Added support for restoring default organization policies

google/resource_google_folder_organization_policy.go

@@ -52,6 +52,7 @@ func resourceGoogleFolderOrganizationPolicyRead(d *schema.ResourceData, meta int
 	d.Set("constraint", policy.Constraint)
 	d.Set("boolean_policy", flattenBooleanOrganizationPolicy(policy.BooleanPolicy))
 	d.Set("list_policy", flattenListOrganizationPolicy(policy.ListPolicy))
+	d.Set("restore_policy", policy.RestoreDefault)
 	d.Set("version", policy.Version)
 	d.Set("etag", policy.Etag)
 	d.Set("update_time", policy.UpdateTime)
@@ -90,15 +91,32 @@ func setFolderOrganizationPolicy(d *schema.ResourceData, meta interface{}) error
 		return err
 	}
 
-	_, err = config.clientResourceManager.Folders.SetOrgPolicy(folder, &cloudresourcemanager.SetOrgPolicyRequest{
-		Policy: &cloudresourcemanager.OrgPolicy{
-			Constraint:    canonicalOrgPolicyConstraint(d.Get("constraint").(string)),
-			BooleanPolicy: expandBooleanOrganizationPolicy(d.Get("boolean_policy").([]interface{})),
-			ListPolicy:    listPolicy,
-			Version:       int64(d.Get("version").(int)),
-			Etag:          d.Get("etag").(string),
-		},
-	}).Do()
+	restore_default, err := checkRestoreDefault(d.Get("restore_policy").([]interface{}))
+	if err != nil {
+		return err
+	}
+
+	if restore_default != nil {
+
+		_, err = config.clientResourceManager.Folders.SetOrgPolicy(folder, &cloudresourcemanager.SetOrgPolicyRequest{
+			Policy: &cloudresourcemanager.OrgPolicy{
+				Constraint:     canonicalOrgPolicyConstraint(d.Get("constraint").(string)),
+				RestoreDefault: restore_default,
+			},
+		}).Do()
+
+	} else {
+
+		_, err = config.clientResourceManager.Folders.SetOrgPolicy(folder, &cloudresourcemanager.SetOrgPolicyRequest{
+			Policy: &cloudresourcemanager.OrgPolicy{
+				Constraint:    canonicalOrgPolicyConstraint(d.Get("constraint").(string)),
+				BooleanPolicy: expandBooleanOrganizationPolicy(d.Get("boolean_policy").([]interface{})),
+				ListPolicy:    listPolicy,
+				Version:       int64(d.Get("version").(int)),
+				Etag:          d.Get("etag").(string),
+			},
+		}).Do()
+	}
 
 	return err
 }

google/resource_google_folder_organization_policy_test.go

@@ -129,6 +129,24 @@ func TestAccFolderOrganizationPolicy_list_update(t *testing.T) {
 	})
 }
 
+func TestAccFolderOrganizationPolicy_restore_defaultTrue(t *testing.T) {
+	t.Parallel()
+
+	folder := acctest.RandomWithPrefix("tf-test")
+	org := getTestOrgFromEnv(t)
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckGoogleOrganizationPolicyDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccFolderOrganizationPolicy_restore_defaultTrue(org, folder),
+				Check:  getGoogleFolderOrganizationRestoreDefaultTrue("list", &cloudresourcemanager.RestoreDefault{}),
+			},
+		},
+	})
+}
+
 func testAccCheckGoogleFolderOrganizationPolicyDestroy(s *terraform.State) error {
 	config := testAccProvider.Meta().(*Config)
 
@@ -222,6 +240,22 @@ func testAccCheckGoogleFolderOrganizationListPolicyDeniedValues(n string, values
 	}
 }
 
