Update folders module to Terraform 0.13
With this commit the folders module (now called simply 'folder') only creates a single google_folder resource. Support for creating multiple folders is no longer needed since Terraform 0.13 added for_each support to modules.
This commit is contained in:
parent
7ab87d0790
commit
2e7876b4c7
|
@ -85,17 +85,14 @@ module "tf-gcs-environments" {
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
module "environment-folders" {
|
module "environment-folders" {
|
||||||
source = "../../modules/folders"
|
source = "../../modules/folder"
|
||||||
parent = var.root_node
|
for_each = var.environments
|
||||||
names = var.environments
|
parent = var.root_node
|
||||||
iam_roles = {
|
name = each.value
|
||||||
for name in var.environments : (name) => local.folder_roles
|
iam_roles = local.folder_roles
|
||||||
}
|
|
||||||
iam_members = {
|
iam_members = {
|
||||||
for name in var.environments : (name) => {
|
for role in local.folder_roles :
|
||||||
for role in local.folder_roles :
|
(role) => [module.tf-service-accounts.iam_emails[each.value]]
|
||||||
(role) => [module.tf-service-accounts.iam_emails[name]]
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -24,7 +24,7 @@ output "bootstrap_tf_gcs_bucket" {
|
||||||
|
|
||||||
output "environment_folders" {
|
output "environment_folders" {
|
||||||
description = "Top-level environment folders."
|
description = "Top-level environment folders."
|
||||||
value = module.environment-folders.ids
|
value = { for folder in module.environment-folders : folder.name => folder.id }
|
||||||
}
|
}
|
||||||
|
|
||||||
output "environment_tf_gcs_buckets" {
|
output "environment_tf_gcs_buckets" {
|
||||||
|
|
|
@ -29,7 +29,7 @@ variable "billing_account_id" {
|
||||||
|
|
||||||
variable "environments" {
|
variable "environments" {
|
||||||
description = "Environment short names."
|
description = "Environment short names."
|
||||||
type = list(string)
|
type = set(string)
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "gcs_location" {
|
variable "gcs_location" {
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
# Google Cloud Folder Module
|
# Google Cloud Folder Module
|
||||||
|
|
||||||
This module allow creation and management of sets of folders sharing a common parent, and their individual IAM bindings. It also allows setting a common set of organization policies on all folders.
|
This module allows the creation and management of folders together with their individual IAM bindings and organization policies.
|
||||||
|
|
||||||
## Examples
|
## Examples
|
||||||
|
|
||||||
|
@ -8,17 +8,13 @@ This module allow creation and management of sets of folders sharing a common pa
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
module "folder" {
|
module "folder" {
|
||||||
source = "./modules/folders"
|
source = "./modules/folder"
|
||||||
parent = "organizations/1234567890"
|
parent = "organizations/1234567890"
|
||||||
names = ["Folder one", "Folder two"]
|
name = "Folder name"
|
||||||
iam_members = {
|
iam_members = {
|
||||||
"Folder one" = {
|
"roles/owner" = ["group:users@example.com"]
|
||||||
"roles/owner" = ["group:users@example.com"]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
iam_roles = {
|
|
||||||
"Folder one" = ["roles/owner"]
|
|
||||||
}
|
}
|
||||||
|
iam_roles = ["roles/owner"]
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -26,9 +22,9 @@ module "folder" {
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
module "folder" {
|
module "folder" {
|
||||||
source = "./modules/folders"
|
source = "./modules/folder"
|
||||||
parent = "organizations/1234567890"
|
parent = "organizations/1234567890"
|
||||||
names = ["Folder one", "Folder two"]
|
name = "Folder name"
|
||||||
policy_boolean = {
|
policy_boolean = {
|
||||||
"constraints/compute.disableGuestAttributesAccess" = true
|
"constraints/compute.disableGuestAttributesAccess" = true
|
||||||
"constraints/compute.skipDefaultNetworkCreation" = true
|
"constraints/compute.skipDefaultNetworkCreation" = true
|
||||||
|
@ -49,10 +45,10 @@ module "folder" {
|
||||||
|
|
||||||
| name | description | type | required | default |
|
| name | description | type | required | default |
