diff --git a/modules/folder/organization-policies.tf b/modules/folder/organization-policies.tf index 999d1c58..47532f21 100644 --- a/modules/folder/organization-policies.tf +++ b/modules/folder/organization-policies.tf @@ -95,23 +95,6 @@ resource "google_org_policy_policy" "default" { inherit_from_parent = each.value.inherit_from_parent reset = each.value.reset - rules { - allow_all = try(each.value.allow.all, null) == true ? "TRUE" : null - deny_all = try(each.value.deny.all, null) == true ? "TRUE" : null - enforce = ( - each.value.is_boolean_policy && each.value.enforce != null - ? upper(tostring(each.value.enforce)) - : null - ) - dynamic "values" { - for_each = each.value.has_values ? [1] : [] - content { - allowed_values = try(each.value.allow.values, null) - denied_values = try(each.value.deny.values, null) - } - } - } - dynamic "rules" { for_each = each.value.rules iterator = rule @@ -138,5 +121,22 @@ resource "google_org_policy_policy" "default" { } } } + + rules { + allow_all = try(each.value.allow.all, null) == true ? "TRUE" : null + deny_all = try(each.value.deny.all, null) == true ? "TRUE" : null + enforce = ( + each.value.is_boolean_policy && each.value.enforce != null + ? upper(tostring(each.value.enforce)) + : null + ) + dynamic "values" { + for_each = each.value.has_values ? [1] : [] + content { + allowed_values = try(each.value.allow.values, null) + denied_values = try(each.value.deny.values, null) + } + } + } } } diff --git a/modules/organization/organization-policies.tf b/modules/organization/organization-policies.tf index 62d46455..1a99ef9a 100644 --- a/modules/organization/organization-policies.tf +++ b/modules/organization/organization-policies.tf 
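Review bot: The static `rules` block that the second hunk of modules/folder/organization-policies.tf re-adds after `dynamic "rules"` carries no comment saying its position is deliberate, so a later clean-up could move it back above the conditional rules without anyone noticing. Since the test inventories in this commit pin the unconditional rule as the last list entry, the order presumably matters to the provider or the API; that reason should be stated next to the block, for example `# unconditional rule: must stay after the conditional rules built from each.value.rules`. The same block is moved identically in modules/organization/organization-policies.tf and modules/project/organization-policies.tf, so the comment belongs in all three places. The enclosing `google_org_policy_policy.default` resource starts outside the hunks, so how `each.value` is built was not reviewed.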
@@ -95,23 +95,6 @@ resource "google_org_policy_policy" "default" { inherit_from_parent = each.value.inherit_from_parent reset = each.value.reset - rules { - allow_all = try(each.value.allow.all, null) == true ? "TRUE" : null - deny_all = try(each.value.deny.all, null) == true ? "TRUE" : null - enforce = ( - each.value.is_boolean_policy && each.value.enforce != null - ? upper(tostring(each.value.enforce)) - : null - ) - dynamic "values" { - for_each = each.value.has_values ? [1] : [] - content { - allowed_values = try(each.value.allow.values, null) - denied_values = try(each.value.deny.values, null) - } - } - } - dynamic "rules" { for_each = each.value.rules iterator = rule @@ -138,6 +121,23 @@ resource "google_org_policy_policy" "default" { } } } + + rules { + allow_all = try(each.value.allow.all, null) == true ? "TRUE" : null + deny_all = try(each.value.deny.all, null) == true ? "TRUE" : null + enforce = ( + each.value.is_boolean_policy && each.value.enforce != null + ? upper(tostring(each.value.enforce)) + : null + ) + dynamic "values" { + for_each = each.value.has_values ? [1] : [] + content { + allowed_values = try(each.value.allow.values, null) + denied_values = try(each.value.deny.values, null) + } + } + } } depends_on = [ diff --git a/modules/project/organization-policies.tf b/modules/project/organization-policies.tf index 7763aff4..4ff5bb99 100644 --- a/modules/project/organization-policies.tf +++ b/modules/project/organization-policies.tf 
@@ -95,23 +95,6 @@ resource "google_org_policy_policy" "default" { inherit_from_parent = each.value.inherit_from_parent reset = each.value.reset - rules { - allow_all = try(each.value.allow.all, null) == true ? "TRUE" : null - deny_all = try(each.value.deny.all, null) == true ? "TRUE" : null - enforce = ( - each.value.is_boolean_policy && each.value.enforce != null - ? upper(tostring(each.value.enforce)) - : null - ) - dynamic "values" { - for_each = each.value.has_values ? [1] : [] - content { - allowed_values = try(each.value.allow.values, null) - denied_values = try(each.value.deny.values, null) - } - } - } - dynamic "rules" { for_each = each.value.rules iterator = rule @@ -138,5 +121,22 @@ resource "google_org_policy_policy" "default" { } } } + + rules { + allow_all = try(each.value.allow.all, null) == true ? "TRUE" : null + deny_all = try(each.value.deny.all, null) == true ? "TRUE" : null + enforce = ( + each.value.is_boolean_policy && each.value.enforce != null + ? upper(tostring(each.value.enforce)) + : null + ) + dynamic "values" { + for_each = each.value.has_values ? [1] : [] + content { + allowed_values = try(each.value.allow.values, null) + denied_values = try(each.value.deny.values, null) + } + } + } } } diff --git a/tests/modules/organization/org_policies_boolean.yaml b/tests/modules/organization/org_policies_boolean.yaml index 310997a4..00f98b06 100644 --- a/tests/modules/organization/org_policies_boolean.yaml +++ b/tests/modules/organization/org_policies_boolean.yaml @@ -33,11 +33,6 @@ values: - inherit_from_parent: null reset: null rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'FALSE' - values: [] - allow_all: null condition: - description: test condition @@ -47,6 +42,11 @@ values: deny_all: null enforce: 'TRUE' values: [] + - allow_all: null + condition: [] + deny_all: null + enforce: 'FALSE' + values: [] timeouts: null counts: 
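Review bot: The updated inventories cover only tests/modules/organization and tests/modules/project, while modules/folder/organization-policies.tf receives the same reordering and no fixture under tests/modules/folder is touched in the visible diff. If folder tests exist and do not pin the `rules` list, a regression in rule order for folder-level policies would go undetected. Consider adding a folder inventory that asserts the rule with `condition: []` comes last, mirroring the entries in org_policies_boolean.yaml. This may already be covered outside the visible diff.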
diff --git a/tests/modules/organization/org_policies_list.yaml b/tests/modules/organization/org_policies_list.yaml index 39c3a389..393eadde 100644 --- a/tests/modules/organization/org_policies_list.yaml +++ b/tests/modules/organization/org_policies_list.yaml @@ -20,14 +20,6 @@ values: - inherit_from_parent: null reset: null rules: - - allow_all: null - condition: [] - deny_all: null - enforce: null - values: - - allowed_values: null - denied_values: - - in:EXTERNAL - allow_all: null condition: - description: test condition @@ -49,6 +41,14 @@ values: deny_all: null enforce: null values: [] + - allow_all: null + condition: [] + deny_all: null + enforce: null + values: + - allowed_values: null + denied_values: + - in:EXTERNAL timeouts: null google_org_policy_policy.default["compute.vmExternalIpAccess"]: name: organizations/1234567890/policies/compute.vmExternalIpAccess diff --git a/tests/modules/project/examples/org-policies.yaml b/tests/modules/project/examples/org-policies.yaml index 38e0ba9b..8841dede 100644 --- a/tests/modules/project/examples/org-policies.yaml +++ b/tests/modules/project/examples/org-policies.yaml @@ -99,11 +99,6 @@ values: - inherit_from_parent: null reset: null rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'FALSE' - values: [] - allow_all: null condition: - description: test condition @@ -113,6 +108,11 @@ values: deny_all: null enforce: 'TRUE' values: [] + - allow_all: null + condition: [] + deny_all: null + enforce: 'FALSE' + values: [] module.project.google_project.project[0]: billing_account: 123456-123456-123456 folder_id: '1234567890' diff --git a/tests/modules/project/org_policies_boolean.yaml b/tests/modules/project/org_policies_boolean.yaml index 44cba34d..4f23958f 100644 --- a/tests/modules/project/org_policies_boolean.yaml +++ b/tests/modules/project/org_policies_boolean.yaml 
@@ -33,11 +33,6 @@ values: - inherit_from_parent: null reset: null rules: - - allow_all: null - condition: [] - deny_all: null - enforce: 'FALSE' - values: [] - allow_all: null condition: - description: test condition @@ -47,6 +42,11 @@ values: deny_all: null enforce: 'TRUE' values: [] + - allow_all: null + condition: [] + deny_all: null + enforce: 'FALSE' + values: [] timeouts: null counts: diff --git a/tests/modules/project/org_policies_list.yaml b/tests/modules/project/org_policies_list.yaml index ab556a10..2f1c64e0 100644 --- a/tests/modules/project/org_policies_list.yaml +++ b/tests/modules/project/org_policies_list.yaml @@ -20,14 +20,6 @@ values: - inherit_from_parent: null reset: null rules: - - allow_all: null - condition: [] - deny_all: null - enforce: null - values: - - allowed_values: null - denied_values: - - in:EXTERNAL - allow_all: null condition: - description: test condition @@ -49,6 +41,14 @@ values: deny_all: null enforce: null values: [] + - allow_all: null + condition: [] + deny_all: null + enforce: null + values: + - allowed_values: null + denied_values: + - in:EXTERNAL timeouts: null google_org_policy_policy.default["compute.vmExternalIpAccess"]: name: projects/my-project/policies/compute.vmExternalIpAccess