Merge branch 'master' into master

slevenick · May 31, 2019 · dda3128 · dda3128
2 parents 965231f + 4ab789f
commit dda3128
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 23 deletions.
diff --git a/docs/resources/google_organization_policy.md b/docs/resources/google_organization_policy.md
@@ -5,26 +5,19 @@ platform: gcp
 
 # google\_organization\_policy
 
-Use the `google_organization_policy` InSpec audit resource to test properties of a GCP organization.  
+Use the `google_organization_policy` InSpec audit resource to test constraints set on a GCP organization.
 
 <br>
 
 ## Syntax
 
-Google organization have a name, display name (or domain) and lifecycle state. For more info, please see [here](https://cloud.google.com/resource-manager/docs/creating-managing-organization).
+Google organization policies can restrict certain GCP services. For more information see https://cloud.google.com/resource-manager/docs/organization-policy/understanding-constraints
 
-A `google_organization` resource block declares the tests for a single GCP organization identified by `display_name` or `name`:
+A `google_organization_policy` resource block declares the tests for a single GCP organization constraint identified by the pair of the `name` of the organization and the `constraint`:
 
-    describe google_organization(display_name: 'google.com') do
+    describe google_organization_policy(name: 'organizations/123456', constraint: 'constraints/compute.disableGuestAttributesAccess') do
       it { should exist }
-      its('name') { should eq 'organizations/1234'  }
-      its('display_name') { should eq 'google.com' }
-    end
-
-    describe google_organization(name: 'organizations/1234') do
-      it { should exist }
-      its('name') { should eq 'google.com'  }
-      its('lifecycle_state') { should eq 'ACTIVE' }
+      its('boolean_policy.enforced') { should be true }
     end
 
 <br>
@@ -33,23 +26,37 @@ A `google_organization` resource block declares the tests for a single GCP organ
 
 The following examples show how to use this InSpec audit resource.
 
-### Test that a GCP organization has the expected name
+### Test that a GCP organization has a specific constraint enforced
 
-    describe google_organization(name: 'organizations/1234') do
-      its('name') { should eq 'organizations/1234' }
+    describe google_organization_policy(name: 'organizations/123456', constraint: 'constraints/compute.disableGuestAttributesAccess') do
+      it { should exist }
+      its('boolean_policy.enforced') { should be true }
     end
 
-### Test that a GCP organization has the expected lifecycle state e.g. "ACTIVE"
+### Test that a GCP organization has certain values allowed for a list constraint
 
-    describe google_organization(display_name: 'google.com') do
-      its('lifecycle_state') { should eq "ACTIVE" }
+    describe google_organization_policy(name: 'organizations/123456', constraint: 'constraints/someListConstraint') do
+      it { should exist }
+      its('list_policy.allowed_values') { should include 'included_val' }
+      its('list_policy.allowed_values') { should_not include 'excluded' }
+      its('list_policy.denied_values') { should include 'denied' }
     end
 
 <br>
 
 ## Properties
 
-*  `name`, `display_name`, `lifecycle_state`
+  * `update_time`: The time stamp this policy was last updated.
+
+  * `boolean_policy`: Only available for constraints that are boolean policies.
+
+    * `enforced`: Boolean for if this policy is enforced.
+
+  * `list_policy`: Available for list policies.
+
+    * `allowed_values`: List of values allowed at this resource.
+
+    * `denied_values`: List of values denied at this resource.
 
 <br>
 

diff --git a/libraries/google_organization_policy.rb b/libraries/google_organization_policy.rb
@@ -8,11 +8,9 @@ class GoogleOrganizationPolicy < GcpResourceBase
     desc 'Verifies configuration of an organization policy'
 
     example "
-      describe google_organization(name: 'google.com') do
+      describe google_organization_policy(name: 'organizations/123456', constraint: 'constraints/compute.disableGuestAttributesAccess') do
         it { should exist }
-        its('name') { should eq 'organizations/1234' }
-        its('display_name') { should eq 'google.com' }
-        its('lifecycle_state') { should eq 'ACTIVE' }
+        its('boolean_policy.enforced') { should be true }
       end
     "
     def initialize(opts = {})