|
||||||
|---|---|:---: |:---:|:---:|
|
|---|---|:---: |:---:|:---:|
|
||||||
| parent | Parent in folders/folder_id or organizations/org_id format. | <code title="">string</code> | ✓ | |
|
| name | Folder name. | <code title="">string</code> | ✓ | |
|
||||||
| *iam_members* | List of IAM members keyed by folder name and role. | <code title="map(map(list(string)))">map(map(list(string)))</code> | | <code title="">null</code> |
|
| parent | Parent in folders/folder_id or organizations/org_id format. | <code title="string validation { condition = can(regex("(organizations|folders)/[0-9]+", var.parent)) error_message = "Parent must be of the form folders/folder_id or organizations/organization_id." }">string</code> | ✓ | |
|
||||||
| *iam_roles* | List of IAM roles keyed by folder name. | <code title="map(list(string))">map(list(string))</code> | | <code title="">null</code> |
|
| *iam_members* | List of IAM members keyed by role. | <code title="map(set(string))">map(set(string))</code> | | <code title="">null</code> |
|
||||||
| *names* | Folder names. | <code title="list(string)">list(string)</code> | | <code title="">[]</code> |
|
| *iam_roles* | List of IAM roles. | <code title="set(string)">set(string)</code> | | <code title="">null</code> |
|
||||||
| *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code title="map(bool)">map(bool)</code> | | <code title="">{}</code> |
|
| *policy_boolean* | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code title="map(bool)">map(bool)</code> | | <code title="">{}</code> |
|
||||||
| *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map(object({ inherit_from_parent = bool suggested_value = string status = bool values = list(string) }))">map(object({...}))</code> | | <code title="">{}</code> |
|
| *policy_list* | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map(object({ inherit_from_parent = bool suggested_value = string status = bool values = list(string) }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||||
|
|
||||||
|
@ -60,12 +56,7 @@ module "folder" {
|
||||||
|
|
||||||
| name | description | sensitive |
|
| name | description | sensitive |
|
||||||
|---|---|:---:|
|
|---|---|:---:|
|
||||||
| folder | Folder resource (for single use). | |
|
| folder | Folder resource. | |
|
||||||
| folders | Folder resources. | |
|
| id | Folder id. | |
|
||||||
| id | Folder id (for single use). | |
|
| name | Folder name. | |
|
||||||
| ids | Folder ids. | |
|
|
||||||
| ids_list | List of folder ids. | |
|
|
||||||
| name | Folder name (for single use). | |
|
|
||||||
| names | Folder names. | |
|
|
||||||
| names_list | List of folder names. | |
|
|
||||||
<!-- END TFDOC -->
|
<!-- END TFDOC -->
|
|
@ -1,5 +1,5 @@
|
||||||
/**
|
/**
|
||||||
* Copyright 2018 Google LLC
|
* Copyright 2020 Google LLC
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
|
@ -14,63 +14,26 @@
|
||||||
* limitations under the License.
|
* limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
locals {
|
|
||||||
folders = (
|
|
||||||
local.has_folders
|
|
||||||
? [for name in var.names : google_folder.folders[name]]
|
|
||||||
: []
|
|
||||||
)
|
|
||||||
# needed when destroying
|
|
||||||
has_folders = length(google_folder.folders) > 0
|
|
||||||
iam_pairs = var.iam_roles == null ? [] : flatten([
|
|
||||||
for name, roles in var.iam_roles :
|
|
||||||
[for role in roles : { name = name, role = role }]
|
|
||||||
])
|
|
||||||
iam_keypairs = {
|
|
||||||
for pair in local.iam_pairs :
|
|
||||||
"${pair.name}-${pair.role}" => pair
|
|
||||||
}
|
|
||||||
iam_members = var.iam_members == null ? {} : var.iam_members
|
|
||||||
policy_boolean_pairs = {
|
|
||||||
for pair in setproduct(var.names, keys(var.policy_boolean)) :
|
|
||||||
"${pair.0}-${pair.1}" => {
|
|
||||||
folder = pair.0,
|
|
||||||
policy = pair.1,
|
|
||||||
policy_data = var.policy_boolean[pair.1]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
policy_list_pairs = {
|
|
||||||
for pair in setproduct(var.names, keys(var.policy_list)) :
|
|
||||||
"${pair.0}-${pair.1}" => {
|
|
||||||
folder = pair.0,
|
|
||||||
policy = pair.1,
|
|
||||||
policy_data = var.policy_list[pair.1]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "google_folder" "folders" {
