package google
import (
"fmt"
"reflect"
"sort"
"testing"
"github.com/hashicorp/terraform/helper/acctest"
"github.com/hashicorp/terraform/helper/resource"
"github.com/hashicorp/terraform/terraform"
"google.golang.org/api/cloudresourcemanager/v1"
)
// TestAccFolderOrganizationPolicy_boolean drives a boolean org policy on a
// folder through create (enforced), update (not enforced), destroy, create
// (not enforced) and update (enforced), checking the live policy after each
// apply.
func TestAccFolderOrganizationPolicy_boolean(t *testing.T) {
	t.Parallel()

	folderName := acctest.RandomWithPrefix("tf-test")
	orgID := getTestOrgFromEnv(t)

	// One step per enforcement state: apply the config, then verify what the
	// API reports for resource "bool".
	enforcementStep := func(enforced bool) resource.TestStep {
		return resource.TestStep{
			Config: testAccFolderOrganizationPolicy_boolean(orgID, folderName, enforced),
			Check:  testAccCheckGoogleFolderOrganizationBooleanPolicy("bool", enforced),
		}
	}
	// An empty config applied with Destroy tears everything down between the
	// two create/update sequences.
	teardown := resource.TestStep{Config: " ", Destroy: true}

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckGoogleFolderOrganizationPolicyDestroy,
		Steps: []resource.TestStep{
			enforcementStep(true),  // create an enforced policy
			enforcementStep(false), // update from enforced to not enforced
			teardown,
			enforcementStep(false), // create a not enforced policy
			enforcementStep(true),  // update from not enforced to enforced
		},
	})
}
// TestAccFolderOrganizationPolicy_list_allowAll creates a list org policy on a
// folder that allows all values and checks the API reports ALLOW for all
// values with no explicit value list.
func TestAccFolderOrganizationPolicy_list_allowAll(t *testing.T) {
	t.Parallel()

	folderName := acctest.RandomWithPrefix("tf-test")
	orgID := getTestOrgFromEnv(t)

	steps := []resource.TestStep{
		{
			Config: testAccFolderOrganizationPolicy_list_allowAll(orgID, folderName),
			Check:  testAccCheckGoogleFolderOrganizationListPolicyAll("list", "ALLOW"),
		},
	}

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckGoogleFolderOrganizationPolicyDestroy,
		Steps:        steps,
	})
}
// TestAccFolderOrganizationPolicy_list_allowSome creates a list org policy on
// a folder allowing only the test project and checks the API reports exactly
// that one allowed value.
func TestAccFolderOrganizationPolicy_list_allowSome(t *testing.T) {
	t.Parallel()

	folderName := acctest.RandomWithPrefix("tf-test")
	orgID := getTestOrgFromEnv(t)
	projectID := getTestProjectFromEnv()

	// The constraint expects project resource names, not bare project IDs.
	allowed := []string{"projects/" + projectID}

	steps := []resource.TestStep{
		{
			Config: testAccFolderOrganizationPolicy_list_allowSome(orgID, folderName, projectID),
			Check:  testAccCheckGoogleFolderOrganizationListPolicyAllowedValues("list", allowed),
		},
	}

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckGoogleFolderOrganizationPolicyDestroy,
		Steps:        steps,
	})
}
// TestAccFolderOrganizationPolicy_list_denySome creates a list org policy on a
// folder denying a fixed set of services and checks the API reports exactly
// DENIED_ORG_POLICIES as the denied values.
func TestAccFolderOrganizationPolicy_list_denySome(t *testing.T) {
	t.Parallel()

	folderName := acctest.RandomWithPrefix("tf-test")
	orgID := getTestOrgFromEnv(t)

	steps := []resource.TestStep{
		{
			Config: testAccFolderOrganizationPolicy_list_denySome(orgID, folderName),
			Check:  testAccCheckGoogleFolderOrganizationListPolicyDeniedValues("list", DENIED_ORG_POLICIES),
		},
	}

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckGoogleFolderOrganizationPolicyDestroy,
		Steps:        steps,
	})
}
// TestAccFolderOrganizationPolicy_list_update creates an allow-all list policy
// on a folder and then updates it in place to a deny-some policy, checking the
// live policy after each apply.
func TestAccFolderOrganizationPolicy_list_update(t *testing.T) {
	t.Parallel()

	folderName := acctest.RandomWithPrefix("tf-test")
	orgID := getTestOrgFromEnv(t)

	allowAll := resource.TestStep{
		Config: testAccFolderOrganizationPolicy_list_allowAll(orgID, folderName),
		Check:  testAccCheckGoogleFolderOrganizationListPolicyAll("list", "ALLOW"),
	}
	denySome := resource.TestStep{
		Config: testAccFolderOrganizationPolicy_list_denySome(orgID, folderName),
		Check:  testAccCheckGoogleFolderOrganizationListPolicyDeniedValues("list", DENIED_ORG_POLICIES),
	}

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t) },
		Providers:    testAccProviders,
		CheckDestroy: testAccCheckGoogleFolderOrganizationPolicyDestroy,
		Steps:        []resource.TestStep{allowAll, denySome},
	})
}
// testAccCheckGoogleFolderOrganizationPolicyDestroy verifies, for every
// google_folder_organization_policy still recorded in state, that the live
// policy for that folder and constraint no longer carries a list or boolean
// rule. Any API error is returned as-is.
func testAccCheckGoogleFolderOrganizationPolicyDestroy(s *terraform.State) error {
	config := testAccProvider.Meta().(*Config)
	folders := config.clientResourceManager.Folders

	for _, res := range s.RootModule().Resources {
		if res.Type != "google_folder_organization_policy" {
			continue
		}

		attrs := res.Primary.Attributes
		folderID := canonicalFolderId(attrs["folder"])
		constraint := canonicalOrgPolicyConstraint(attrs["constraint"])
		req := &cloudresourcemanager.GetOrgPolicyRequest{Constraint: constraint}

		policy, err := folders.GetOrgPolicy(folderID, req).Do()
		if err != nil {
			return err
		}

		// A cleared policy comes back with neither rule kind populated.
		if policy.BooleanPolicy != nil || policy.ListPolicy != nil {
			return fmt.Errorf("Org policy with constraint '%s' hasn't been cleared", constraint)
		}
	}

	return nil
}
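// testAccCheckGoogleFolderOrganizationBooleanPolicy returns a check that the
// live policy behind google_folder_organization_policy.<n> is a boolean policy
// whose enforcement matches enforced.
//
// n is the resource name in the test config; enforced is the expected value of
// boolean_policy.enforced. The check reports an error, rather than panicking
// on a nil pointer, when the API returns a policy with no boolean_policy.
func testAccCheckGoogleFolderOrganizationBooleanPolicy(n string, enforced bool) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		policy, err := getGoogleFolderOrganizationPolicyTestResource(s, n)
		if err != nil {
			return err
		}

		// A policy of another kind, or a cleared one, has no BooleanPolicy;
		// surface that as a test failure instead of dereferencing nil.
		if policy.BooleanPolicy == nil {
			return fmt.Errorf("Expected a boolean policy on '%s', got none", n)
		}

		if policy.BooleanPolicy.Enforced != enforced {
			return fmt.Errorf("Expected boolean policy enforcement to be '%t', got '%t'", enforced, policy.BooleanPolicy.Enforced)
		}

		return nil
	}
}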
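// testAccCheckGoogleFolderOrganizationListPolicyAll returns a check that the
// live policy behind google_folder_organization_policy.<n> is a list policy
// applying policyType (e.g. "ALLOW") to all values, with no explicit allowed or
// denied values.
//
// The check reports an error, rather than panicking on a nil pointer, when the
// API returns a policy with no list_policy.
func testAccCheckGoogleFolderOrganizationListPolicyAll(n, policyType string) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		policy, err := getGoogleFolderOrganizationPolicyTestResource(s, n)
		if err != nil {
			return err
		}

		// A boolean or cleared policy has no ListPolicy; fail cleanly.
		lp := policy.ListPolicy
		if lp == nil {
			return fmt.Errorf("Expected a list policy on '%s', got none", n)
		}

		if len(lp.AllowedValues) > 0 || len(lp.DeniedValues) > 0 {
			return fmt.Errorf("The `values` field shouldn't be set")
		}

		if lp.AllValues != policyType {
			return fmt.Errorf("The list policy should %s all values", policyType)
		}

		return nil
	}
}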
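// testAccCheckGoogleFolderOrganizationListPolicyAllowedValues returns a check
// that the live list policy behind google_folder_organization_policy.<n>
// allows exactly values, compared order-insensitively.
//
// Neither values nor the API response is modified: the original sorted both in
// place, which reordered the caller's slice (a package-level var when shared
// across tests). The check reports an error, rather than panicking, when the
// API returns a policy with no list_policy.
func testAccCheckGoogleFolderOrganizationListPolicyAllowedValues(n string, values []string) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		policy, err := getGoogleFolderOrganizationPolicyTestResource(s, n)
		if err != nil {
			return err
		}

		if policy.ListPolicy == nil {
			return fmt.Errorf("Expected a list policy on '%s', got none", n)
		}

		// Sort copies so the comparison is order-insensitive without
		// mutating the caller's slice or the API response.
		got := append([]string(nil), policy.ListPolicy.AllowedValues...)
		want := append([]string(nil), values...)
		sort.Strings(got)
		sort.Strings(want)

		if !reflect.DeepEqual(got, want) {
			return fmt.Errorf("Expected the list policy to allow '%s', instead allowed '%s'", want, got)
		}

		return nil
	}
}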
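// testAccCheckGoogleFolderOrganizationListPolicyDeniedValues returns a check
// that the live list policy behind google_folder_organization_policy.<n>
// denies exactly values, compared order-insensitively.
//
// Neither values nor the API response is modified: the original sorted both in
// place, which reordered the caller's slice (DENIED_ORG_POLICIES is a shared
// package-level var). The check reports an error, rather than panicking, when
// the API returns a policy with no list_policy.
func testAccCheckGoogleFolderOrganizationListPolicyDeniedValues(n string, values []string) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		policy, err := getGoogleFolderOrganizationPolicyTestResource(s, n)
		if err != nil {
			return err
		}

		if policy.ListPolicy == nil {
			return fmt.Errorf("Expected a list policy on '%s', got none", n)
		}

		// Sort copies so the comparison is order-insensitive without
		// mutating the caller's slice or the API response.
		got := append([]string(nil), policy.ListPolicy.DeniedValues...)
		want := append([]string(nil), values...)
		sort.Strings(got)
		sort.Strings(want)

		if !reflect.DeepEqual(got, want) {
			return fmt.Errorf("Expected the list policy to deny '%s', instead denied '%s'", want, got)
		}

		return nil
	}
}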
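// getGoogleFolderOrganizationPolicyTestResource looks up
// google_folder_organization_policy.<n> in the Terraform state and fetches the
// live org policy for its folder and constraint from the Resource Manager API.
//
// It returns an error when the resource is absent from state, has no ID, or
// the API call fails. The folder and constraint attributes are canonicalized
// the same way testAccCheckGoogleFolderOrganizationPolicyDestroy does, so a
// config using the short constraint form (e.g. "serviceuser.services") is
// resolved identically by both helpers.
func getGoogleFolderOrganizationPolicyTestResource(s *terraform.State, n string) (*cloudresourcemanager.OrgPolicy, error) {
	rn := "google_folder_organization_policy." + n
	rs, ok := s.RootModule().Resources[rn]
	if !ok {
		return nil, fmt.Errorf("Not found: %s", rn)
	}

	if rs.Primary.ID == "" {
		return nil, fmt.Errorf("No ID is set")
	}

	config := testAccProvider.Meta().(*Config)
	folder := canonicalFolderId(rs.Primary.Attributes["folder"])
	constraint := canonicalOrgPolicyConstraint(rs.Primary.Attributes["constraint"])

	return config.clientResourceManager.Folders.GetOrgPolicy(folder, &cloudresourcemanager.GetOrgPolicyRequest{
		Constraint: constraint,
	}).Do()
}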
// testAccFolderOrganizationPolicy_boolean renders a config that creates a
// folder named folder under organization org and attaches a boolean org policy
// (constraints/compute.disableSerialPortAccess) to it. The policy references
// the folder by its numeric ID rather than "folders/<id>". enforced sets
// boolean_policy.enforced.
func testAccFolderOrganizationPolicy_boolean(org, folder string, enforced bool) string {
	const tmpl = `
resource "google_folder" "orgpolicy" {
display_name = "%s"
parent = "%s"
}

resource "google_folder_organization_policy" "bool" {
# Test numeric folder ID.
folder = "${replace(google_folder.orgpolicy.name, "folders/", "")}"
constraint = "constraints/compute.disableSerialPortAccess"

boolean_policy {
enforced = %t
}
}
`
	parent := "organizations/" + org
	return fmt.Sprintf(tmpl, folder, parent, enforced)
}
// testAccFolderOrganizationPolicy_list_allowAll renders a config that creates
// a folder named folder under organization org and attaches a list org policy
// (constraints/serviceuser.services) allowing all values.
func testAccFolderOrganizationPolicy_list_allowAll(org, folder string) string {
	const tmpl = `
resource "google_folder" "orgpolicy" {
display_name = "%s"
parent = "%s"
}

resource "google_folder_organization_policy" "list" {
folder = "${google_folder.orgpolicy.name}"
constraint = "constraints/serviceuser.services"

list_policy {
allow {
all = true
}
}
}
`
	parent := "organizations/" + org
	return fmt.Sprintf(tmpl, folder, parent)
}
// testAccFolderOrganizationPolicy_list_allowSome renders a config that creates
// a folder named folder under organization org and attaches a list org policy
// (constraints/compute.trustedImageProjects) allowing only "projects/<project>".
func testAccFolderOrganizationPolicy_list_allowSome(org, folder, project string) string {
	const tmpl = `
resource "google_folder" "orgpolicy" {
display_name = "%s"
parent = "%s"
}

resource "google_folder_organization_policy" "list" {
folder = "${google_folder.orgpolicy.name}"
constraint = "constraints/compute.trustedImageProjects"

list_policy {
allow {
values = ["projects/%s"]
}
}
}
`
	parent := "organizations/" + org
	return fmt.Sprintf(tmpl, folder, parent, project)
}
// testAccFolderOrganizationPolicy_list_denySome renders a config that creates
// a folder named folder under organization org and attaches a list org policy
// denying two fixed services. The constraint is deliberately written in its
// short form ("serviceuser.services", no "constraints/" prefix) so the
// resource's canonicalization is exercised.
func testAccFolderOrganizationPolicy_list_denySome(org, folder string) string {
	const tmpl = `
resource "google_folder" "orgpolicy" {
display_name = "%s"
parent = "%s"
}

resource "google_folder_organization_policy" "list" {
folder = "${google_folder.orgpolicy.name}"
constraint = "serviceuser.services"

list_policy {
deny {
values = [
"doubleclicksearch.googleapis.com",
"replicapoolupdater.googleapis.com",
]
}
}
}
`
	parent := "organizations/" + org
	return fmt.Sprintf(tmpl, folder, parent)
}