Document that a policy must be defined. (#3611)

Signed-off-by: Modular Magician <magic-modules@google.com>
2024-06-29 06:42:36 +00:00 · 2019-05-16 13:10:44 -07:00 · 2019-05-16 13:10:44 -07:00 · f34848f974
commit f34848f974
parent de550575be
7 changed files with 86 additions and 9 deletions
--- a/google/resource_google_folder_organization_policy.go
+++ b/google/resource_google_folder_organization_policy.go
@ -51,12 +51,16 @@ func resourceFolderOrgPolicyImporter(d *schema.ResourceData, meta interface{}) (
 }

 func resourceGoogleFolderOrganizationPolicyCreate(d *schema.ResourceData, meta interface{}) error {
+	d.SetId(fmt.Sprintf("%s:%s", d.Get("folder"), d.Get("constraint")))
+
+	if isOrganizationPolicyUnset(d) {
+		return resourceGoogleFolderOrganizationPolicyDelete(d, meta)
+	}
+
 	if err := setFolderOrganizationPolicy(d, meta); err != nil {
 		return err
 	}

-	d.SetId(fmt.Sprintf("%s:%s", d.Get("folder"), d.Get("constraint")))
-
 	return resourceGoogleFolderOrganizationPolicyRead(d, meta)
 }

@ -84,6 +88,10 @@ func resourceGoogleFolderOrganizationPolicyRead(d *schema.ResourceData, meta int
 }

 func resourceGoogleFolderOrganizationPolicyUpdate(d *schema.ResourceData, meta interface{}) error {
+	if isOrganizationPolicyUnset(d) {
+		return resourceGoogleFolderOrganizationPolicyDelete(d, meta)
+	}
+
 	if err := setFolderOrganizationPolicy(d, meta); err != nil {
 		return err
 	}
--- a/google/resource_google_organization_policy.go
+++ b/google/resource_google_organization_policy.go
@ -144,12 +144,16 @@ func resourceGoogleOrganizationPolicy() *schema.Resource {
 }

 func resourceGoogleOrganizationPolicyCreate(d *schema.ResourceData, meta interface{}) error {
+	d.SetId(fmt.Sprintf("%s:%s", d.Get("org_id"), d.Get("constraint").(string)))
+
+	if isOrganizationPolicyUnset(d) {
+		return resourceGoogleOrganizationPolicyDelete(d, meta)
+	}
+
 	if err := setOrganizationPolicy(d, meta); err != nil {
 		return err
 	}

-	d.SetId(fmt.Sprintf("%s:%s", d.Get("org_id"), d.Get("constraint").(string)))
-
 	return resourceGoogleOrganizationPolicyRead(d, meta)
 }

@ -177,6 +181,10 @@ func resourceGoogleOrganizationPolicyRead(d *schema.ResourceData, meta interface
 }

 func resourceGoogleOrganizationPolicyUpdate(d *schema.ResourceData, meta interface{}) error {
+	if isOrganizationPolicyUnset(d) {
+		return resourceGoogleOrganizationPolicyDelete(d, meta)
+	}
+
 	if err := setOrganizationPolicy(d, meta); err != nil {
 		return err
 	}
@ -211,6 +219,19 @@ func resourceGoogleOrganizationPolicyImportState(d *schema.ResourceData, meta in
 	return []*schema.ResourceData{d}, nil
 }

+// Organization policies can be "inherited from parent" the UI, and this is the default
+// state of the resource without any policy set. In order to revert to this state the current
+// resource cannot be updated it must instead be Deleted. This allows Terraform to assert that
+// no policy has been set even if previously one had.
+// See https://github.com/terraform-providers/terraform-provider-google/issues/3607
+func isOrganizationPolicyUnset(d *schema.ResourceData) bool {
+	listPolicy := d.Get("list_policy").([]interface{})
+	booleanPolicy := d.Get("boolean_policy").([]interface{})
+	restorePolicy := d.Get("restore_policy").([]interface{})
+
+	return len(listPolicy)+len(booleanPolicy)+len(restorePolicy) == 0
+}
+
 func setOrganizationPolicy(d *schema.ResourceData, meta interface{}) error {
 	config := meta.(*Config)
 	org := "organizations/" + d.Get("org_id").(string)
--- a/google/resource_google_project_organization_policy.go
+++ b/google/resource_google_project_organization_policy.go
@ -50,12 +50,16 @@ func resourceProjectOrgPolicyImporter(d *schema.ResourceData, meta interface{})
 }

 func resourceGoogleProjectOrganizationPolicyCreate(d *schema.ResourceData, meta interface{}) error {
+	d.SetId(fmt.Sprintf("%s:%s", d.Get("project"), d.Get("constraint")))
+
+	if isOrganizationPolicyUnset(d) {
+		return resourceGoogleProjectOrganizationPolicyDelete(d, meta)
+	}
+
 	if err := setProjectOrganizationPolicy(d, meta); err != nil {
 		return err
 	}