|
resource "google_folder" "folder" {
|
||||||
for_each = toset(var.names)
|
display_name = var.name
|
||||||
display_name = each.value
|
|
||||||
parent = var.parent
|
parent = var.parent
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_folder_iam_binding" "authoritative" {
|
resource "google_folder_iam_binding" "authoritative" {
|
||||||
for_each = local.iam_keypairs
|
for_each = var.iam_roles
|
||||||
folder = google_folder.folders[each.value.name].name
|
folder = google_folder.folder.name
|
||||||
role = each.value.role
|
role = each.key
|
||||||
members = lookup(
|
members = lookup(var.iam_members, each.key, [])
|
||||||
lookup(local.iam_members, each.value.name, {}), each.value.role, []
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_folder_organization_policy" "boolean" {
|
resource "google_folder_organization_policy" "boolean" {
|
||||||
for_each = local.policy_boolean_pairs
|
for_each = var.policy_boolean
|
||||||
folder = google_folder.folders[each.value.folder].id
|
folder = google_folder.folder.name
|
||||||
constraint = each.value.policy
|
constraint = each.key
|
||||||
|
|
||||||
dynamic boolean_policy {
|
dynamic boolean_policy {
|
||||||
for_each = each.value.policy_data == null ? [] : [each.value.policy_data]
|
for_each = each.value == null ? [] : [each.value]
|
||||||
iterator = policy
|
iterator = policy
|
||||||
content {
|
content {
|
||||||
enforced = policy.value
|
enforced = policy.value
|
||||||
|
@ -78,7 +41,7 @@ resource "google_folder_organization_policy" "boolean" {
|
||||||
}
|
}
|
||||||
|
|
||||||
dynamic restore_policy {
|
dynamic restore_policy {
|
||||||
for_each = each.value.policy_data == null ? [""] : []
|
for_each = each.value == null ? [""] : []
|
||||||
content {
|
content {
|
||||||
default = true
|
default = true
|
||||||
}
|
}
|
||||||
|
@ -86,12 +49,12 @@ resource "google_folder_organization_policy" "boolean" {
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_folder_organization_policy" "list" {
|
resource "google_folder_organization_policy" "list" {
|
||||||
for_each = local.policy_list_pairs
|
for_each = var.policy_list
|
||||||
folder = google_folder.folders[each.value.folder].id
|
folder = google_folder.folder.name
|
||||||
constraint = each.value.policy
|
constraint = each.key
|
||||||
|
|
||||||
dynamic list_policy {
|
dynamic list_policy {
|
||||||
for_each = each.value.policy_data.status == null ? [] : [each.value.policy_data]
|
for_each = each.value.status == null ? [] : [each.value]
|
||||||
iterator = policy
|
iterator = policy
|
||||||
content {
|
content {
|
||||||
inherit_from_parent = policy.value.inherit_from_parent
|
inherit_from_parent = policy.value.inherit_from_parent
|
||||||
|
@ -130,7 +93,7 @@ resource "google_folder_organization_policy" "list" {
|
||||||
}
|
}
|
||||||
|
|
||||||
dynamic restore_policy {
|
dynamic restore_policy {
|
||||||
for_each = each.value.policy_data.status == null ? [true] : []
|
for_each = each.value.status == null ? [true] : []
|
||||||
content {
|
content {
|
||||||
default = true
|
default = true
|
||||||
}
|
}
|
|
@ -0,0 +1,35 @@
|
||||||
|
/**
|
||||||
|
* Copyright 2020 Google LLC
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
output "folder" {
|
||||||
|
description = "Folder resource."
|
||||||
|
value = google_folder.folder
|
||||||
|
}
|
||||||
|
|
||||||
|
output "id" {
|
||||||
|
description = "Folder id."
|
||||||
|
value = google_folder.folder.name
|
||||||
|
depends_on = [
|
||||||
|
google_folder_iam_binding.authoritative,
|
||||||
|
google_folder_organization_policy.boolean,
|
||||||
|
google_folder_organization_policy.list
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
|
output "name" {
|
||||||
|
description = "Folder name."
|
||||||
|
value = google_folder.folder.display_name
|
||||||
|
}
|
|
@ -1,5 +1,5 @@
|
||||||
/**
|
/**
|
||||||
* Copyright 2018 Google LLC
|
* Copyright 2020 Google LLC
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
|
@ -15,26 +15,29 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
variable "iam_members" {
|
variable "iam_members" {
|
||||||
description = "List of IAM members keyed by folder name and role."
