mirror of
https://github.com/letic/terraform-provider-google.git
synced 2024-07-08 19:18:30 +00:00
Added support for restoring default organization policies (#1477)
* Added support for restoring default organization policies * Added support for restoring default folder/project organization policies * Refactored code * Fixes #1239 * Clarify docs * Clarify docs * Clarify docs
This commit is contained in:
parent
f40eff9076
commit
8a77e42698
|
@ -52,6 +52,7 @@ func resourceGoogleFolderOrganizationPolicyRead(d *schema.ResourceData, meta int
|
||||||
d.Set("constraint", policy.Constraint)
|
d.Set("constraint", policy.Constraint)
|
||||||
d.Set("boolean_policy", flattenBooleanOrganizationPolicy(policy.BooleanPolicy))
|
d.Set("boolean_policy", flattenBooleanOrganizationPolicy(policy.BooleanPolicy))
|
||||||
d.Set("list_policy", flattenListOrganizationPolicy(policy.ListPolicy))
|
d.Set("list_policy", flattenListOrganizationPolicy(policy.ListPolicy))
|
||||||
|
d.Set("restore_policy", flattenRestoreOrganizationPolicy(policy.RestoreDefault))
|
||||||
d.Set("version", policy.Version)
|
d.Set("version", policy.Version)
|
||||||
d.Set("etag", policy.Etag)
|
d.Set("etag", policy.Etag)
|
||||||
d.Set("update_time", policy.UpdateTime)
|
d.Set("update_time", policy.UpdateTime)
|
||||||
|
@ -85,18 +86,25 @@ func resourceGoogleFolderOrganizationPolicyDelete(d *schema.ResourceData, meta i
|
||||||
func setFolderOrganizationPolicy(d *schema.ResourceData, meta interface{}) error {
|
func setFolderOrganizationPolicy(d *schema.ResourceData, meta interface{}) error {
|
||||||
config := meta.(*Config)
|
config := meta.(*Config)
|
||||||
folder := canonicalFolderId(d.Get("folder").(string))
|
folder := canonicalFolderId(d.Get("folder").(string))
|
||||||
|
|
||||||
listPolicy, err := expandListOrganizationPolicy(d.Get("list_policy").([]interface{}))
|
listPolicy, err := expandListOrganizationPolicy(d.Get("list_policy").([]interface{}))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
restoreDefault, err := expandRestoreOrganizationPolicy(d.Get("restore_policy").([]interface{}))
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
_, err = config.clientResourceManager.Folders.SetOrgPolicy(folder, &cloudresourcemanager.SetOrgPolicyRequest{
|
_, err = config.clientResourceManager.Folders.SetOrgPolicy(folder, &cloudresourcemanager.SetOrgPolicyRequest{
|
||||||
Policy: &cloudresourcemanager.OrgPolicy{
|
Policy: &cloudresourcemanager.OrgPolicy{
|
||||||
Constraint: canonicalOrgPolicyConstraint(d.Get("constraint").(string)),
|
Constraint: canonicalOrgPolicyConstraint(d.Get("constraint").(string)),
|
||||||
BooleanPolicy: expandBooleanOrganizationPolicy(d.Get("boolean_policy").([]interface{})),
|
BooleanPolicy: expandBooleanOrganizationPolicy(d.Get("boolean_policy").([]interface{})),
|
||||||
ListPolicy: listPolicy,
|
ListPolicy: listPolicy,
|
||||||
Version: int64(d.Get("version").(int)),
|
RestoreDefault: restoreDefault,
|
||||||
Etag: d.Get("etag").(string),
|
Version: int64(d.Get("version").(int)),
|
||||||
|
Etag: d.Get("etag").(string),
|
||||||
},
|
},
|
||||||
}).Do()
|
}).Do()
|
||||||
|
|
||||||
|
|
|
@ -129,6 +129,24 @@ func TestAccFolderOrganizationPolicy_list_update(t *testing.T) {
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestAccFolderOrganizationPolicy_restore_defaultTrue(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
|
||||||
|
folder := acctest.RandomWithPrefix("tf-test")
|
||||||
|
org := getTestOrgFromEnv(t)
|
||||||
|
resource.Test(t, resource.TestCase{
|
||||||
|
PreCheck: func() { testAccPreCheck(t) },
|
||||||
|
Providers: testAccProviders,
|
||||||
|
CheckDestroy: testAccCheckGoogleOrganizationPolicyDestroy,
|
||||||
|
Steps: []resource.TestStep{
|
||||||
|
{
|
||||||
|
Config: testAccFolderOrganizationPolicy_restore_defaultTrue(org, folder),
