Please read more about how to change this file in README.md and
+#     CONTRIBUTING.md located at the root of this package.
+#
+# ----------------------------------------------------------------------------
+
+title 'Test GCP google_orgpolicy_folder_constraints resource.'
+
+gcp_project_id = input(:gcp_project_id, value: 'gcp_project_id', description: 'The GCP project identifier.')
+
+  folder_constraint = input('folder_constraint', value: {
+  "parent": "organizations/827482578277",
+  "name": "organizations/827482578277/constraints/ainotebooks.accessMode",
+  "displayName": "Disable Create Default Service Account (Cloud Build)",
+  "description": "This boolean constraint, when enforced, prevents the legacy Cloud Build service account from being created.",
+  "constraintDefault": "DENY",
+  "listConstraint": {
+    "supportsUnder": true
+  }
+}, description: 'folder_constraint description')
+control 'google_orgpolicy_folder_constraints-1.0' do
+  impact 1.0
+  title 'google_orgpolicy_folder_constraints resource test'
+
+    describe google_orgpolicy_folder_constraints(parent: folder_constraint['parent']) do
+      it { should exist }
+      its('names') { should include folder_constraint['name']}
+      its('display_names') { should include folder_constraint['displayName']}
+      its('descriptions') { should include folder_constraint['description']}
+      its('constraint_defaults') { should include folder_constraint['constraintDefault']}
+      its('list_constraints.first.supports_under') { should be true }
+    end
+end