|
description = "List of IAM members keyed by role."
|
||||||
type = map(map(list(string)))
|
type = map(set(string))
|
||||||
default = null
|
default = null
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "iam_roles" {
|
variable "iam_roles" {
|
||||||
description = "List of IAM roles keyed by folder name."
|
description = "List of IAM roles."
|
||||||
type = map(list(string))
|
type = set(string)
|
||||||
default = null
|
default = null
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "names" {
|
variable "name" {
|
||||||
description = "Folder names."
|
description = "Folder name."
|
||||||
type = list(string)
|
type = string
|
||||||
default = []
|
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "parent" {
|
variable "parent" {
|
||||||
description = "Parent in folders/folder_id or organizations/org_id format."
|
description = "Parent in folders/folder_id or organizations/org_id format."
|
||||||
type = string
|
type = string
|
||||||
|
validation {
|
||||||
|
condition = can(regex("(organizations|folders)/[0-9]+", var.parent))
|
||||||
|
error_message = "Parent must be of the form folders/folder_id or organizations/organization_id."
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "policy_boolean" {
|
variable "policy_boolean" {
|
|
@ -15,5 +15,5 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
terraform {
|
terraform {
|
||||||
required_version = ">= 0.12.6"
|
required_version = ">= 0.13.0"
|
||||||
}
|
}
|
|
@ -1,78 +0,0 @@
|
||||||
/**
|
|
||||||
* Copyright 2018 Google LLC
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
* you may not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
output "folder" {
|
|
||||||
description = "Folder resource (for single use)."
|
|
||||||
value = local.has_folders ? local.folders[0] : null
|
|
||||||
}
|
|
||||||
|
|
||||||
output "id" {
|
|
||||||
description = "Folder id (for single use)."
|
|
||||||
value = local.has_folders ? local.folders[0].name : null
|
|
||||||
depends_on = [
|
|
||||||
google_folder_iam_binding.authoritative,
|
|
||||||
google_folder_organization_policy.boolean,
|
|
||||||
google_folder_organization_policy.list
|
|
||||||
]
|
|
||||||
}
|
|
||||||
|
|
||||||
output "name" {
|
|
||||||
description = "Folder name (for single use)."
|
|
||||||
value = local.has_folders ? local.folders[0].display_name : null
|
|
||||||
}
|
|
||||||
|
|
||||||
output "folders" {
|
|
||||||
description = "Folder resources."
|
|
||||||
value = local.folders
|
|
||||||
}
|
|
||||||
|
|
||||||
output "ids" {
|
|
||||||
description = "Folder ids."
|
|
||||||
value = (
|
|
||||||
local.has_folders
|
|
||||||
? zipmap(var.names, [for f in local.folders : f.name])
|
|
||||||
: {}
|
|
||||||
)
|
|
||||||
depends_on = [
|
|
||||||
google_folder_iam_binding.authoritative,
|
|
||||||
google_folder_organization_policy.boolean,
|
|
||||||
google_folder_organization_policy.list
|
|
||||||
]
|
|
||||||
}
|
|
||||||
|
|
||||||
output "names" {
|
|
||||||
description = "Folder names."
|
|
||||||
value = (
|
|
||||||
local.has_folders
|
|
||||||
? zipmap(var.names, [for f in local.folders : f.display_name])
|
|
||||||
: {}
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
output "ids_list" {
|
|
||||||
description = "List of folder ids."
|
|
||||||
value = [for f in local.folders : f.name]
|
|
||||||
depends_on = [
|
|
||||||
google_folder_iam_binding.authoritative,
|
|
||||||
google_folder_organization_policy.boolean,
|
|
||||||
google_folder_organization_policy.list
|
|
||||||
]
|
|
||||||
}
|
|
||||||
|
|
||||||
output "names_list" {
|
|
||||||
description = "List of folder names."
|
|
||||||
value = [for f in local.folders : f.display_name]
|
|
||||||
}
|
|
|
@ -23,16 +23,16 @@ FIXTURES_DIR = os.path.join(os.path.dirname(__file__), 'fixture')
|
||||||
def test_folder_roles(plan_runner):
|
def test_folder_roles(plan_runner):
|
||||||
"Test folder roles."