|
||||||
|
Check: getGoogleFolderOrganizationRestoreDefaultTrue("restore", &cloudresourcemanager.RestoreDefault{}),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
func testAccCheckGoogleFolderOrganizationPolicyDestroy(s *terraform.State) error {
|
func testAccCheckGoogleFolderOrganizationPolicyDestroy(s *terraform.State) error {
|
||||||
config := testAccProvider.Meta().(*Config)
|
config := testAccProvider.Meta().(*Config)
|
||||||
|
|
||||||
|
@ -222,6 +240,22 @@ func testAccCheckGoogleFolderOrganizationListPolicyDeniedValues(n string, values
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func getGoogleFolderOrganizationRestoreDefaultTrue(n string, policyDefault *cloudresourcemanager.RestoreDefault) resource.TestCheckFunc {
|
||||||
|
return func(s *terraform.State) error {
|
||||||
|
|
||||||
|
policy, err := getGoogleFolderOrganizationPolicyTestResource(s, n)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
if !reflect.DeepEqual(policy.RestoreDefault, policyDefault) {
|
||||||
|
return fmt.Errorf("Expected the restore default '%s', instead denied, %s", policyDefault, policy.RestoreDefault)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func getGoogleFolderOrganizationPolicyTestResource(s *terraform.State, n string) (*cloudresourcemanager.OrgPolicy, error) {
|
func getGoogleFolderOrganizationPolicyTestResource(s *terraform.State, n string) (*cloudresourcemanager.OrgPolicy, error) {
|
||||||
rn := "google_folder_organization_policy." + n
|
rn := "google_folder_organization_policy." + n
|
||||||
rs, ok := s.RootModule().Resources[rn]
|
rs, ok := s.RootModule().Resources[rn]
|
||||||
|
@ -249,7 +283,7 @@ resource "google_folder" "orgpolicy" {
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_folder_organization_policy" "bool" {
|
resource "google_folder_organization_policy" "bool" {
|
||||||
# Test numeric folder ID.
|
# Test numeric folder ID.
|
||||||
folder = "${replace(google_folder.orgpolicy.name, "folders/", "")}"
|
folder = "${replace(google_folder.orgpolicy.name, "folders/", "")}"
|
||||||
constraint = "constraints/compute.disableSerialPortAccess"
|
constraint = "constraints/compute.disableSerialPortAccess"
|
||||||
|
|
||||||
|
@ -322,3 +356,21 @@ resource "google_folder_organization_policy" "list" {
|
||||||
}
|
}
|
||||||
`, folder, "organizations/"+org)
|
`, folder, "organizations/"+org)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func testAccFolderOrganizationPolicy_restore_defaultTrue(org, folder string) string {
|
||||||
|
return fmt.Sprintf(`
|
||||||
|
resource "google_folder" "orgpolicy" {
|
||||||
|
display_name = "%s"
|
||||||
|
parent = "%s"
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_folder_organization_policy" "restore" {
|
||||||
|
folder = "${google_folder.orgpolicy.name}"
|
||||||
|
constraint = "serviceuser.services"
|
||||||
|
|
||||||
|
restore_policy {
|
||||||
|
default = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
`, folder, "organizations/"+org)
|
||||||
|
}
|
||||||
|
|
|
@ -18,7 +18,7 @@ var schemaOrganizationPolicy = map[string]*schema.Schema{
|
||||||
Type: schema.TypeList,
|
Type: schema.TypeList,
|
||||||
Optional: true,
|
Optional: true,
|
||||||
MaxItems: 1,
|
MaxItems: 1,
|
||||||
ConflictsWith: []string{"list_policy"},
|
ConflictsWith: []string{"list_policy", "restore_policy"},
|
||||||
Elem: &schema.Resource{
|
Elem: &schema.Resource{
|
||||||
Schema: map[string]*schema.Schema{
|
Schema: map[string]*schema.Schema{
|
||||||
"enforced": {
|
"enforced": {
|
||||||
|
@ -32,7 +32,7 @@ var schemaOrganizationPolicy = map[string]*schema.Schema{
|
||||||
Type: schema.TypeList,
|
Type: schema.TypeList,
|
||||||
Optional: true,
|
Optional: true,
|
||||||
MaxItems: 1,
|
MaxItems: 1,
|
||||||
