
Add google_organization_policy for terraform validator (GoogleCloudPlatform#5711)

* Add google_organization_policy for terraform validator

* fix comma
iyabchen authored and lcaggio committed Mar 17, 2022
1 parent cf9f247 commit 4ce50f4
Showing 6 changed files with 648 additions and 1 deletion.
4 changes: 3 additions & 1 deletion mmv1/provider/terraform_validator.rb
Expand Up @@ -316,7 +316,9 @@ def copy_common_files(output_folder, generate_code, _generate_docs)
['converters/google/resources/spanner_instance_iam.go',
'third_party/validator/spanner_instance_iam.go'],
['converters/google/resources/storage_bucket_iam.go',
'third_party/validator/storage_bucket_iam.go']
'third_party/validator/storage_bucket_iam.go'],
['converters/google/resources/organization_policy.go',
'third_party/validator/organization_policy.go']
])
end

1 change: 1 addition & 0 deletions mmv1/templates/validator/resource_converters.go.erb
Expand Up @@ -113,6 +113,7 @@ func ResourceConverters() map[string][]ResourceConverter {
"google_organization_iam_policy": {resourceConverterOrganizationIamPolicy()},
"google_organization_iam_binding": {resourceConverterOrganizationIamBinding()},
"google_organization_iam_member": {resourceConverterOrganizationIamMember()},
"google_organization_policy": {resourceConverterOrganizationPolicy()},
"google_project_organization_policy": {resourceConverterProjectOrgPolicy()},
"google_folder_iam_policy": {resourceConverterFolderIamPolicy()},
"google_folder_iam_binding": {resourceConverterFolderIamBinding()},
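--- a/mmv1/third_party/validator/organization_policy.go
+++ b/mmv1/third_party/validator/organization_policy.go
@@ -0,0 +1,52 @@
+package google
+
+func resourceConverterOrganizationPolicy() ResourceConverter {
+return ResourceConverter{
+AssetType: "cloudresourcemanager.googleapis.com/Organization",
+Convert: GetOrganizationPolicyCaiObject,
+MergeCreateUpdate: MergeOrganizationPolicy,
+}
+}
+
+func GetOrganizationPolicyCaiObject(d TerraformResourceData, config *Config) ([]Asset, error) {
+name, err := assetName(d, config, "//cloudresourcemanager.googleapis.com/organizations/{{org_id}}")
+if err != nil {
+return []Asset{}, err
+}
+if obj, err := GetOrganizationPolicyApiObject(d, config); err == nil {
+return []Asset{{
+Name: name,
+Type: "cloudresourcemanager.googleapis.com/Organization",
+OrgPolicy: []*OrgPolicy{&obj},
+}}, nil
+} else {
+return []Asset{}, err
+}
+}
+
+func MergeOrganizationPolicy(existing, incoming Asset) Asset {
+existing.OrgPolicy = append(existing.OrgPolicy, incoming.OrgPolicy...)
+return existing
+}
+
+func GetOrganizationPolicyApiObject(d TerraformResourceData, config *Config) (OrgPolicy, error) {
+
+listPolicy, err := expandListOrganizationPolicy(d.Get("list_policy").([]interface{}))
+if err != nil {
+return OrgPolicy{}, err
+}
+
+restoreDefault, err := expandRestoreOrganizationPolicy(d.Get("restore_policy").([]interface{}))
+if err != nil {
+return OrgPolicy{}, err
+}
+
+policy := OrgPolicy{
+Constraint: canonicalOrgPolicyConstraint(d.Get("constraint").(string)),
+BooleanPolicy: expandBooleanOrganizationPolicy(d.Get("boolean_policy").([]interface{})),
+ListPolicy: listPolicy,
+RestoreDefault: restoreDefault,
+}
+
+return policy, nil
+}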
@@ -0,0 +1,38 @@
[
{
"name": "//cloudresourcemanager.googleapis.com/organizations/{{.OrgID}}",
"asset_type": "cloudresourcemanager.googleapis.com/Organization",
"ancestry_path": "{{.Ancestry}}/project/{{.Provider.project}}",
"org_policy": [
{
"constraint": "constraints/compute.disableSerialPortAccess",
"boolean_policy": {
"enforced": true
},
"update_time": "{{.Time.RFC3339Nano}}"
},
{
"constraint": "constraints/serviceuser.services",
"list_policy": {
"all_values": 1
},
"update_time": "{{.Time.RFC3339Nano}}"
},
{
"constraint": "constraints/serviceuser.services",
"list_policy": {
"denied_values": [
"cloudresourcemanager.googleapis.com"
],
"suggested_value": "compute.googleapis.com"
},
"update_time": "{{.Time.RFC3339Nano}}"
},
{
"constraint": "constraints/serviceuser.services",
"restore_default": {},
"update_time": "{{.Time.RFC3339Nano}}"
}
]
}
]
@@ -0,0 +1,70 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

terraform {
required_providers {
google = {
source = "hashicorp/google"
version = "~> {{.Provider.version}}"
}
}
}

provider "google" {
{{if .Provider.credentials }}credentials = "{{.Provider.credentials}}"{{end}}
}

resource "google_organization_policy" "serial_port_policy" {
org_id = "{{.OrgID}}"
constraint = "compute.disableSerialPortAccess"

boolean_policy {
enforced = true
}
}

resource "google_organization_policy" "services_policy_a" {
org_id = "{{.OrgID}}"
constraint = "serviceuser.services"

list_policy {
allow {
all = true
}
}
}

resource "google_organization_policy" "services_policy_b" {
org_id = "{{.OrgID}}"
constraint = "serviceuser.services"

list_policy {
suggested_value = "compute.googleapis.com"

deny {
values = ["cloudresourcemanager.googleapis.com"]
}
}
}

resource "google_organization_policy" "services_policy_c" {
org_id = "{{.OrgID}}"
constraint = "serviceuser.services"

restore_policy {
default = true
}
}