|
"Test folder roles."
|
||||||
_, modules = plan_runner(FIXTURES_DIR, is_module=False)
|
_, modules = plan_runner(FIXTURES_DIR, is_module=False)
|
||||||
resources = modules['module.test.module.environment-folders']
|
for env in ["test", "prod"]:
|
||||||
folders = [r for r in resources if r['type'] == 'google_folder']
|
resources = modules[f'module.test.module.environment-folders["{env}"]']
|
||||||
assert len(folders) == 2
|
folders = [r for r in resources if r['type'] == 'google_folder']
|
||||||
assert set(r['values']['display_name']
|
assert len(folders) == 1
|
||||||
for r in folders) == set(['prod', 'test'])
|
folder = folders[0]
|
||||||
bindings = [r['index'].split('-')
|
assert folder['values']['display_name'] == env
|
||||||
for r in resources if r['type'] == 'google_folder_iam_binding']
|
|
||||||
assert len(bindings) == 10
|
bindings = [r['index']
|
||||||
assert set(b[0] for b in bindings) == set(['prod', 'test'])
|
for r in resources if r['type'] == 'google_folder_iam_binding']
|
||||||
assert len(set(b[1] for b in bindings)) == 5
|
assert len(bindings) == 5
|
||||||
|
|
||||||
|
|
||||||
def test_org_roles(plan_runner):
|
def test_org_roles(plan_runner):
|
||||||
|
@ -42,12 +42,13 @@ def test_org_roles(plan_runner):
|
||||||
'iam_xpn_config': '{grant = true, target_org = true}'
|
'iam_xpn_config': '{grant = true, target_org = true}'
|
||||||
}
|
}
|
||||||
_, modules = plan_runner(FIXTURES_DIR, is_module=False, **vars)
|
_, modules = plan_runner(FIXTURES_DIR, is_module=False, **vars)
|
||||||
resources = modules['module.test.module.environment-folders']
|
resources = (modules['module.test.module.environment-folders["test"]'] +
|
||||||
folder_bindings = [r['index'].split('-')
|
modules['module.test.module.environment-folders["prod"]'])
|
||||||
|
folder_bindings = [r['index']
|
||||||
for r in resources if r['type'] == 'google_folder_iam_binding']
|
for r in resources if r['type'] == 'google_folder_iam_binding']
|
||||||
assert len(folder_bindings) == 8
|
assert len(folder_bindings) == 8
|
||||||
resources = modules['module.test.module.tf-service-accounts']
|
resources = modules['module.test.module.tf-service-accounts']
|
||||||
org_bindings = [r['index'].split('-')
|
org_bindings = [r['index'].split('-')
|
||||||
for r in resources if r['type'] == 'google_organization_iam_member']
|
for r in resources if r['type'] == 'google_organization_iam_member']
|
||||||
assert len(org_bindings) == 4
|
assert len(org_bindings) == 4
|
||||||
assert set(b[0] for b in org_bindings) == set(['prod', 'test'])
|
assert {b[0] for b in org_bindings} == {'prod', 'test'}
|
||||||
|
|
|
@ -15,9 +15,9 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
module "test" {
|
module "test" {
|
||||||
source = "../../../../modules/folders"
|
source = "../../../../modules/folder"
|
||||||
parent = "organizations/12345678"
|
parent = "organizations/12345678"
|
||||||
names = ["folder-a", "folder-b"]
|
name = "folder-a"
|
||||||
iam_members = var.iam_members
|
iam_members = var.iam_members
|
||||||
iam_roles = var.iam_roles
|
iam_roles = var.iam_roles
|
||||||
policy_boolean = var.policy_boolean
|
policy_boolean = var.policy_boolean
|
||||||
|
|
|
@ -15,13 +15,13 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
variable "iam_members" {
|
variable "iam_members" {
|
||||||
type = map(map(list(string)))
|
type = map(list(string))
|
||||||
default = null
|
default = {}
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "iam_roles" {
|
variable "iam_roles" {
|
||||||
type = map(list(string))
|
type = list(string)
|
||||||
default = null
|
default = []
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "policy_boolean" {
|
variable "policy_boolean" {
|
||||||
|
|
|
@ -23,27 +23,48 @@ FIXTURES_DIR = os.path.join(os.path.dirname(__file__), 'fixture')
|
||||||
def test_folder(plan_runner):
|
def test_folder(plan_runner):
|
||||||
"Test folder resources."