ConflictsWith: []string{"boolean_policy"},
|
ConflictsWith: []string{"boolean_policy", "restore_policy"},
|
||||||
Elem: &schema.Resource{
|
Elem: &schema.Resource{
|
||||||
Schema: map[string]*schema.Schema{
|
Schema: map[string]*schema.Schema{
|
||||||
"allow": {
|
"allow": {
|
||||||
|
@ -99,6 +99,20 @@ var schemaOrganizationPolicy = map[string]*schema.Schema{
|
||||||
Type: schema.TypeString,
|
Type: schema.TypeString,
|
||||||
Computed: true,
|
Computed: true,
|
||||||
},
|
},
|
||||||
|
"restore_policy": {
|
||||||
|
Type: schema.TypeList,
|
||||||
|
Optional: true,
|
||||||
|
MaxItems: 1,
|
||||||
|
ConflictsWith: []string{"boolean_policy", "list_policy"},
|
||||||
|
Elem: &schema.Resource{
|
||||||
|
Schema: map[string]*schema.Schema{
|
||||||
|
"default": {
|
||||||
|
Type: schema.TypeBool,
|
||||||
|
Required: true,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
func resourceGoogleOrganizationPolicy() *schema.Resource {
|
func resourceGoogleOrganizationPolicy() *schema.Resource {
|
||||||
|
@ -152,6 +166,7 @@ func resourceGoogleOrganizationPolicyRead(d *schema.ResourceData, meta interface
|
||||||
d.Set("version", policy.Version)
|
d.Set("version", policy.Version)
|
||||||
d.Set("etag", policy.Etag)
|
d.Set("etag", policy.Etag)
|
||||||
d.Set("update_time", policy.UpdateTime)
|
d.Set("update_time", policy.UpdateTime)
|
||||||
|
d.Set("restore_policy", flattenRestoreOrganizationPolicy(policy.RestoreDefault))
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
@ -200,13 +215,19 @@ func setOrganizationPolicy(d *schema.ResourceData, meta interface{}) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
restoreDefault, err := expandRestoreOrganizationPolicy(d.Get("restore_policy").([]interface{}))
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
_, err = config.clientResourceManager.Organizations.SetOrgPolicy(org, &cloudresourcemanager.SetOrgPolicyRequest{
|
_, err = config.clientResourceManager.Organizations.SetOrgPolicy(org, &cloudresourcemanager.SetOrgPolicyRequest{
|
||||||
Policy: &cloudresourcemanager.OrgPolicy{
|
Policy: &cloudresourcemanager.OrgPolicy{
|
||||||
Constraint: canonicalOrgPolicyConstraint(d.Get("constraint").(string)),
|
Constraint: canonicalOrgPolicyConstraint(d.Get("constraint").(string)),
|
||||||
BooleanPolicy: expandBooleanOrganizationPolicy(d.Get("boolean_policy").([]interface{})),
|
BooleanPolicy: expandBooleanOrganizationPolicy(d.Get("boolean_policy").([]interface{})),
|
||||||
ListPolicy: listPolicy,
|
ListPolicy: listPolicy,
|
||||||
Version: int64(d.Get("version").(int)),
|
RestoreDefault: restoreDefault,
|
||||||
Etag: d.Get("etag").(string),
|
Version: int64(d.Get("version").(int)),
|
||||||
|
Etag: d.Get("etag").(string),
|
||||||
},
|
},
|
||||||
}).Do()
|
}).Do()
|
||||||
|
|
||||||
|
@ -227,6 +248,20 @@ func flattenBooleanOrganizationPolicy(policy *cloudresourcemanager.BooleanPolicy
|
||||||
return bPolicies
|
return bPolicies
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func flattenRestoreOrganizationPolicy(restore_policy *cloudresourcemanager.RestoreDefault) []map[string]interface{} {
|
||||||
|
rp := make([]map[string]interface{}, 0, 1)
|
||||||
|
|
||||||
|
if restore_policy == nil {
|
||||||
|
return rp
|
||||||
|
}
|
||||||
|
|
||||||
|
rp = append(rp, map[string]interface{}{
|
||||||
|
"default": true,
|
||||||
|
})
|
||||||
|
|
||||||
|
return rp
|
||||||
|
}
|
||||||
|
|
||||||
func expandBooleanOrganizationPolicy(configured []interface{}) *cloudresourcemanager.BooleanPolicy {
|
func expandBooleanOrganizationPolicy(configured []interface{}) *cloudresourcemanager.BooleanPolicy {
|
||||||
if len(configured) == 0 {
|
if len(configured) == 0 {
|
||||||
return nil
|
return nil
|
||||||
|
@ -238,6 +273,21 @@ func expandBooleanOrganizationPolicy(configured []interface{}) *cloudresourceman