+func getGoogleFolderOrganizationRestoreDefaultTrue(n string, policyDefault *cloudresourcemanager.RestoreDefault) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+
+		policy, err := getGoogleFolderOrganizationPolicyTestResource(s, n)
+		if err != nil {
+			return err
+		}
+
+		if !reflect.DeepEqual(policy.RestoreDefault, policyDefault) {
+			return fmt.Errorf("Expected the list policy to '%s', restore default got, %s", policyDefault, policy.RestoreDefault)
+		}
+
+		return nil
+	}
+}
+
 func getGoogleFolderOrganizationPolicyTestResource(s *terraform.State, n string) (*cloudresourcemanager.OrgPolicy, error) {
 	rn := "google_folder_organization_policy." + n
 	rs, ok := s.RootModule().Resources[rn]
@@ -322,3 +356,21 @@ resource "google_folder_organization_policy" "list" {
 }
 `, folder, "organizations/"+org)
 }
+
+func testAccFolderOrganizationPolicy_restore_defaultTrue(org, folder string) string {
+	return fmt.Sprintf(`
+resource "google_folder" "orgpolicy" {
+  display_name = "%s"
+  parent       = "%s"
+}
+
+resource "google_folder_organization_policy" "list" {
+    folder     = "${google_folder.orgpolicy.name}"
+	constraint = "serviceuser.services"
+
+	restore_policy {
+		default = true
+	}
+}
+`, folder, "organizations/"+org)
+}

google/resource_google_organization_policy.go

@@ -18,7 +18,7 @@ var schemaOrganizationPolicy = map[string]*schema.Schema{
 		Type:          schema.TypeList,
 		Optional:      true,
 		MaxItems:      1,
-		ConflictsWith: []string{"list_policy"},
+		ConflictsWith: []string{"list_policy", "restore_policy"},
 		Elem: &schema.Resource{
 			Schema: map[string]*schema.Schema{
 				"enforced": {
@@ -32,7 +32,8 @@ var schemaOrganizationPolicy = map[string]*schema.Schema{
 		Type:          schema.TypeList,
 		Optional:      true,
 		MaxItems:      1,
-		ConflictsWith: []string{"boolean_policy"},
+		ConflictsWith: []string{"boolean_policy", "restore_policy"},
+
 		Elem: &schema.Resource{
 			Schema: map[string]*schema.Schema{
 				"allow": {
@@ -99,6 +100,20 @@ var schemaOrganizationPolicy = map[string]*schema.Schema{
 		Type:     schema.TypeString,
 		Computed: true,
 	},
+	"restore_policy": {
+		Type:          schema.TypeList,
+		Optional:      true,
+		MaxItems:      1,
+		ConflictsWith: []string{"boolean_policy", "list_policy"},
+		Elem: &schema.Resource{
+			Schema: map[string]*schema.Schema{
+				"default": {
+					Type:     schema.TypeBool,
+					Required: true,
+				},
+			},
+		},
+	},
 }
 
 func resourceGoogleOrganizationPolicy() *schema.Resource {
@@ -152,6 +167,7 @@ func resourceGoogleOrganizationPolicyRead(d *schema.ResourceData, meta interface
 	d.Set("version", policy.Version)
 	d.Set("etag", policy.Etag)
 	d.Set("update_time", policy.UpdateTime)
+	d.Set("restore_policy", policy.RestoreDefault)
 
 	return nil
 }
@@ -195,20 +211,37 @@ func setOrganizationPolicy(d *schema.ResourceData, meta interface{}) error {
 	config := meta.(*Config)
 	org := "organizations/" + d.Get("org_id").(string)
 
-	listPolicy, err := expandListOrganizationPolicy(d.Get("list_policy").([]interface{}))
+	restore_default, err := checkRestoreDefault(d.Get("restore_policy").([]interface{}))
 	if err != nil {
 		return err
 	}
 