-	d.SetId(fmt.Sprintf("%s:%s", d.Get("project"), d.Get("constraint")))
-
 	return resourceGoogleProjectOrganizationPolicyRead(d, meta)
 }

@ -83,6 +87,10 @@ func resourceGoogleProjectOrganizationPolicyRead(d *schema.ResourceData, meta in
 }

 func resourceGoogleProjectOrganizationPolicyUpdate(d *schema.ResourceData, meta interface{}) error {
+	if isOrganizationPolicyUnset(d) {
+		return resourceGoogleProjectOrganizationPolicyDelete(d, meta)
+	}
+
 	if err := setProjectOrganizationPolicy(d, meta); err != nil {
 		return err
 	}
--- a/google/resource_google_project_organization_policy_test.go
+++ b/google/resource_google_project_organization_policy_test.go
@ -22,6 +22,7 @@ func TestAccProjectOrganizationPolicy(t *testing.T) {
 		"list_denySome":  testAccProjectOrganizationPolicy_list_denySome,
 		"list_update":    testAccProjectOrganizationPolicy_list_update,
 		"restore_policy": testAccProjectOrganizationPolicy_restore_defaultTrue,
+		"empty_policy":   testAccProjectOrganizationPolicy_none,
 	}

 	for name, tc := range testCases {
@ -179,6 +180,27 @@ func testAccProjectOrganizationPolicy_restore_defaultTrue(t *testing.T) {
 	})
 }

+func testAccProjectOrganizationPolicy_none(t *testing.T) {
+	projectId := getTestProjectFromEnv()
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckGoogleProjectOrganizationPolicyDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccProjectOrganizationPolicyConfig_none(projectId),
+				Check:  testAccCheckGoogleProjectOrganizationPolicyDestroy,
+			},
+			{
+				ResourceName:      "google_project_organization_policy.none",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func testAccCheckGoogleProjectOrganizationPolicyDestroy(s *terraform.State) error {
 	config := testAccProvider.Meta().(*Config)

@ -387,6 +409,15 @@ resource "google_project_organization_policy" "restore" {
 `, pid)
 }

+func testAccProjectOrganizationPolicyConfig_none(pid string) string {
+	return fmt.Sprintf(`
+resource "google_project_organization_policy" "none" {
+  project    = "%s"
+  constraint = "constraints/serviceuser.services"
+}
+`, pid)
+}
+
 func canonicalProjectId(project string) string {
 	if strings.HasPrefix(project, "projects/") {
 		return project
--- a/website/docs/r/google_folder_organization_policy.html.markdown
+++ b/website/docs/r/google_folder_organization_policy.html.markdown
@ -94,6 +94,9 @@ can also be used to allow or deny all values. Structure is documented below.

 * `restore_policy` - (Optional) A restore policy is a constraint to restore the default policy. Structure is documented below.

+~> **Note:** If none of [`boolean_policy`, `list_policy`, `restore_policy`] are defined the policy for a given constraint will
+effectively be unset. This is represented in the UI as the constraint being 'Inherited'.
+
 - - -

 The `boolean_policy` block supports:
--- a/website/docs/r/google_organization_policy.html.markdown
+++ b/website/docs/r/google_organization_policy.html.markdown
@ -86,11 +86,14 @@ The following arguments are supported:

 * `version` - (Optional) Version of the Policy. Default version is 0.

-* `boolean_policy` - (Optional) A boolean policy is a constraint that is either enforced or not. Structure is documented below. 
+* `boolean_policy` - (Optional) A boolean policy is a constraint that is either enforced or not. Structure is documented below.

 * `list_policy` - (Optional) A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below.

-* `restore_policy` - (Optional) A restore policy is a constraint to restore the default policy. Structure is documented below. 
+* `restore_policy` - (Optional) A restore policy is a constraint to restore the default policy. Structure is documented below.
+
+~> **Note:** If none of [`boolean_policy`, `list_policy`, `restore_policy`] are defined the policy for a given constraint will
+effectively be unset. This is represented in the UI as the constraint being 'Inherited'.

 - - -

@ -122,7 +125,7 @@ The `restore_policy` block supports:
 In addition to the arguments listed above, the following computed attributes are
 exported:

-* `etag` - (Computed) The etag of the organization policy. `etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. 
+* `etag` - (Computed) The etag of the organization policy. `etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other.

 * `update_time` - (Computed) The timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds, representing when the variable was last updated. Example: "2016-10-09T12:33:37.578138407Z".

--- a/website/docs/r/google_project_organization_policy.html.markdown
+++ b/website/docs/r/google_project_organization_policy.html.markdown
@ -93,6 +93,9 @@ The following arguments are supported:

 * `restore_policy` - (Optional) A restore policy is a constraint to restore the default policy. Structure is documented below.

+~> **Note:** If none of [`boolean_policy`, `list_policy`, `restore_policy`] are defined the policy for a given constraint will
+effectively be unset. This is represented in the UI as the constraint being 'Inherited'.
+
 - - -

 The `boolean_policy` block supports: