diff --git a/google/resource_google_organization_policy.go b/google/resource_google_organization_policy.go
index 6e85947e..5922ad3a 100644
--- a/google/resource_google_organization_policy.go
+++ b/google/resource_google_organization_policy.go
@@ -2,9 +2,10 @@ package google
 import (
 "fmt"
+ "strings"
+
 "github.com/hashicorp/terraform/helper/schema"
 "google.golang.org/api/cloudresourcemanager/v1"
- "strings"
 )
 var schemaOrganizationPolicy = map[string]*schema.Schema{
@@ -83,6 +84,10 @@ var schemaOrganizationPolicy = map[string]*schema.Schema{
 Optional: true,
 Computed: true,
 },
+ "inherit_from_parent": {
+ Type: schema.TypeBool,
+ Optional: true,
+ },
 },
 },
 },
@@ -295,7 +300,10 @@ func flattenListOrganizationPolicy(policy *cloudresourcemanager.ListPolicy) []ma
 return lPolicies
 }
- listPolicy := map[string]interface{}{}
+ listPolicy := map[string]interface{}{
+ "suggested_value": policy.SuggestedValue,
+ "inherit_from_parent": policy.InheritFromParent,
+ }
 switch {
 case policy.AllValues == "ALLOW":
 listPolicy["allow"] = []interface{}{map[string]interface{}{
@@ -359,10 +367,12 @@ func expandListOrganizationPolicy(configured []interface{}) (*cloudresourcemanag
 listPolicy := configured[0].(map[string]interface{})
 return &cloudresourcemanager.ListPolicy{
- AllValues: allValues,
- AllowedValues: allowedValues,
- DeniedValues: deniedValues,
- SuggestedValue: listPolicy["suggested_value"].(string),
+ AllValues: allValues,
+ AllowedValues: allowedValues,
+ DeniedValues: deniedValues,
+ SuggestedValue: listPolicy["suggested_value"].(string),
+ InheritFromParent: listPolicy["inherit_from_parent"].(bool),
+ ForceSendFields: []string{"InheritFromParent"},
 }, nil
 }
diff --git a/google/resource_google_organization_policy_test.go b/google/resource_google_organization_policy_test.go
index b62a0bac..0088a01c 100644
--- a/google/resource_google_organization_policy_test.go
+++ b/google/resource_google_organization_policy_test.go
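Review bot: The key written in the flatten hunk is `suggested_value`, and expandListOrganizationPolicy reads the same key, but the three documentation files touched later in this commit still list the argument as `suggested_values` in their context lines. Since this hunk now reads that field back into state, the docs and the schema disagree on a name users will copy, and the doc entries should be corrected to `suggested_value` in the same change. flattenListOrganizationPolicy starts and ends outside the hunk.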
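Review bot: `listPolicy["inherit_from_parent"].(bool)` in the expand hunk is an unchecked type assertion, so a missing or nil entry would panic the provider instead of falling back to false; the comma-ok form `inherit, _ := listPolicy["inherit_from_parent"].(bool)` avoids that. Whether helper/schema always populates the key is not visible here, and the `suggested_value` assertion on the line above has the same shape. The `ForceSendFields` line also deserves a comment such as `// send an explicit false; a zero-valued bool is otherwise omitted from the request`, because whether a child list policy merges with or replaces the parent's values depends on that flag reaching the API. expandListOrganizationPolicy starts outside the hunk.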
@@ -20,12 +20,13 @@ var DENIED_ORG_POLICIES = []string{
 // avoid race conditions and aborted operations.
 func TestAccOrganizationPolicy(t *testing.T) {
 testCases := map[string]func(t *testing.T){
- "boolean": testAccOrganizationPolicy_boolean,
- "list_allowAll": testAccOrganizationPolicy_list_allowAll,
- "list_allowSome": testAccOrganizationPolicy_list_allowSome,
- "list_denySome": testAccOrganizationPolicy_list_denySome,
- "list_update": testAccOrganizationPolicy_list_update,
- "restore_policy": testAccOrganizationPolicy_restore_defaultTrue,
+ "boolean": testAccOrganizationPolicy_boolean,
+ "list_allowAll": testAccOrganizationPolicy_list_allowAll,
+ "list_allowSome": testAccOrganizationPolicy_list_allowSome,
+ "list_denySome": testAccOrganizationPolicy_list_denySome,
+ "list_update": testAccOrganizationPolicy_list_update,
+ "list_inheritFromParent": testAccOrganizationPolicy_list_inheritFromParent,
+ "restore_policy": testAccOrganizationPolicy_restore_defaultTrue,
 }
 for name, tc := range testCases {
@@ -166,6 +167,25 @@ func testAccOrganizationPolicy_list_update(t *testing.T) {
 })
 }
+func testAccOrganizationPolicy_list_inheritFromParent(t *testing.T) {
+ org := getTestOrgTargetFromEnv(t)
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckGoogleOrganizationPolicyDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccOrganizationPolicyConfig_list_inheritFromParent(org),
+ },
+ {
+ ResourceName: "google_organization_policy.list",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
 func testAccOrganizationPolicy_restore_defaultTrue(t *testing.T) {
 org := getTestOrgTargetFromEnv(t)
 resource.Test(t, resource.TestCase{
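Review bot: testAccOrganizationPolicy_list_inheritFromParent only applies a config with `inherit_from_parent = true` and then import-verifies, so the explicit-false path that `ForceSendFields` was added for is never exercised. A further step that re-applies the same policy with `inherit_from_parent = false`, followed by another import-verify, would catch a regression where the flag silently stays set on the server after being turned off. Step one also has no `Check`, so the value is confirmed only indirectly through `ImportStateVerify`.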
@@ -377,6 +397,25 @@ resource "google_organization_policy" "list" {
 `, org)
 }
+func testAccOrganizationPolicyConfig_list_inheritFromParent(org string) string {
+ return fmt.Sprintf(`
+resource "google_organization_policy" "list" {
+ org_id = "%s"
+ constraint = "serviceuser.services"
+
+ list_policy {
+ deny {
+ values = [
+ "doubleclicksearch.googleapis.com",
+ "replicapoolupdater.googleapis.com",
+ ]
+ }
+ inherit_from_parent = true
+ }
+}
+`, org)
+}
+
 func testAccOrganizationPolicyConfig_restore_defaultTrue(org string) string {
 return fmt.Sprintf(`
 resource "google_organization_policy" "restore" {
diff --git a/website/docs/r/google_folder_organization_policy.html.markdown b/website/docs/r/google_folder_organization_policy.html.markdown
index f9c79b4e..0d7d211b 100644
--- a/website/docs/r/google_folder_organization_policy.html.markdown
+++ b/website/docs/r/google_folder_organization_policy.html.markdown
@@ -106,6 +106,9 @@ The `list_policy` block supports:
 * `suggested_values` - (Optional) The Google Cloud Console will try to default to a configuration that matches the value specified in this field.
+* `inherit_from_parent` - (Optional) If set to true, the values from the effective Policy of the parent resource
+are inherited, meaning the values set in this Policy are added to the values inherited up the hierarchy.
+
 The `allow` or `deny` blocks support:
 * `all` - (Optional) The policy allows or denies all values.
diff --git a/website/docs/r/google_organization_policy.html.markdown b/website/docs/r/google_organization_policy.html.markdown
index ca0734c5..2e939fd4 100644
--- a/website/docs/r/google_organization_policy.html.markdown
+++ b/website/docs/r/google_organization_policy.html.markdown
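Review bot: The new test config sets `inherit_from_parent = true` on an `org_id` policy, and an organization normally sits at the top of the resource hierarchy, so this case probably confirms only that the field round-trips, not that the deny list is merged with a parent's values. If the folder or project resources share this list_policy schema (their docs gain the same argument in this commit, but their code is not visible here), a case on one of those would cover the behaviour the documentation describes. A one-line comment above the config, for example `// org-level: exercises round-trip of the flag only`, would at least make the limitation explicit.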
@@ -104,6 +104,9 @@ The `list_policy` block supports:
 * `suggested_values` - (Optional) The Google Cloud Console will try to default to a configuration that matches the value specified in this field.
+* `inherit_from_parent` - (Optional) If set to true, the values from the effective Policy of the parent resource
+are inherited, meaning the values set in this Policy are added to the values inherited up the hierarchy.
+
 The `allow` or `deny` blocks support:
 * `all` - (Optional) The policy allows or denies all values.
diff --git a/website/docs/r/google_project_organization_policy.html.markdown b/website/docs/r/google_project_organization_policy.html.markdown
index 8004fb8b..5be9eab0 100644
--- a/website/docs/r/google_project_organization_policy.html.markdown
+++ b/website/docs/r/google_project_organization_policy.html.markdown
@@ -105,6 +105,9 @@ The `list_policy` block supports:
 * `suggested_values` - (Optional) The Google Cloud Console will try to default to a configuration that matches the value specified in this field.
+* `inherit_from_parent` - (Optional) If set to true, the values from the effective Policy of the parent resource
+are inherited, meaning the values set in this Policy are added to the values inherited up the hierarchy.
+
 The `allow` or `deny` blocks support:
 * `all` - (Optional) The policy allows or denies all values.