-	_, err = config.clientResourceManager.Organizations.SetOrgPolicy(org, &cloudresourcemanager.SetOrgPolicyRequest{
-		Policy: &cloudresourcemanager.OrgPolicy{
-			Constraint:    canonicalOrgPolicyConstraint(d.Get("constraint").(string)),
-			BooleanPolicy: expandBooleanOrganizationPolicy(d.Get("boolean_policy").([]interface{})),
-			ListPolicy:    listPolicy,
-			Version:       int64(d.Get("version").(int)),
-			Etag:          d.Get("etag").(string),
-		},
-	}).Do()
+	if restore_default != nil {
+
+		_, err = config.clientResourceManager.Organizations.SetOrgPolicy(org, &cloudresourcemanager.SetOrgPolicyRequest{
+			Policy: &cloudresourcemanager.OrgPolicy{
+				Constraint:     canonicalOrgPolicyConstraint(d.Get("constraint").(string)),
+				RestoreDefault: restore_default,
+			},
+		}).Do()
+
+	} else {
+
+		listPolicy, err := expandListOrganizationPolicy(d.Get("list_policy").([]interface{}))
+		if err != nil {
+			return err
+		}
+
+		_, err = config.clientResourceManager.Organizations.SetOrgPolicy(org, &cloudresourcemanager.SetOrgPolicyRequest{
+			Policy: &cloudresourcemanager.OrgPolicy{
+				Constraint:    canonicalOrgPolicyConstraint(d.Get("constraint").(string)),
+				BooleanPolicy: expandBooleanOrganizationPolicy(d.Get("boolean_policy").([]interface{})),
+				ListPolicy:    listPolicy,
+				Version:       int64(d.Get("version").(int)),
+				Etag:          d.Get("etag").(string),
+			},
+		}).Do()
+	}
 
 	return err
 }
@@ -316,6 +349,20 @@ func expandListOrganizationPolicy(configured []interface{}) (*cloudresourcemanag
 	}, nil
 }
 
+func checkRestoreDefault(configured []interface{}) (*cloudresourcemanager.RestoreDefault, error) {
+	if len(configured) > 0 {
+		restoreDefaultMap := configured[0].(map[string]interface{})
+		default_value := restoreDefaultMap["default"].(bool)
+
+		if default_value {
+			restore_default := &cloudresourcemanager.RestoreDefault{}
+			return restore_default, nil
+		}
+	}
+
+	return nil, nil
+}
+
 func canonicalOrgPolicyConstraint(constraint string) string {
 	if strings.HasPrefix(constraint, "constraints/") {
 		return constraint

google/resource_google_organization_policy_test.go

@@ -24,7 +24,7 @@ func TestAccOrganizationPolicy(t *testing.T) {
 		"list_allowAll":  testAccOrganizationPolicy_list_allowAll,
 		"list_allowSome": testAccOrganizationPolicy_list_allowSome,
 		"list_denySome":  testAccOrganizationPolicy_list_denySome,
-		"list_update":    testAccOrganizationPolicy_list_update,
+		"list_restore":   testAccOrganizationPolicy_restore_defaultTrue,
 	}
 
 	for name, tc := range testCases {
@@ -165,6 +165,25 @@ func testAccOrganizationPolicy_list_update(t *testing.T) {
 	})
 }
 
+func testAccOrganizationPolicy_restore_defaultTrue(t *testing.T) {
+	org := getTestOrgTargetFromEnv(t)
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckGoogleOrganizationPolicyDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccOrganizationPolicyConfig_restore_defaultTrue(org),
+				Check:  testAccCheckGoogleOrganizationRestoreDefaultTrue("list", &cloudresourcemanager.RestoreDefault{}),
+			},
+			{
+				ResourceName: "google_organization_policy.list",
+				ImportState:  true,
+			},
+		},
+	})
+}
+
 func testAccCheckGoogleOrganizationPolicyDestroy(s *terraform.State) error {
 	config := testAccProvider.Meta().(*Config)
 
@@ -258,6 +277,22 @@ func testAccCheckGoogleOrganizationListPolicyDeniedValues(n string, values []str
 	}
 }
 