|
"Test folder resources."
|
||||||
_, resources = plan_runner(FIXTURES_DIR)
|
_, resources = plan_runner(FIXTURES_DIR)
|
||||||
assert len(resources) == 2
|
assert len(resources) == 1
|
||||||
assert set(r['type'] for r in resources) == set(['google_folder'])
|
resource = resources[0]
|
||||||
assert set(r['values']['display_name'] for r in resources) == set([
|
assert resource['type'] == 'google_folder'
|
||||||
'folder-a', 'folder-b'
|
assert resource['values']['display_name'] == 'folder-a'
|
||||||
])
|
assert resource['values']['parent'] == 'organizations/12345678'
|
||||||
assert set(r['values']['parent'] for r in resources) == set([
|
|
||||||
'organizations/12345678'
|
|
||||||
])
|
|
||||||
|
|
||||||
|
|
||||||
def test_iam_roles_only(plan_runner):
|
def test_iam_roles_only(plan_runner):
|
||||||
"Test folder resources with only iam roles passed."
|
"Test folder resources with only iam roles passed."
|
||||||
_, resources = plan_runner(
|
_, resources = plan_runner(FIXTURES_DIR,
|
||||||
FIXTURES_DIR, iam_roles='{folder-a = [ "roles/owner"]}')
|
iam_roles='["roles/owner"]')
|
||||||
assert len(resources) == 3
|
assert len(resources) == 2
|
||||||
|
|
||||||
|
|
||||||
def test_iam(plan_runner):
|
def test_iam(plan_runner):
|
||||||
"Test folder resources with iam roles and members."
|
"Test folder resources with iam roles and members."
|
||||||
iam_roles = '{folder-a = ["roles/owner"], folder-b = ["roles/viewer"]}'
|
iam_roles = '["roles/owner"]'
|
||||||
iam_members = '{folder-a = { "roles/owner" = ["user:a@b.com"] }}'
|
iam_members = '{"roles/owner" = ["user:a@b.com"] }'
|
||||||
_, resources = plan_runner(
|
_, resources = plan_runner(FIXTURES_DIR,
|
||||||
FIXTURES_DIR, iam_roles=iam_roles, iam_members=iam_members)
|
iam_roles=iam_roles,
|
||||||
assert len(resources) == 4
|
iam_members=iam_members)
|
||||||
|
assert len(resources) == 2
|
||||||
|
|
||||||
|
def test_iam_multiple_members(plan_runner):
|
||||||
|
"Test folder resources with multiple iam members."
|
||||||
|
iam_roles = '["roles/owner"]'
|
||||||
|
iam_members = '{"roles/owner" = ["user:a@b.com", "user:c@d.com"] }'
|
||||||
|
_, resources = plan_runner(FIXTURES_DIR,
|
||||||
|
iam_roles=iam_roles,
|
||||||
|
iam_members=iam_members)
|
||||||
|
assert len(resources) == 2
|
||||||
|
|
||||||
|
def test_iam_multiple_roles(plan_runner):
|
||||||
|
"Test folder resources with multiple iam roles."
|
||||||
|
iam_roles = '["roles/owner", "roles/viewer"]'
|
||||||
|
iam_members = (
|
||||||
|
'{ '
|
||||||
|
'"roles/owner" = ["user:a@b.com"], '
|
||||||
|
'"roles/viewer" = ["user:c@d.com"] '
|
||||||
|
'} '
|
||||||
|
)
|
||||||
|
_, resources = plan_runner(FIXTURES_DIR,
|
||||||
|
iam_roles=iam_roles,
|
||||||
|
iam_members=iam_members)
|
||||||
|
assert len(resources) == 3
|
||||||
|
|
|
@ -24,16 +24,14 @@ def test_policy_boolean(plan_runner):
|
||||||
"Test boolean folder policy."
|
"Test boolean folder policy."