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func expandRestoreOrganizationPolicy(configured []interface{}) (*cloudresourcemanager.RestoreDefault, error) {
|
||||||
|
if len(configured) == 0 {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
restoreDefaultMap := configured[0].(map[string]interface{})
|
||||||
|
default_value := restoreDefaultMap["default"].(bool)
|
||||||
|
|
||||||
|
if default_value {
|
||||||
|
return &cloudresourcemanager.RestoreDefault{}, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil, fmt.Errorf("Invalid value for restore_policy. Expecting default = true")
|
||||||
|
}
|
||||||
|
|
||||||
func flattenListOrganizationPolicy(policy *cloudresourcemanager.ListPolicy) []map[string]interface{} {
|
func flattenListOrganizationPolicy(policy *cloudresourcemanager.ListPolicy) []map[string]interface{} {
|
||||||
lPolicies := make([]map[string]interface{}, 0, 1)
|
lPolicies := make([]map[string]interface{}, 0, 1)
|
||||||
|
|
||||||
|
|
|
@ -25,6 +25,7 @@ func TestAccOrganizationPolicy(t *testing.T) {
|
||||||
"list_allowSome": testAccOrganizationPolicy_list_allowSome,
|
"list_allowSome": testAccOrganizationPolicy_list_allowSome,
|
||||||
"list_denySome": testAccOrganizationPolicy_list_denySome,
|
"list_denySome": testAccOrganizationPolicy_list_denySome,
|
||||||
"list_update": testAccOrganizationPolicy_list_update,
|
"list_update": testAccOrganizationPolicy_list_update,
|
||||||
|
"restore_policy": testAccOrganizationPolicy_restore_defaultTrue,
|
||||||
}
|
}
|
||||||
|
|
||||||
for name, tc := range testCases {
|
for name, tc := range testCases {
|
||||||
|
@ -165,6 +166,26 @@ func testAccOrganizationPolicy_list_update(t *testing.T) {
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func testAccOrganizationPolicy_restore_defaultTrue(t *testing.T) {
|
||||||
|
org := getTestOrgTargetFromEnv(t)
|
||||||
|
resource.Test(t, resource.TestCase{
|
||||||
|
PreCheck: func() { testAccPreCheck(t) },
|
||||||
|
Providers: testAccProviders,
|
||||||
|
CheckDestroy: testAccCheckGoogleOrganizationPolicyDestroy,
|
||||||
|
Steps: []resource.TestStep{
|
||||||
|
{
|
||||||
|
Config: testAccOrganizationPolicyConfig_restore_defaultTrue(org),
|
||||||
|
Check: testAccCheckGoogleOrganizationRestoreDefaultTrue("restore", &cloudresourcemanager.RestoreDefault{}),
|
||||||
|
},
|
||||||
|
{
|
||||||
|
ResourceName: "google_organization_policy.restore",
|
||||||
|
ImportState: true,
|
||||||
|
ImportStateVerify: true,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
func testAccCheckGoogleOrganizationPolicyDestroy(s *terraform.State) error {
|
func testAccCheckGoogleOrganizationPolicyDestroy(s *terraform.State) error {
|
||||||
config := testAccProvider.Meta().(*Config)
|
config := testAccProvider.Meta().(*Config)
|
||||||
|
|
||||||
|
@ -258,6 +279,22 @@ func testAccCheckGoogleOrganizationListPolicyDeniedValues(n string, values []str
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func testAccCheckGoogleOrganizationRestoreDefaultTrue(n string, policyDefault *cloudresourcemanager.RestoreDefault) resource.TestCheckFunc {
|
||||||
|
return func(s *terraform.State) error {
|
||||||
|
|
||||||
|
policy, err := getGoogleOrganizationPolicyTestResource(s, n)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
if !reflect.DeepEqual(policy.RestoreDefault, policyDefault) {
|
||||||
|
return fmt.Errorf("Expected the restore default '%s', instead denied, %s", policyDefault, policy.RestoreDefault)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func getGoogleOrganizationPolicyTestResource(s *terraform.State, n string) (*cloudresourcemanager.OrgPolicy, error) {
|
func getGoogleOrganizationPolicyTestResource(s *terraform.State, n string) (*cloudresourcemanager.OrgPolicy, error) {
|
||||||
