Add support for org policies at the organization level #523
Conversation
TF_ACC=1 go test ./google -v -run TestAccGoogleOrganizationPolicy_ -timeout 120m
=== RUN TestAccGoogleOrganizationPolicy_import
--- PASS: TestAccGoogleOrganizationPolicy_import (2.38s)
=== RUN TestAccGoogleOrganizationPolicy_boolean_enforced
--- PASS: TestAccGoogleOrganizationPolicy_boolean_enforced (1.70s)
=== RUN TestAccGoogleOrganizationPolicy_boolean_notEnforced
--- PASS: TestAccGoogleOrganizationPolicy_boolean_notEnforced (1.80s)
=== RUN TestAccGoogleOrganizationPolicy_boolean_update
--- PASS: TestAccGoogleOrganizationPolicy_boolean_update (4.30s)
=== RUN TestAccGoogleOrganizationPolicy_list_allowAll
--- PASS: TestAccGoogleOrganizationPolicy_list_allowAll (2.20s)
=== RUN TestAccGoogleOrganizationPolicy_list_allowSome
--- PASS: TestAccGoogleOrganizationPolicy_list_allowSome (1.80s)
=== RUN TestAccGoogleOrganizationPolicy_list_denyAll
--- PASS: TestAccGoogleOrganizationPolicy_list_denyAll (1.80s)
=== RUN TestAccGoogleOrganizationPolicy_list_denySome
--- PASS: TestAccGoogleOrganizationPolicy_list_denySome (1.90s)
=== RUN TestAccGoogleOrganizationPolicy_list_update
--- PASS: TestAccGoogleOrganizationPolicy_list_update (4.84s)
PASS
TF_ACC=1 go test ./google -v -run TestAccGoogleFolder_rename -timeout 120m
=== RUN TestAccGoogleFolder_rename
--- PASS: TestAccGoogleFolder_rename (16.88s)
PASS |
|
I wrote the preliminary documentation but wanted to first get an agreement on the schema structure before spending more time finishing it. Specifically for List Policy. There is many ways we could structure the schema. The API structure is not user-friendly so I would rather not follow it. Option A (the one I implemented) ... nested
list_policy {
allow {
values = [
"cloudresourcemanager.googleapis.com",
"compute.googleapis.com",
]
}
}
list_policy {
deny {
all = true
}
}
...Option B ... nested
list_policy {
allow_values = [
"cloudresourcemanager.googleapis.com",
"compute.googleapis.com",
]
}
}
list_policy {
deny_all = true
}
... |
| }) | ||
| } | ||
|
|
||
| func TestAccGoogleOrganizationPolicy_list_allowSome(t *testing.T) { |
There was a problem hiding this comment.
This test and the deny tests could have side effects with other tests running in parallel.
We have different options:
- Run this test serially (can we annotate a test to force the test runner to run it serially?)
- Find harmless constraint. For instance, allowing all services won't cause side effect both denying all potentially could.
- Don't run on the CI server. Only run locally.
I will try 2) but I am not convinced I can find harmless cases for the 4 different cases (allow some, allow all, deny some, deny all)
There was a problem hiding this comment.
I have been able to do 2). However, I haven't found a way to test the denyAll without side-effects but knowing the implementation, if the allowAll works, it is very likely that the denyAll works also, it is not ideal but good enough.
Also, the same methods (expandListOrganizationPolicy and flattenListOrganizationPolicy) will be used for org policies on folders. Since I can create a new folder easily, I will be able to test the denyAll case without side effects on other tests running in parallel.
| MaxItems: 1, | ||
| Elem: &schema.Resource{ | ||
| Schema: map[string]*schema.Schema{ | ||
| "all": { |
There was a problem hiding this comment.
can you have this conflict with values? (should be possible with list_policy.0.allow.0.values)
There was a problem hiding this comment.
Right, I thought ConflictsWith didn't work with list but when there is only one item in the list, it does. I will fix this.
| deny := listPolicyMap["deny"].([]interface{}) | ||
|
|
||
| if len(allow) > 0 && len(deny) > 0 { | ||
| return nil, fmt.Errorf("You cannot specified an `allow` and a `deny` block") |
| allow := listPolicyMap["allow"].([]interface{}) | ||
| deny := listPolicyMap["deny"].([]interface{}) | ||
|
|
||
| if len(allow) > 0 && len(deny) > 0 { |
There was a problem hiding this comment.
can we do this check with conflictswith?
| }, nil | ||
| } | ||
|
|
||
| func canonicalOrgPolicyConstraint(constraint string) string { |
There was a problem hiding this comment.
if we allow people to set a non-canonical version, wouldn't that lead to diffs next plan once the constraint comes back from the api with a canonical version? Should be an easy enough fix with a diffsuppress
There was a problem hiding this comment.
There is already a DiffSuppress func set in the schema.
| Constraint: constraint, | ||
| }).Do() | ||
|
|
||
| if err != nil { |
There was a problem hiding this comment.
wait, shouldn't this be the opposite? I'd expect a nil error to mean it exists.
There was a problem hiding this comment.
Good catch. I fixed it. It basically always returns an org policy. If it has been cleared, both the boolean and list policy field are nil.
|
|
||
| * `version` - (Optional) Version of the Policy. Default version is 0. | ||
|
|
||
| TODO(rosbo): Add boolean and list policy block once I get agreement on the schema format. |
* Fetch latest resource manager client * Add new resource to manage Org Policy at the organization level. * Update documentation
* Fetch latest resource manager client * Add new resource to manage Org Policy at the organization level. * Update documentation
* Fetch latest resource manager client * Add new resource to manage Org Policy at the organization level. * Update documentation
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks! |
ghost
locked and limited conversation to collaborators
Fixes #507
cc/ @ubschmidt2