+func testAccCheckGoogleOrganizationRestoreDefaultTrue(n string, policyDefault *cloudresourcemanager.RestoreDefault) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+
+		policy, err := getGoogleOrganizationPolicyTestResource(s, n)
+		if err != nil {
+			return err
+		}
+
+		if !reflect.DeepEqual(policy.RestoreDefault, policyDefault) {
+			return fmt.Errorf("Expected the list policy to '%s', restore default got, %s", policyDefault, policy.RestoreDefault)
+		}
+
+		return nil
+	}
+}
+
 func getGoogleOrganizationPolicyTestResource(s *terraform.State, n string) (*cloudresourcemanager.OrgPolicy, error) {
 	rn := "google_organization_policy." + n
 	rs, ok := s.RootModule().Resources[rn]
@@ -339,3 +374,16 @@ resource "google_organization_policy" "list" {
 }
 `, org)
 }
+
+func testAccOrganizationPolicyConfig_restore_defaultTrue(org string) string {
+	return fmt.Sprintf(`
+resource "google_organization_policy" "list" {
+	org_id = "%s"
+	constraint = "serviceuser.services"
+
+	restore_policy {
+		default = true
+	}
+}
+`, org)
+}

google/resource_google_project_organization_policy.go

@@ -52,6 +52,7 @@ func resourceGoogleProjectOrganizationPolicyRead(d *schema.ResourceData, meta in
 	d.Set("constraint", policy.Constraint)
 	d.Set("boolean_policy", flattenBooleanOrganizationPolicy(policy.BooleanPolicy))
 	d.Set("list_policy", flattenListOrganizationPolicy(policy.ListPolicy))
+	d.Set("restore_policy", policy.RestoreDefault)
 	d.Set("version", policy.Version)
 	d.Set("etag", policy.Etag)
 	d.Set("update_time", policy.UpdateTime)
@@ -90,15 +91,32 @@ func setProjectOrganizationPolicy(d *schema.ResourceData, meta interface{}) erro
 		return err
 	}
 
-	_, err = config.clientResourceManager.Projects.SetOrgPolicy(project, &cloudresourcemanager.SetOrgPolicyRequest{
-		Policy: &cloudresourcemanager.OrgPolicy{
-			Constraint:    canonicalOrgPolicyConstraint(d.Get("constraint").(string)),
-			BooleanPolicy: expandBooleanOrganizationPolicy(d.Get("boolean_policy").([]interface{})),
-			ListPolicy:    listPolicy,
-			Version:       int64(d.Get("version").(int)),
-			Etag:          d.Get("etag").(string),
-		},
-	}).Do()
+	restore_default, err := checkRestoreDefault(d.Get("restore_policy").([]interface{}))
+	if err != nil {
+		return err
+	}
+
+	if restore_default != nil {
+
+		_, err = config.clientResourceManager.Projects.SetOrgPolicy(project, &cloudresourcemanager.SetOrgPolicyRequest{
+			Policy: &cloudresourcemanager.OrgPolicy{
+				Constraint:     canonicalOrgPolicyConstraint(d.Get("constraint").(string)),
+				RestoreDefault: restore_default,
+			},
+		}).Do()
+
+	} else {
+
+		_, err = config.clientResourceManager.Projects.SetOrgPolicy(project, &cloudresourcemanager.SetOrgPolicyRequest{
+			Policy: &cloudresourcemanager.OrgPolicy{
+				Constraint:    canonicalOrgPolicyConstraint(d.Get("constraint").(string)),
+				BooleanPolicy: expandBooleanOrganizationPolicy(d.Get("boolean_policy").([]interface{})),
+				ListPolicy:    listPolicy,
+				Version:       int64(d.Get("version").(int)),
+				Etag:          d.Get("etag").(string),
+			},
+		}).Do()
+	}
 
 	return err
 }