rn := "google_organization_policy." + n
|
rn := "google_organization_policy." + n
|
||||||
rs, ok := s.RootModule().Resources[rn]
|
rs, ok := s.RootModule().Resources[rn]
|
||||||
|
@ -279,12 +316,12 @@ func getGoogleOrganizationPolicyTestResource(s *terraform.State, n string) (*clo
|
||||||
func testAccOrganizationPolicyConfig_boolean(org string, enforced bool) string {
|
func testAccOrganizationPolicyConfig_boolean(org string, enforced bool) string {
|
||||||
return fmt.Sprintf(`
|
return fmt.Sprintf(`
|
||||||
resource "google_organization_policy" "bool" {
|
resource "google_organization_policy" "bool" {
|
||||||
org_id = "%s"
|
org_id = "%s"
|
||||||
constraint = "constraints/compute.disableSerialPortAccess"
|
constraint = "constraints/compute.disableSerialPortAccess"
|
||||||
|
|
||||||
boolean_policy {
|
boolean_policy {
|
||||||
enforced = %t
|
enforced = %t
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
`, org, enforced)
|
`, org, enforced)
|
||||||
}
|
}
|
||||||
|
@ -292,14 +329,14 @@ resource "google_organization_policy" "bool" {
|
||||||
func testAccOrganizationPolicyConfig_list_allowAll(org string) string {
|
func testAccOrganizationPolicyConfig_list_allowAll(org string) string {
|
||||||
return fmt.Sprintf(`
|
return fmt.Sprintf(`
|
||||||
resource "google_organization_policy" "list" {
|
resource "google_organization_policy" "list" {
|
||||||
org_id = "%s"
|
org_id = "%s"
|
||||||
constraint = "constraints/serviceuser.services"
|
constraint = "constraints/serviceuser.services"
|
||||||
|
|
||||||
list_policy {
|
list_policy {
|
||||||
allow {
|
allow {
|
||||||
all = true
|
all = true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
`, org)
|
`, org)
|
||||||
}
|
}
|
||||||
|
@ -307,16 +344,16 @@ resource "google_organization_policy" "list" {
|
||||||
func testAccOrganizationPolicyConfig_list_allowSome(org, project string) string {
|
func testAccOrganizationPolicyConfig_list_allowSome(org, project string) string {
|
||||||
return fmt.Sprintf(`
|
return fmt.Sprintf(`
|
||||||
resource "google_organization_policy" "list" {
|
resource "google_organization_policy" "list" {
|
||||||
org_id = "%s"
|
org_id = "%s"
|
||||||
constraint = "constraints/compute.trustedImageProjects"
|
constraint = "constraints/compute.trustedImageProjects"
|
||||||
|
|
||||||
list_policy {
|
list_policy {
|
||||||
allow {
|
allow {
|
||||||
values = [
|
values = [
|
||||||
"projects/%s",
|
"projects/%s",
|
||||||
"projects/debian-cloud"
|
"projects/debian-cloud"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
`, org, project)
|
`, org, project)
|
||||||
|
@ -325,17 +362,30 @@ resource "google_organization_policy" "list" {
|
||||||
func testAccOrganizationPolicyConfig_list_denySome(org string) string {
|
func testAccOrganizationPolicyConfig_list_denySome(org string) string {
|
||||||
return fmt.Sprintf(`
|
return fmt.Sprintf(`
|
||||||
resource "google_organization_policy" "list" {
|
resource "google_organization_policy" "list" {
|
||||||
org_id = "%s"
|
org_id = "%s"
|
||||||
constraint = "serviceuser.services"
|
constraint = "serviceuser.services"
|
||||||
|
|
||||||
list_policy {
|
list_policy {
|
||||||
deny {
|
deny {
|
||||||
values = [
|
values = [
|
||||||
"doubleclicksearch.googleapis.com",
|
"doubleclicksearch.googleapis.com",
|
||||||
"replicapoolupdater.googleapis.com",
|
"replicapoolupdater.googleapis.com",
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
`, org)
|
||||||
|
}
|
||||||
|
|
||||||
|
func testAccOrganizationPolicyConfig_restore_defaultTrue(org string) string {
|
||||||
|
return fmt.Sprintf(`
|
||||||
|
resource "google_organization_policy" "restore" {
|
||||||
|
org_id = "%s"
|
||||||
|
constraint = "serviceuser.services"
|
||||||
|
|
||||||
|
restore_policy {
|
||||||
|
default = true
|
||||||
