google_organization_policy support conditional expression

[spacetj]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

Ability to define conditional expressions and reference tags in google_organization_policy. Docs: https://cloud.google.com/resource-manager/docs/organization-policy/tags-organization-policy

New or Affected Resource(s)

• google_organization_policy

Potential Terraform Configuration

# Propose what you think the configuration to take advantage of this feature should look like.
# We may not use it verbatim, but it's helpful in understanding your intent.
resource "google_organization_policy" "resource_locations" {
  org_id     = org_id
  constraint = "gcp.resourceLocations"

  list_policy {
    condition {
      match_tag {
        key = google_tags_tag_key.resource_locations.name
        value = google_tags_tag_value.resource_locations_us_west_1.name
      }
    }
    allow {
      values = ["us-west1-locations"]
    }
  }

  list_policy {
    allow {
      values = ["us-east1-locations"]
    }
  }
}

References

• https://cloud.google.com/resource-manager/docs/organization-policy/tags-organization-policy
• b/190763760

[megan07]

Hi! Could you please provide a link to the REST api? Thanks!

[BrunoReboul]

The org policy format has changed to enable using tags in conditions example

Resource Manager REST API v1 are the same. Not available en v2 nor v3

Org resource:

• Method: organizations.listOrgPolicies
• Method: organizations.getOrgPolicy
• Method: organizations.setOrgPolicy
• Method: organizations.getEffectiveOrgPolicy
• Method: organizations.clearOrgPolicy

Folder resource:

• Method: folders.listOrgPolicies
• Method: folders.getOrgPolicy
• Method: folders.setOrgPolicy
• Method: folders.getEffectiveOrgPolicy
• Method: folders.clearOrgPolicy

Project resource:

• Method: projects.listOrgPolicies
• Method: projects.getOrgPolicy
• Method: projects.setOrgPolicy
• Method: projects.clearOrgPolicy
• Method: projects.getEffectiveOrgPolicy

[dgulli]

any movement on this?

[gabor-farkas]

It's quite tricky to find but it's actually available in another endpoint, see: https://cloud.google.com/orgpolicy/docs/reference/rest
The service is https://orgpolicy.googleapis.com

It's such a hidden feature actually that if you set a policy with this method and try to view it on the admin console, it writes "This policy has been set with Tags through Organization Policy V2 API which is not yet supported by this Admin UI. To view/edit your policy, use the gcloud org-policies command line interface or Cloud Client Library to query the API."

[upodroid]

@rileykarson I'll try and switch the resource to use orgpolicy.googleapis.com/v2, MM style http calls instead of the go client, introduce parent field similar to essential_contacts_contact and see where it goes.

[rileykarson]

GoogleCloudPlatform/magic-modules#5123 has some discussion, a summary of my thoughts being: it's possible that we're able to make it compatible but we shouldn't- ultimately, we'd be locking the resource into MMv1 with the v1 schema indefinitely. Given that the API team decided to change the schema, we should adopt those changes in the best way we are able to.

I'm normally an advocate for stability for the resource instead, for example when a field changes names from beta -> GA within the same release track. However, a v2 is an explicit breaking change on an API's part.

[rileykarson]

@ndmckinley: Assigning this to you based on your supporting b/195368328, please correct me if I got it wrong! Also, if Thomas comments here I can assign them instead.

[upodroid]

I'll submit a PR adding a warning docs to the *_organization_policy resources to use google_org_policy_policy instead.

[nat-henderson]

Oh, thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.