|
||||||
policy_boolean = '{policy-a = true, policy-b = false, policy-c = null}'
|
policy_boolean = '{policy-a = true, policy-b = false, policy-c = null}'
|
||||||
_, resources = plan_runner(FIXTURES_DIR, policy_boolean=policy_boolean)
|
_, resources = plan_runner(FIXTURES_DIR, policy_boolean=policy_boolean)
|
||||||
assert len(resources) == 8
|
|
||||||
|
assert len(resources) == 4
|
||||||
resources = [r for r in resources if r['type']
|
resources = [r for r in resources if r['type']
|
||||||
== 'google_folder_organization_policy']
|
== 'google_folder_organization_policy']
|
||||||
assert sorted([r['index'] for r in resources]) == [
|
assert sorted([r['index'] for r in resources]) == [
|
||||||
'folder-a-policy-a',
|
'policy-a',
|
||||||
'folder-a-policy-b',
|
'policy-b',
|
||||||
'folder-a-policy-c',
|
'policy-c',
|
||||||
'folder-b-policy-a',
|
|
||||||
'folder-b-policy-b',
|
|
||||||
'folder-b-policy-c'
|
|
||||||
]
|
]
|
||||||
policy_values = []
|
policy_values = []
|
||||||
for resource in resources:
|
for resource in resources:
|
||||||
|
@ -42,12 +40,9 @@ def test_policy_boolean(plan_runner):
|
||||||
if value:
|
if value:
|
||||||
policy_values.append((resource['index'], policy,) + value[0].popitem())
|
policy_values.append((resource['index'], policy,) + value[0].popitem())
|
||||||
assert sorted(policy_values) == [
|
assert sorted(policy_values) == [
|
||||||
('folder-a-policy-a', 'boolean_policy', 'enforced', True),
|
('policy-a', 'boolean_policy', 'enforced', True),
|
||||||
('folder-a-policy-b', 'boolean_policy', 'enforced', False),
|
('policy-b', 'boolean_policy', 'enforced', False),
|
||||||
('folder-a-policy-c', 'restore_policy', 'default', True),
|
('policy-c', 'restore_policy', 'default', True),
|
||||||
('folder-b-policy-a', 'boolean_policy', 'enforced', True),
|
|
||||||
('folder-b-policy-b', 'boolean_policy', 'enforced', False),
|
|
||||||
('folder-b-policy-c', 'restore_policy', 'default', True)
|
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
@ -61,26 +56,20 @@ def test_policy_list(plan_runner):
|
||||||
'}'
|
'}'
|
||||||
)
|
)
|
||||||
_, resources = plan_runner(FIXTURES_DIR, policy_list=policy_list)
|
_, resources = plan_runner(FIXTURES_DIR, policy_list=policy_list)
|
||||||
assert len(resources) == 8
|
assert len(resources) == 4
|
||||||
resources = [r for r in resources if r['type']
|
resources = [r for r in resources if r['type']
|
||||||
== 'google_folder_organization_policy']
|
== 'google_folder_organization_policy']
|
||||||
assert sorted([r['index'] for r in resources]) == [
|
assert sorted([r['index'] for r in resources]) == [
|
||||||
'folder-a-policy-a',
|
'policy-a',
|
||||||
'folder-a-policy-b',
|
'policy-b',
|
||||||
'folder-a-policy-c',
|
'policy-c',
|
||||||
'folder-b-policy-a',
|
|
||||||
'folder-b-policy-b',
|
|
||||||
'folder-b-policy-c'
|
|
||||||
]
|
]
|
||||||
values = [r['values'] for r in resources]
|
values = [r['values'] for r in resources]
|
||||||
assert [r['constraint'] for r in values] == [
|
assert [r['constraint'] for r in values] == [
|
||||||
'policy-a', 'policy-b', 'policy-c', 'policy-a', 'policy-b', 'policy-c'
|
'policy-a', 'policy-b', 'policy-c'
|
||||||
]
|
]
|
||||||
for i in (0, 3):
|
assert values[0]['list_policy'][0]['allow'] == [
|
||||||
assert values[i]['list_policy'][0]['allow'] == [
|
{'all': True, 'values': None}]
|
||||||
{'all': True, 'values': None}]
|
assert values[1]['list_policy'][0]['deny'] == [
|
||||||
for i in (1, 4):
|
{'all': False, 'values': ["bar"]}]
|
||||||
assert values[i]['list_policy'][0]['deny'] == [
|
assert values[2]['restore_policy'] == [{'default': True}]
|
||||||
{'all': False, 'values': ["bar"]}]
|
|
||||||
for i in (2, 5):
|
|
||||||
assert values[i]['restore_policy'] == [{'default': True}]
|
|
||||||
|
|
Loading…
Reference in New Issue