|
}
|
||||||
}
|
}
|
||||||
`, org)
|
`, org)
|
||||||
}
|
}
|
||||||
|
|
|
@ -52,6 +52,7 @@ func resourceGoogleProjectOrganizationPolicyRead(d *schema.ResourceData, meta in
|
||||||
d.Set("constraint", policy.Constraint)
|
d.Set("constraint", policy.Constraint)
|
||||||
d.Set("boolean_policy", flattenBooleanOrganizationPolicy(policy.BooleanPolicy))
|
d.Set("boolean_policy", flattenBooleanOrganizationPolicy(policy.BooleanPolicy))
|
||||||
d.Set("list_policy", flattenListOrganizationPolicy(policy.ListPolicy))
|
d.Set("list_policy", flattenListOrganizationPolicy(policy.ListPolicy))
|
||||||
|
d.Set("restore_policy", flattenRestoreOrganizationPolicy(policy.RestoreDefault))
|
||||||
d.Set("version", policy.Version)
|
d.Set("version", policy.Version)
|
||||||
d.Set("etag", policy.Etag)
|
d.Set("etag", policy.Etag)
|
||||||
d.Set("update_time", policy.UpdateTime)
|
d.Set("update_time", policy.UpdateTime)
|
||||||
|
@ -85,18 +86,25 @@ func resourceGoogleProjectOrganizationPolicyDelete(d *schema.ResourceData, meta
|
||||||
func setProjectOrganizationPolicy(d *schema.ResourceData, meta interface{}) error {
|
func setProjectOrganizationPolicy(d *schema.ResourceData, meta interface{}) error {
|
||||||
config := meta.(*Config)
|
config := meta.(*Config)
|
||||||
project := prefixedProject(d.Get("project").(string))
|
project := prefixedProject(d.Get("project").(string))
|
||||||
|
|
||||||
listPolicy, err := expandListOrganizationPolicy(d.Get("list_policy").([]interface{}))
|
listPolicy, err := expandListOrganizationPolicy(d.Get("list_policy").([]interface{}))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
restore_default, err := expandRestoreOrganizationPolicy(d.Get("restore_policy").([]interface{}))
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
_, err = config.clientResourceManager.Projects.SetOrgPolicy(project, &cloudresourcemanager.SetOrgPolicyRequest{
|
_, err = config.clientResourceManager.Projects.SetOrgPolicy(project, &cloudresourcemanager.SetOrgPolicyRequest{
|
||||||
Policy: &cloudresourcemanager.OrgPolicy{
|
Policy: &cloudresourcemanager.OrgPolicy{
|
||||||
Constraint: canonicalOrgPolicyConstraint(d.Get("constraint").(string)),
|
Constraint: canonicalOrgPolicyConstraint(d.Get("constraint").(string)),
|
||||||
BooleanPolicy: expandBooleanOrganizationPolicy(d.Get("boolean_policy").([]interface{})),
|
BooleanPolicy: expandBooleanOrganizationPolicy(d.Get("boolean_policy").([]interface{})),
|
||||||
ListPolicy: listPolicy,
|
ListPolicy: listPolicy,
|
||||||
Version: int64(d.Get("version").(int)),
|
RestoreDefault: restore_default,
|
||||||
Etag: d.Get("etag").(string),
|
Version: int64(d.Get("version").(int)),
|
||||||
|
Etag: d.Get("etag").(string),
|
||||||
},
|
},
|
||||||
}).Do()
|
}).Do()
|
||||||
|
|
||||||
|
|
|
@ -122,6 +122,22 @@ func TestAccProjectOrganizationPolicy_list_update(t *testing.T) {
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestAccProjectOrganizationPolicy_restore_defaultTrue(t *testing.T) {
|
||||||
|
projectId := getTestProjectFromEnv()
|
||||||
|
|
||||||
|
resource.Test(t, resource.TestCase{
|
||||||
|
PreCheck: func() { testAccPreCheck(t) },
|
||||||
|
Providers: testAccProviders,
|
||||||
|
CheckDestroy: testAccCheckGoogleProjectOrganizationPolicyDestroy,
|
||||||
|
Steps: []resource.TestStep{
|
||||||
|
{
|
||||||
|
Config: testAccProjectOrganizationPolicy_restore_defaultTrue(projectId),
|
||||||
|
Check: getGoogleProjectOrganizationRestoreDefaultTrue("restore", &cloudresourcemanager.RestoreDefault{}),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
func testAccCheckGoogleProjectOrganizationPolicyDestroy(s *terraform.State) error {
|
func testAccCheckGoogleProjectOrganizationPolicyDestroy(s *terraform.State) error {
|
||||||
config := testAccProvider.Meta().(*Config)
