Added support for restoring default organization policies #1477
Does this get read in after a change? i.e. after I change my config to restore_default and run terraform apply to edit the org policy, does running terraform plan show changes?
} | ||
|
||
if restore_default != nil { | ||
|
nit - remove line
refactored code
@@ -32,7 +32,8 @@ var schemaOrganizationPolicy = map[string]*schema.Schema{ | |||
Type: schema.TypeList, | |||
Optional: true, | |||
MaxItems: 1, | |||
ConflictsWith: []string{"boolean_policy"}, | |||
ConflictsWith: []string{"boolean_policy", "restore_policy"}, | |||
|
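Review bot: the `ConflictsWith` entry on the added line only covers combinations that involve this field, so `boolean_policy` together with `restore_policy` is not rejected by it. Check that the `boolean_policy` and `restore_policy` schema entries list each other (and this field) in their own `ConflictsWith`, so every pair of the three policy blocks is caught at plan time.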
-newline
done
}).Do() | ||
|
||
} else { | ||
|
-newline
refactored code
RestoreDefault: restore_default, | ||
}, | ||
}).Do() | ||
|
-newline
refactored code
}, | ||
}).Do() | ||
if restore_default != nil { | ||
|
-newline
refactored code
}).Do() | ||
|
||
} else { | ||
|
-newline
refactored code
} | ||
|
||
if restore_default != nil { | ||
|
-newline
refactored code
RestoreDefault: restore_default, | ||
}, | ||
}).Do() | ||
|
-newline
code refactored
1afcaed
to
739251a
Compare
Hi @emilymye, I updated the PR with some refactored code; on the other hand, it is not showing changes if the example is ok.

[root@localhost dev-org-policy]# terraform apply
Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
google_organization_policy.services_policy: Refreshing state... (ID: 65779779009:serviceuser.services)
No changes. Infrastructure is up-to-date.
This means that Terraform did not detect any differences between your
LGTM, assigning to @danawillow to check tests for orgs
listPolicy, err := expandListOrganizationPolicy(d.Get("list_policy").([]interface{})) | ||
if err != nil { | ||
return err | ||
} | ||
|
||
restore_default, err := expandRestoreOrganizationPolicy(d.Get("restore_policy").([]interface{})) |
nit: please camelCase your variable names
done
|
||
resource "google_folder_organization_policy" "restore" { | ||
folder = "${google_folder.orgpolicy.name}" | ||
constraint = "serviceuser.services" |
nit: some of these lines use tabs, others use spaces
Fixed to use only spaces
@@ -227,6 +248,20 @@ func flattenBooleanOrganizationPolicy(policy *cloudresourcemanager.BooleanPolicy | |||
return bPolicies | |||
} | |||
|
|||
func flattenRestoreOrganizationPolicy(restore_policy *cloudresourcemanager.RestoreDefault) []map[string]interface{} { | |||
bRestore_policy := make([]map[string]interface{}, 0, 1) |
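Review bot: `flattenRestoreOrganizationPolicy` receives a pointer, and the visible lines allocate the result slice before any nil check, so confirm the lines that follow return the empty slice when `restore_policy` is nil. Otherwise a policy that was never restored would read back with a `restore_policy` block and show a diff on the next plan. The parameter and `bRestore_policy` should also use Go's mixedCaps naming rather than underscores.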
I'm not sure what the `b` prefix means here. Maybe just call it `rp` or something simple like that?
changed to rp (prefix doesn't mean anything)
return nil, nil | ||
} | ||
|
||
if len(configured) > 0 { |
This if statement isn't necessary since we already checked above if it's equal to 0
Because there are three scenarios there:
1. When we don't have the restore_policy argument.
2. When we have the restore_policy argument, but the default value is not true.
3. When we have the restore_policy argument and the default value is true.
Right, it could look like this:

    if len(configured) == 0 {
        return nil, nil
    }
    restoreDefaultMap := configured[0].(map[string]interface{})
    default_value := restoreDefaultMap["default"].(bool)
    if default_value {
        return &cloudresourcemanager.RestoreDefault{}, nil
    }
    return nil, fmt.Errorf("Invalid value for restore_policy. Expecting default = true")
yeah, one 'if' is not necessary and looks cleaner, good catch (changed).
Schema: map[string]*schema.Schema{ | ||
"default": { | ||
Type: schema.TypeBool, | ||
Required: true, |
I'm a bit confused about the structure of this. The API requires an empty object, so `default` is just a construct here. What made you decide to go for a nested object with a boolean that has to be set to true, instead of just top-leveling that boolean (i.e. `restore_default = true`)?
Only because the requirements gave me the following structure:

    restore_policy {
        default = true
    }
@morgante, this was your idea I believe. What do you think?
The reason I specified it that way was for equivalence with the other constraint types, which use a nested structure. `boolean_policy`, for example, also only has a single boolean value but is also nested. Does that make sense?
Yeah, it makes sense. It's a little different in this case because the others are mirroring the API exactly as it is, whereas this one is adding a field into an object, even though that field doesn't exist. I do think it's probably less confusing than just requiring an empty object though, and a bit more future proof anyway, so sure. I'm down.
Also as an fyi, if in your commit message you say "fixes #___" then it'll automatically close the issue once the PR is merged :)
8fb6670
to
484d6dd
Compare
return &cloudresourcemanager.RestoreDefault{}, nil | ||
} | ||
|
||
return nil, fmt.Errorf("Invalid value for restore_policy. Expecting default = true") |
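Review bot: the error string on the last line starts with a capital letter and is written as two sentences, which reads badly once a caller wraps it. Go convention is a lowercase message without sentence punctuation, for example `restore_policy: default must be true`.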
Instead of this, what do you think about adding a ValidateFunc to the field? That way, if someone sets the default to false, it would get caught at plan-time instead of apply-time.
Added ValidateFunc
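The plan-time check discussed in this thread, together with the mapping between `restore_policy { default = true }` and the API's empty object, as an added example that is not the PR's code. `RestoreDefault` is a local stand-in for `cloudresourcemanager.RestoreDefault`, and `validateRestoreDefault` is a hypothetical name that follows the provider SDK's `ValidateFunc` signature.

```go
package main

import (
	"errors"
	"fmt"
)

// RestoreDefault stands in for cloudresourcemanager.RestoreDefault (an empty object).
type RestoreDefault struct{}

// validateRestoreDefault (hypothetical name) rejects default = false at plan time.
func validateRestoreDefault(v interface{}, k string) (warns []string, errs []error) {
	b, ok := v.(bool)
	if !ok {
		return nil, []error{fmt.Errorf("%s: expected bool, got %T", k, v)}
	}
	if !b {
		errs = append(errs, fmt.Errorf("%s must be true", k))
	}
	return warns, errs
}

// expand maps the config block to the API object; an absent block sends nothing.
func expandRestoreOrganizationPolicy(configured []interface{}) (*RestoreDefault, error) {
	if len(configured) == 0 {
		return nil, nil
	}
	m, ok := configured[0].(map[string]interface{})
	if !ok {
		return nil, errors.New("restore_policy: empty or malformed block")
	}
	if _, errs := validateRestoreDefault(m["default"], "restore_policy.0.default"); len(errs) > 0 {
		return nil, errs[0]
	}
	return &RestoreDefault{}, nil
}

// flatten is the inverse used on read: a nil API field yields no block in state.
func flattenRestoreOrganizationPolicy(rp *RestoreDefault) []map[string]interface{} {
	if rp == nil {
		return []map[string]interface{}{}
	}
	return []map[string]interface{}{{"default": true}}
}

func main() {
	rp, err := expandRestoreOrganizationPolicy([]interface{}{map[string]interface{}{"default": true}}) // constructed input
	fmt.Println(rp != nil, err, flattenRestoreOrganizationPolicy(rp))
}
```

Because expand and flatten are inverses, a restored policy reads back as the same block that was configured, which is why a second plan reports no changes.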
project = "%s" | ||
constraint = "constraints/serviceuser.services" | ||
|
||
restore_policy { |
nit: this is indented a bit too far
changed
@@ -96,6 +112,10 @@ The `allow` or `deny` blocks support: | |||
|
|||
* `values` - (Optional) The policy can define specific values that are allowed or denied. | |||
|
|||
The `restore_policy` block supports: | |||
|
|||
* `default` - (Required) If true, then the default Policy is restored. If false, then any configuration is acceptable. |
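Review bot: the `default` description says that with false "any configuration is acceptable", but the expand code in this PR returns `Invalid value for restore_policy. Expecting default = true` in that case. State that true is the only accepted value, so the docs match the behaviour users will see.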
Actually, if it's set to false then it throws an error.
changed
listPolicy, err := expandListOrganizationPolicy(d.Get("list_policy").([]interface{})) | ||
if err != nil { | ||
return err | ||
} | ||
|
||
restore_default, err := expandRestoreOrganizationPolicy(d.Get("restore_policy").([]interface{})) |
nit: This should be camelcase
changed
} | ||
|
||
restoreDefaultMap := configured[0].(map[string]interface{}) | ||
default_value := restoreDefaultMap["default"].(bool) |
nit: camelcase
changed
@@ -227,6 +248,20 @@ func flattenBooleanOrganizationPolicy(policy *cloudresourcemanager.BooleanPolicy | |||
return bPolicies | |||
} | |||
|
|||
func flattenRestoreOrganizationPolicy(restore_policy *cloudresourcemanager.RestoreDefault) []map[string]interface{} { |
nit: camelcase
changed
@@ -249,7 +283,7 @@ resource "google_folder" "orgpolicy" { | |||
} | |||
|
|||
resource "google_folder_organization_policy" "bool" { | |||
# Test numeric folder ID. | |||
# Test numeric folder ID. |
nit: can you revert the extra indents here?
done
b9f3b97
to
deeaac5
Compare
Thanks @ortaman! Looks good!
…1477) * Added support for restoring default organization policies * Added support for restoring default folder/project organization policies * Refactored code * Fixes hashicorp#1239 * Clarify docs * Clarify docs * Clarify docs
To the enhancement: #1239