|
config := testAccProvider.Meta().(*Config)
|
||||||
|
|
||||||
|
@ -219,6 +235,22 @@ func testAccCheckGoogleProjectOrganizationListPolicyDeniedValues(n string, value
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func getGoogleProjectOrganizationRestoreDefaultTrue(n string, policyDefault *cloudresourcemanager.RestoreDefault) resource.TestCheckFunc {
|
||||||
|
return func(s *terraform.State) error {
|
||||||
|
|
||||||
|
policy, err := getGoogleProjectOrganizationPolicyTestResource(s, n)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
if !reflect.DeepEqual(policy.RestoreDefault, policyDefault) {
|
||||||
|
return fmt.Errorf("Expected the restore default '%s', instead denied, %s", policyDefault, policy.RestoreDefault)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func getGoogleProjectOrganizationPolicyTestResource(s *terraform.State, n string) (*cloudresourcemanager.OrgPolicy, error) {
|
func getGoogleProjectOrganizationPolicyTestResource(s *terraform.State, n string) (*cloudresourcemanager.OrgPolicy, error) {
|
||||||
rn := "google_project_organization_policy." + n
|
rn := "google_project_organization_policy." + n
|
||||||
rs, ok := s.RootModule().Resources[rn]
|
rs, ok := s.RootModule().Resources[rn]
|
||||||
|
@ -301,6 +333,19 @@ resource "google_project_organization_policy" "list" {
|
||||||
`, pid)
|
`, pid)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func testAccProjectOrganizationPolicy_restore_defaultTrue(pid string) string {
|
||||||
|
return fmt.Sprintf(`
|
||||||
|
resource "google_project_organization_policy" "restore" {
|
||||||
|
project = "%s"
|
||||||
|
constraint = "constraints/serviceuser.services"
|
||||||
|
|
||||||
|
restore_policy {
|
||||||
|
default = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
`, pid)
|
||||||
|
}
|
||||||
|
|
||||||
func canonicalProjectId(project string) string {
|
func canonicalProjectId(project string) string {
|
||||||
if strings.HasPrefix(project, "projects/") {
|
if strings.HasPrefix(project, "projects/") {
|
||||||
return project
|
return project
|
||||||
|
|
|
@ -62,6 +62,19 @@ resource "google_folder_organization_policy" "services_policy" {
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
To restore the default folder organization policy, use the following instead:
|
||||||
|
|
||||||
|
```hcl
|
||||||
|
resource "google_folder_organization_policy" "services_policy" {
|
||||||
|
folder = "folders/123456789"
|
||||||
|
constraint = "serviceuser.services"
|
||||||
|
|
||||||
|
restore_policy {
|
||||||
|
default = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
## Argument Reference
|
## Argument Reference
|
||||||
|
|
||||||
The following arguments are supported:
|
The following arguments are supported:
|
||||||
|
@ -76,7 +89,10 @@ The following arguments are supported:
|
||||||
|
|
||||||
* `boolean_policy` - (Optional) A boolean policy is a constraint that is either enforced or not. Structure is documented below.
|
* `boolean_policy` - (Optional) A boolean policy is a constraint that is either enforced or not. Structure is documented below.
|
||||||
|
|
||||||
* `list_policy` - (Optional) A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below.
|
* `list_policy` - (Optional) A policy that can define specific values that are allowed or denied for the given constraint. It
|
||||||
|
can also be used to allow or deny all values. Structure is documented below.
|
||||||
|
|
||||||
|
* `restore_policy` - (Optional) A restore policy is a constraint to restore the default policy. Structure is documented below.
|
||||||
|
|
||||||
- - -
|
- - -
|
||||||
|
|
||||||
|
@ -96,6 +112,10 @@ The `allow` or `deny` blocks support:
|
||||||
|
|
||||||
* `values` - (Optional) The policy can define specific values that are allowed or denied.
|
* `values` - (Optional) The policy can define specific values that are allowed or denied.
|
||||||
|
|
||||||
|
The `restore_policy` block supports:
|
||||||
|
|
||||||
|
* `default` - (Required) May only be set to true. If set, then the default Policy is restored.
|
||||||
|
|
||||||
## Attributes Reference
|
## Attributes Reference
|
||||||
|
|
||||||
In addition to the arguments listed above, the following computed attributes are
|
In addition to the arguments listed above, the following computed attributes are
|
||||||
|
|
|
@ -44,7 +44,6 @@ resource "google_organization_policy" "services_policy" {
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
Or to deny some services, use the following instead:
|
Or to deny some services, use the following instead:
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
|
@ -62,6 +61,19 @@ resource "google_organization_policy" "services_policy" {
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
To restore the default organization policy, use the following instead:
|
||||||
|
|
||||||
|
```hcl
|
||||||
|
resource "google_organization_policy" "services_policy" {
|
||||||
|
org_id = "123456789"
|
||||||
|
constraint = "serviceuser.services"
|
||||||
|
|
||||||
|
restore_policy {
|
||||||
|
default = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
## Argument Reference
|
## Argument Reference
|
||||||
|
|
||||||
The following arguments are supported:
|
The following arguments are supported:
|
||||||
|
@ -78,6 +90,8 @@ The following arguments are supported:
|
||||||
|
|
||||||
* `list_policy` - (Optional) A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below.
|
* `list_policy` - (Optional) A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below.
|
||||||
|
|
||||||
|
* `restore_policy` - (Optional) A restore policy is a constraint to restore the default policy. Structure is documented below.
|
||||||
|
|
||||||
- - -
|
- - -
|
||||||
|
|
||||||
The `boolean_policy` block supports:
|
The `boolean_policy` block supports:
|
||||||
|
@ -96,6 +110,10 @@ The `allow` or `deny` blocks support:
|
||||||
|
|
||||||
* `values` - (Optional) The policy can define specific values that are allowed or denied.
|
* `values` - (Optional) The policy can define specific values that are allowed or denied.
|
||||||
|
|
||||||
|
The `restore_policy` block supports:
|
||||||
|
|
||||||
|
* `default` - (Required) May only be set to true. If set, then the default Policy is restored.
|
||||||
|
|
||||||
## Attributes Reference
|
## Attributes Reference
|
||||||
|
|
||||||
In addition to the arguments listed above, the following computed attributes are
|
In addition to the arguments listed above, the following computed attributes are
|
||||||
|
|
|
@ -62,6 +62,19 @@ resource "google_project_organization_policy" "services_policy" {
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
To restore the default project organization policy, use the following instead:
|
||||||
|
|
||||||
|
```hcl
|
||||||
|
resource "google_project_organization_policy" "services_policy" {
|
||||||
|
project = "your-project-id"
|
||||||
|
constraint = "serviceuser.services"
|
||||||
|
|
||||||
|
restore_policy {
|
||||||
|
default = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
## Argument Reference
|
## Argument Reference
|
||||||
|
|
||||||
The following arguments are supported:
|
The following arguments are supported:
|
||||||
|
@ -78,6 +91,8 @@ The following arguments are supported:
|
||||||
|
|
||||||
* `list_policy` - (Optional) A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below.
|
* `list_policy` - (Optional) A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below.
|
||||||
|
|
||||||
|
* `restore_policy` - (Optional) A restore policy is a constraint to restore the default policy. Structure is documented below.
|
||||||
|
|
||||||
- - -
|
- - -
|
||||||
|
|
||||||
The `boolean_policy` block supports:
|
The `boolean_policy` block supports:
|
||||||
|
@ -96,6 +111,10 @@ The `allow` or `deny` blocks support:
|
||||||
|
|
||||||
* `values` - (Optional) The policy can define specific values that are allowed or denied.
|
* `values` - (Optional) The policy can define specific values that are allowed or denied.
|
||||||
|
|
||||||
|
The `restore_policy` block supports:
|
||||||
|
|
||||||
|
* `default` - (Required) May only be set to true. If set, then the default Policy is restored.
|
||||||
|
|
||||||
## Attributes Reference
|
## Attributes Reference
|
||||||
|
|
||||||
In addition to the arguments listed above, the following computed attributes are
|
In addition to the arguments listed above, the following computed attributes are
|
||||||
|
|
Loading…
Reference in New Issue
Block a user