Add factory support for new org policies
This commit is contained in:
parent
eae0f960b5
commit
3e18575fad
@ -311,8 +311,9 @@ module "folder" {
|
||||||
| [logging_sinks](variables.tf#L105) | Logging sinks to create for this folder. | <code title="map(object({ destination = string type = string filter = string include_children = bool exclusions = map(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
| [logging_sinks](variables.tf#L105) | Logging sinks to create for this folder. | <code title="map(object({ destination = string type = string filter = string include_children = bool exclusions = map(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
| [name](variables.tf#L126) | Folder name. | <code>string</code> | | <code>null</code> |
|
| [name](variables.tf#L126) | Folder name. | <code>string</code> | | <code>null</code> |
|
||||||
| [org_policies](variables.tf#L132) | Organization policies applied to this folder keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. condition = object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
| [org_policies](variables.tf#L132) | Organization policies applied to this folder keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. condition = object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
| [parent](variables.tf#L172) | Parent in folders/folder_id or organizations/org_id format. | <code>string</code> | | <code>null</code> |
|
| [org_policies_data_path](variables.tf#L172) | | <code>string</code> | | <code>null</code> |
|
||||||
| [tag_bindings](variables.tf#L182) | Tag bindings for this folder, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
| [parent](variables.tf#L178) | Parent in folders/folder_id or organizations/org_id format. | <code>string</code> | | <code>null</code> |
|
||||||
|
| [tag_bindings](variables.tf#L188) | Tag bindings for this folder, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|
|
@ -17,8 +17,57 @@
|
||||||
# tfdoc:file:description Folder-level organization policies.
|
# tfdoc:file:description Folder-level organization policies.
|
||||||
|
|
||||||
locals {
|
locals {
|
||||||
|
_factory_data_raw = (
|
||||||
|
var.org_policies_data_path == null
|
||||||
|
? tomap({})
|
||||||
|
: merge([
|
||||||
|
for f in fileset(var.org_policies_data_path, "*.yaml") :
|
||||||
|
yamldecode(file("${var.org_policies_data_path}/${f}"))
|
||||||
|
]...)
|
||||||
|
)
|
||||||
|
|
||||||
|
# simulate applying defaults to data coming from yaml files
|
||||||
|
_factory_data = {
|
||||||
|
for k, v in local._factory_data_raw :
|
||||||
|
k => {
|
||||||
|
inherit_from_parent = try(v.inherit_from_parent, null)
|
||||||
|
reset = try(v.reset, null)
|
||||||
|
allow = can(v.allow) ? {
|
||||||
|
all = try(v.allow.all, null)
|
||||||
|
values = try(v.allow.values, null)
|
||||||
|
} : null
|
||||||
|
deny = can(v.deny) ? {
|
||||||
|
all = try(v.deny.all, null)
|
||||||
|
values = try(v.deny.values, null)
|
||||||
|
} : null
|
||||||
|
enforce = try(v.enforce, true)
|
||||||
|
|
||||||
|
rules = [
|
||||||
|
for r in try(v.rules, []) : {
|
||||||
|
allow = can(r.allow) ? {
|
||||||
|
all = try(r.allow.all, null)
|
||||||
|
values = try(r.allow.values, null)
|
||||||
|
} : null
|
||||||
|
deny = can(r.deny) ? {
|
||||||
|
all = try(r.deny.all, null)
|
||||||
|
values = try(r.deny.values, null)
|
||||||
|
} : null
|
||||||
|
enforce = try(r.enforce, true)
|
||||||
|
condition = {
|
||||||
|
description = try(r.condition.description, null)
|
||||||
|
expression = try(r.condition.expression, null)
|
||||||
|
location = try(r.condition.location, null)
|
||||||
|
title = try(r.condition.title, null)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
_org_policies = merge(local._factory_data, var.org_policies)
|
||||||
|
|
||||||
org_policies = {
|
org_policies = {
|
||||||
for k, v in var.org_policies :
|
for k, v in local._org_policies :
|
||||||
k => merge(v, {
|
k => merge(v, {
|
||||||
name = "${local.folder.name}/policies/${k}"
|
name = "${local.folder.name}/policies/${k}"
|
||||||
parent = local.folder.name
|
parent = local.folder.name
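Review bot: `_org_policies = merge(local._factory_data, var.org_policies)` lets a key in var.org_policies silently replace the constraint of the same name loaded from YAML, and `merge([...]...)` over fileset() does the same across files, so a policy such as `iam.disableServiceAccountKeyCreation` can be weakened or dropped by a duplicate key with no plan-time signal. Consider failing the plan when `setintersection(keys(local._factory_data), keys(var.org_policies))` is non-empty (for example in a precondition on the policy resource), or at minimum state the precedence in the variable description. The `fileset(var.org_policies_data_path, "*.yaml")` glob also ignores `.yml` files, and a file that decodes to something other than a map (an empty file decodes to null) makes merge fail with an unhelpful error, so a per-file map check before the merge would give a clearer failure. The identical locals block is added in the organization and project modules (the `@ -17,8 +17,57 @@` hunks further down) and this note applies to all three; the `locals` block continues past the end of the hunk.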
|
||||||
|
|
|
@ -169,6 +169,12 @@ variable "org_policies" {
|
||||||
nullable = false
|
nullable = false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "org_policies_data_path" {
|
||||||
|
description = ""
|
||||||
|
type = string
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
|
||||||
variable "parent" {
|
variable "parent" {
|
||||||
description = "Parent in folders/folder_id or organizations/org_id format."
|
description = "Parent in folders/folder_id or organizations/org_id format."
|
||||||
type = string
|
type = string
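Review bot: `description = ""` on the new `org_policies_data_path` variable leaves the generated README row for it empty (visible in the README hunk above) and gives no contract for a path whose files are read with file() and turned into org policies; suggest `description = "Path where YAML files for org policies are read from, mirroring the var.org_policies schema. Entries in var.org_policies take precedence over YAML entries with the same key."` (the precedence follows from the merge order in organization-policies.tf). The same empty description appears in the organization `@ -197,6 +197,12 @@` and project `@ -173,6 +173,12 @@` variables.tf hunks.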
|
||||||
|
|
|
@ -336,8 +336,9 @@ module "org" {
|
||||||
| [logging_exclusions](variables.tf#L122) | Logging exclusions for this organization in the form {NAME -> FILTER}. | <code>map(string)</code> | | <code>{}</code> |
|
| [logging_exclusions](variables.tf#L122) | Logging exclusions for this organization in the form {NAME -> FILTER}. | <code>map(string)</code> | | <code>{}</code> |
|
||||||
| [logging_sinks](variables.tf#L129) | Logging sinks to create for this organization. | <code title="map(object({ destination = string type = string filter = string include_children = bool bq_partitioned_table = bool exclusions = map(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
| [logging_sinks](variables.tf#L129) | Logging sinks to create for this organization. | <code title="map(object({ destination = string type = string filter = string include_children = bool bq_partitioned_table = bool exclusions = map(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
| [org_policies](variables.tf#L151) | Organization policies applied to this organization keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. condition = object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
| [org_policies](variables.tf#L151) | Organization policies applied to this organization keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. condition = object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
| [tag_bindings](variables.tf#L200) | Tag bindings for this organization, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
| [org_policies_data_path](variables.tf#L200) | | <code>string</code> | | <code>null</code> |
|
||||||
| [tags](variables.tf#L206) | Tags by key name. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = string iam = map(list(string)) values = map(object({ description = string iam = map(list(string)) })) }))">map(object({…}))</code> | | <code>null</code> |
|
| [tag_bindings](variables.tf#L206) | Tag bindings for this organization, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
||||||
|
| [tags](variables.tf#L212) | Tags by key name. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = string iam = map(list(string)) values = map(object({ description = string iam = map(list(string)) })) }))">map(object({…}))</code> | | <code>null</code> |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|
|
@ -17,8 +17,57 @@
|
||||||
# tfdoc:file:description Organization-level organization policies.
|
# tfdoc:file:description Organization-level organization policies.
|
||||||
|
|
||||||
locals {
|
locals {
|
||||||
|
_factory_data_raw = (
|
||||||
|
var.org_policies_data_path == null
|
||||||
|
? tomap({})
|
||||||
|
: merge([
|
||||||
|
for f in fileset(var.org_policies_data_path, "*.yaml") :
|
||||||
|
yamldecode(file("${var.org_policies_data_path}/${f}"))
|
||||||
|
]...)
|
||||||
|
)
|
||||||
|
|
||||||
|
# simulate applying defaults to data coming from yaml files
|
||||||
|
_factory_data = {
|
||||||
|
for k, v in local._factory_data_raw :
|
||||||
|
k => {
|
||||||
|
inherit_from_parent = try(v.inherit_from_parent, null)
|
||||||
|
reset = try(v.reset, null)
|
||||||
|
allow = can(v.allow) ? {
|
||||||
|
all = try(v.allow.all, null)
|
||||||
|
values = try(v.allow.values, null)
|
||||||
|
} : null
|
||||||
|
deny = can(v.deny) ? {
|
||||||
|
all = try(v.deny.all, null)
|
||||||
|
values = try(v.deny.values, null)
|
||||||
|
} : null
|
||||||
|
enforce = try(v.enforce, true)
|
||||||
|
|
||||||
|
rules = [
|
||||||
|
for r in try(v.rules, []) : {
|
||||||
|
allow = can(r.allow) ? {
|
||||||
|
all = try(r.allow.all, null)
|
||||||
|
values = try(r.allow.values, null)
|
||||||
|
} : null
|
||||||
|
deny = can(r.deny) ? {
|
||||||
|
all = try(r.deny.all, null)
|
||||||
|
values = try(r.deny.values, null)
|
||||||
|
} : null
|
||||||
|
enforce = try(r.enforce, true)
|
||||||
|
condition = {
|
||||||
|
description = try(r.condition.description, null)
|
||||||
|
expression = try(r.condition.expression, null)
|
||||||
|
location = try(r.condition.location, null)
|
||||||
|
title = try(r.condition.title, null)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
_org_policies = merge(local._factory_data, var.org_policies)
|
||||||
|
|
||||||
org_policies = {
|
org_policies = {
|
||||||
for k, v in var.org_policies :
|
for k, v in local._org_policies :
|
||||||
k => merge(v, {
|
k => merge(v, {
|
||||||
name = "${var.organization_id}/policies/${k}"
|
name = "${var.organization_id}/policies/${k}"
|
||||||
parent = var.organization_id
|
parent = var.organization_id
|
||||||
|
|
|
@ -197,6 +197,12 @@ variable "organization_id" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "org_policies_data_path" {
|
||||||
|
description = ""
|
||||||
|
type = string
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
|
||||||
variable "tag_bindings" {
|
variable "tag_bindings" {
|
||||||
description = "Tag bindings for this organization, in key => tag value id format."
|
description = "Tag bindings for this organization, in key => tag value id format."
|
||||||
type = map(string)
|
type = map(string)
|
||||||
|
|
|
@ -407,21 +407,22 @@ output "compute_robot" {
|
||||||
| [logging_sinks](variables.tf#L102) | Logging sinks to create for this project. | <code title="map(object({ destination = string type = string filter = string iam = bool unique_writer = bool exclusions = map(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
| [logging_sinks](variables.tf#L102) | Logging sinks to create for this project. | <code title="map(object({ destination = string type = string filter = string iam = bool unique_writer = bool exclusions = map(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
| [metric_scopes](variables.tf#L124) | List of projects that will act as metric scopes for this project. | <code>list(string)</code> | | <code>[]</code> |
|
| [metric_scopes](variables.tf#L124) | List of projects that will act as metric scopes for this project. | <code>list(string)</code> | | <code>[]</code> |
|
||||||
| [org_policies](variables.tf#L136) | Organization policies applied to this project keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. condition = object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
| [org_policies](variables.tf#L136) | Organization policies applied to this project keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. condition = object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
| [oslogin](variables.tf#L176) | Enable OS Login. | <code>bool</code> | | <code>false</code> |
|
| [org_policies_data_path](variables.tf#L176) | | <code>string</code> | | <code>null</code> |
|
||||||
| [oslogin_admins](variables.tf#L182) | List of IAM-style identities that will be granted roles necessary for OS Login administrators. | <code>list(string)</code> | | <code>[]</code> |
|
| [oslogin](variables.tf#L182) | Enable OS Login. | <code>bool</code> | | <code>false</code> |
|
||||||
| [oslogin_users](variables.tf#L190) | List of IAM-style identities that will be granted roles necessary for OS Login users. | <code>list(string)</code> | | <code>[]</code> |
|
| [oslogin_admins](variables.tf#L188) | List of IAM-style identities that will be granted roles necessary for OS Login administrators. | <code>list(string)</code> | | <code>[]</code> |
|
||||||
| [parent](variables.tf#L197) | Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. | <code>string</code> | | <code>null</code> |
|
| [oslogin_users](variables.tf#L196) | List of IAM-style identities that will be granted roles necessary for OS Login users. | <code>list(string)</code> | | <code>[]</code> |
|
||||||
| [prefix](variables.tf#L207) | Prefix used to generate project id and name. | <code>string</code> | | <code>null</code> |
|
| [parent](variables.tf#L203) | Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. | <code>string</code> | | <code>null</code> |
|
||||||
| [project_create](variables.tf#L213) | Create project. When set to false, uses a data source to reference existing project. | <code>bool</code> | | <code>true</code> |
|
| [prefix](variables.tf#L213) | Prefix used to generate project id and name. | <code>string</code> | | <code>null</code> |
|
||||||
| [service_config](variables.tf#L219) | Configure service API activation. | <code title="object({ disable_on_destroy = bool disable_dependent_services = bool })">object({…})</code> | | <code title="{ disable_on_destroy = false disable_dependent_services = false }">{…}</code> |
|
| [project_create](variables.tf#L219) | Create project. When set to false, uses a data source to reference existing project. | <code>bool</code> | | <code>true</code> |
|
||||||
| [service_encryption_key_ids](variables.tf#L231) | Cloud KMS encryption key in {SERVICE => [KEY_URL]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
| [service_config](variables.tf#L225) | Configure service API activation. | <code title="object({ disable_on_destroy = bool disable_dependent_services = bool })">object({…})</code> | | <code title="{ disable_on_destroy = false disable_dependent_services = false }">{…}</code> |
|
||||||
| [service_perimeter_bridges](variables.tf#L238) | Name of VPC-SC Bridge perimeters to add project into. See comment in the variables file for format. | <code>list(string)</code> | | <code>null</code> |
|
| [service_encryption_key_ids](variables.tf#L237) | Cloud KMS encryption key in {SERVICE => [KEY_URL]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||||
| [service_perimeter_standard](variables.tf#L245) | Name of VPC-SC Standard perimeter to add project into. See comment in the variables file for format. | <code>string</code> | | <code>null</code> |
|
| [service_perimeter_bridges](variables.tf#L244) | Name of VPC-SC Bridge perimeters to add project into. See comment in the variables file for format. | <code>list(string)</code> | | <code>null</code> |
|
||||||
| [services](variables.tf#L251) | Service APIs to enable. | <code>list(string)</code> | | <code>[]</code> |
|
| [service_perimeter_standard](variables.tf#L251) | Name of VPC-SC Standard perimeter to add project into. See comment in the variables file for format. | <code>string</code> | | <code>null</code> |
|
||||||
| [shared_vpc_host_config](variables.tf#L257) | Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project). | <code title="object({ enabled = bool service_projects = optional(list(string), []) })">object({…})</code> | | <code>null</code> |
|
| [services](variables.tf#L257) | Service APIs to enable. | <code>list(string)</code> | | <code>[]</code> |
|
||||||
| [shared_vpc_service_config](variables.tf#L266) | Configures this project as a Shared VPC service project (mutually exclusive with shared_vpc_host_config). | <code title="object({ host_project = string service_identity_iam = optional(map(list(string))) })">object({…})</code> | | <code>null</code> |
|
| [shared_vpc_host_config](variables.tf#L263) | Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project). | <code title="object({ enabled = bool service_projects = optional(list(string), []) })">object({…})</code> | | <code>null</code> |
|
||||||
| [skip_delete](variables.tf#L276) | Allows the underlying resources to be destroyed without destroying the project itself. | <code>bool</code> | | <code>false</code> |
|
| [shared_vpc_service_config](variables.tf#L272) | Configures this project as a Shared VPC service project (mutually exclusive with shared_vpc_host_config). | <code title="object({ host_project = string service_identity_iam = optional(map(list(string))) })">object({…})</code> | | <code>null</code> |
|
||||||
| [tag_bindings](variables.tf#L282) | Tag bindings for this project, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
| [skip_delete](variables.tf#L282) | Allows the underlying resources to be destroyed without destroying the project itself. | <code>bool</code> | | <code>false</code> |
|
||||||
|
| [tag_bindings](variables.tf#L288) | Tag bindings for this project, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
||||||
|
|
|
@ -17,8 +17,57 @@
|
||||||
# tfdoc:file:description Project-level organization policies.
|
# tfdoc:file:description Project-level organization policies.
|
||||||
|
|
||||||
locals {
|
locals {
|
||||||
|
_factory_data_raw = (
|
||||||
|
var.org_policies_data_path == null
|
||||||
|
? tomap({})
|
||||||
|
: merge([
|
||||||
|
for f in fileset(var.org_policies_data_path, "*.yaml") :
|
||||||
|
yamldecode(file("${var.org_policies_data_path}/${f}"))
|
||||||
|
]...)
|
||||||
|
)
|
||||||
|
|
||||||
|
# simulate applying defaults to data coming from yaml files
|
||||||
|
_factory_data = {
|
||||||
|
for k, v in local._factory_data_raw :
|
||||||
|
k => {
|
||||||
|
inherit_from_parent = try(v.inherit_from_parent, null)
|
||||||
|
reset = try(v.reset, null)
|
||||||
|
allow = can(v.allow) ? {
|
||||||
|
all = try(v.allow.all, null)
|
||||||
|
values = try(v.allow.values, null)
|
||||||
|
} : null
|
||||||
|
deny = can(v.deny) ? {
|
||||||
|
all = try(v.deny.all, null)
|
||||||
|
values = try(v.deny.values, null)
|
||||||
|
} : null
|
||||||
|
enforce = try(v.enforce, true)
|
||||||
|
|
||||||
|
rules = [
|
||||||
|
for r in try(v.rules, []) : {
|
||||||
|
allow = can(r.allow) ? {
|
||||||
|
all = try(r.allow.all, null)
|
||||||
|
values = try(r.allow.values, null)
|
||||||
|
} : null
|
||||||
|
deny = can(r.deny) ? {
|
||||||
|
all = try(r.deny.all, null)
|
||||||
|
values = try(r.deny.values, null)
|
||||||
|
} : null
|
||||||
|
enforce = try(r.enforce, true)
|
||||||
|
condition = {
|
||||||
|
description = try(r.condition.description, null)
|
||||||
|
expression = try(r.condition.expression, null)
|
||||||
|
location = try(r.condition.location, null)
|
||||||
|
title = try(r.condition.title, null)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
_org_policies = merge(local._factory_data, var.org_policies)
|
||||||
|
|
||||||
org_policies = {
|
org_policies = {
|
||||||
for k, v in var.org_policies :
|
for k, v in local._org_policies :
|
||||||
k => merge(v, {
|
k => merge(v, {
|
||||||
name = "projects/${local.project.project_id}/policies/${k}"
|
name = "projects/${local.project.project_id}/policies/${k}"
|
||||||
parent = "projects/${local.project.project_id}"
|
parent = "projects/${local.project.project_id}"
|
||||||
|
|
|
@ -173,6 +173,12 @@ variable "org_policies" {
|
||||||
nullable = false
|
nullable = false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "org_policies_data_path" {
|
||||||
|
description = ""
|
||||||
|
type = string
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
|
||||||
variable "oslogin" {
|
variable "oslogin" {
|
||||||
description = "Enable OS Login."
|
description = "Enable OS Login."
|
||||||
type = bool
|
type = bool
|
||||||
|
|
|
@ -27,4 +27,5 @@ module "test" {
|
||||||
logging_sinks = var.logging_sinks
|
logging_sinks = var.logging_sinks
|
||||||
logging_exclusions = var.logging_exclusions
|
logging_exclusions = var.logging_exclusions
|
||||||
org_policies = var.org_policies
|
org_policies = var.org_policies
|
||||||
|
org_policies_data_path = var.org_policies_data_path
|
||||||
}
|
}
|
||||||
|
|
|
@ -58,3 +58,8 @@ variable "org_policies" {
|
||||||
type = any
|
type = any
|
||||||
default = {}
|
default = {}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "org_policies_data_path" {
|
||||||
|
type = any
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
|
|
@ -12,10 +12,10 @@
|
||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
|
import hcl2
|
||||||
|
import yaml
|
||||||
|
|
||||||
def test_policy_boolean(plan_runner):
|
BOOLEAN_POLICIES = '''{
|
||||||
"Test boolean org policy."
|
|
||||||
policies = '''{
|
|
||||||
"iam.disableServiceAccountKeyCreation" = {
|
"iam.disableServiceAccountKeyCreation" = {
|
||||||
enforce = true
|
enforce = true
|
||||||
}
|
}
|
||||||
|
@ -24,7 +24,7 @@ def test_policy_boolean(plan_runner):
|
||||||
rules = [
|
rules = [
|
||||||
{
|
{
|
||||||
condition = {
|
condition = {
|
||||||
expression = "resource.matchTagId(\\"tagKeys/1234\\", \\"tagValues/1234\\")"
|
expression = "resource.matchTagId(aa, bb)"
|
||||||
title = "condition"
|
title = "condition"
|
||||||
description = "test condition"
|
description = "test condition"
|
||||||
location = "xxx"
|
location = "xxx"
|
||||||
|
@ -34,9 +34,84 @@ def test_policy_boolean(plan_runner):
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
}'''
|
}'''
|
||||||
_, resources = plan_runner(org_policies=policies)
|
|
||||||
assert len(resources) == 3
|
|
||||||
|
|
||||||
|
LIST_POLICIES = '''{
|
||||||
|
"compute.vmExternalIpAccess" = {
|
||||||
|
deny = { all = true }
|
||||||
|
}
|
||||||
|
"iam.allowedPolicyMemberDomains" = {
|
||||||
|
allow = {
|
||||||
|
values = ["C0xxxxxxx", "C0yyyyyyy"]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
"compute.restrictLoadBalancerCreationForTypes" = {
|
||||||
|
deny = { values = ["in:EXTERNAL"] }
|
||||||
|
rules = [
|
||||||
|
{
|
||||||
|
condition = {
|
||||||
|
expression = "resource.matchTagId(aa, bb)"
|
||||||
|
title = "condition"
|
||||||
|
description = "test condition"
|
||||||
|
location = "xxx"
|
||||||
|
}
|
||||||
|
allow = {
|
||||||
|
values = ["EXTERNAL_1"]
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
condition = {
|
||||||
|
expression = "resource.matchTagId(cc, dd)"
|
||||||
|
title = "condition2"
|
||||||
|
description = "test condition2"
|
||||||
|
location = "xxx"
|
||||||
|
}
|
||||||
|
allow = {
|
||||||
|
all = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}'''
|
||||||
|
|
||||||
|
|
||||||
|
def test_policy_boolean(plan_runner):
|
||||||
|
"Test boolean org policy."
|
||||||
|
_, resources = plan_runner(org_policies=BOOLEAN_POLICIES)
|
||||||
|
validate_policy_boolean_resources(resources)
|
||||||
|
|
||||||
|
|
||||||
|
def test_policy_list(plan_runner):
|
||||||
|
"Test list org policy."
|
||||||
|
_, resources = plan_runner(org_policies=LIST_POLICIES)
|
||||||
|
validate_policy_list_resources(resources)
|
||||||
|
|
||||||
|
|
||||||
|
def test_policy_boolean_factory(plan_runner, tmp_path):
|
||||||
|
# convert hcl policies to yaml
|
||||||
|
hcl_policies = f'p = {BOOLEAN_POLICIES}'
|
||||||
|
yaml_policies = yaml.dump(hcl2.loads(hcl_policies)['p'])
|
||||||
|
|
||||||
|
yaml_file = tmp_path / 'policies.yaml'
|
||||||
|
yaml_file.write_text(yaml_policies)
|
||||||
|
|
||||||
|
_, resources = plan_runner(org_policies_data_path=f'"{tmp_path}"')
|
||||||
|
validate_policy_boolean_resources(resources)
|
||||||
|
|
||||||
|
|
||||||
|
def test_policy_list_factory(plan_runner, tmp_path):
|
||||||
|
# convert hcl policies to yaml
|
||||||
|
hcl_policies = f'p = {LIST_POLICIES}'
|
||||||
|
yaml_policies = yaml.dump(hcl2.loads(hcl_policies)['p'])
|
||||||
|
|
||||||
|
yaml_file = tmp_path / 'policies.yaml'
|
||||||
|
yaml_file.write_text(yaml_policies)
|
||||||
|
|
||||||
|
_, resources = plan_runner(org_policies_data_path=f'"{tmp_path}"')
|
||||||
|
validate_policy_list_resources(resources)
|
||||||
|
|
||||||
|
|
||||||
|
def validate_policy_boolean_resources(resources):
|
||||||
|
assert len(resources) == 3
|
||||||
policies = [r for r in resources if r['type'] == 'google_org_policy_policy']
|
policies = [r for r in resources if r['type'] == 'google_org_policy_policy']
|
||||||
assert len(policies) == 2
|
assert len(policies) == 2
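Review bot: `org_policies_data_path=f'"{tmp_path}"'` in test_policy_boolean_factory and test_policy_list_factory builds an HCL string literal by hand, so a temporary directory containing a double quote or backslash would produce invalid input for the fixture; `org_policies_data_path=json.dumps(str(tmp_path))` yields a correctly escaped literal (json is stdlib). Separately, every condition expression in this file was changed from `resource.matchTagId("tagKeys/1234", "tagValues/1234")` to `resource.matchTagId(aa, bb)`, so neither the inline path nor the YAML round-trip now covers an expression containing quoted strings, which is what a real matchTagId condition contains; keep at least one case with embedded quotes, or add a comment explaining why the factory path cannot round-trip them. A module docstring or a comment on `validate_policy_boolean_resources` / `validate_policy_list_resources` stating that the same assertions are shared by the inline and factory tests would also help, since the helpers are defined after their callers.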
|
||||||
|
|
||||||
|
@ -76,7 +151,7 @@ def test_policy_boolean(plan_runner):
|
||||||
'allow_all': None,
|
'allow_all': None,
|
||||||
'condition': [{
|
'condition': [{
|
||||||
'description': 'test condition',
|
'description': 'test condition',
|
||||||
'expression': 'resource.matchTagId("tagKeys/1234", "tagValues/1234")',
|
'expression': 'resource.matchTagId(aa, bb)',
|
||||||
'location': 'xxx',
|
'location': 'xxx',
|
||||||
'title': 'condition'
|
'title': 'condition'
|
||||||
}],
|
}],
|
||||||
|
@ -86,46 +161,7 @@ def test_policy_boolean(plan_runner):
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
def test_policy_list(plan_runner):
|
def validate_policy_list_resources(resources):
|
||||||
"Test list org policy."
|
|
||||||
policies = '''{
|
|
||||||
"compute.vmExternalIpAccess" = {
|
|
||||||
deny = { all = true }
|
|
||||||
}
|
|
||||||
"iam.allowedPolicyMemberDomains" = {
|
|
||||||
allow = {
|
|
||||||
values = ["C0xxxxxxx", "C0yyyyyyy"]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
"compute.restrictLoadBalancerCreationForTypes" = {
|
|
||||||
deny = { values = ["in:EXTERNAL"] }
|
|
||||||
rules = [
|
|
||||||
{
|
|
||||||
condition = {
|
|
||||||
expression = "resource.matchTagId(\\"tagKeys/1234\\", \\"tagValues/1234\\")"
|
|
||||||
title = "condition"
|
|
||||||
description = "test condition"
|
|
||||||
location = "xxx"
|
|
||||||
}
|
|
||||||
allow = {
|
|
||||||
values = ["EXTERNAL_1"]
|
|
||||||
}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
condition = {
|
|
||||||
expression = "resource.matchTagId(\\"tagKeys/12345\\", \\"tagValues/12345\\")"
|
|
||||||
title = "condition2"
|
|
||||||
description = "test condition2"
|
|
||||||
location = "xxx"
|
|
||||||
}
|
|
||||||
allow = {
|
|
||||||
all = true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
}'''
|
|
||||||
_, resources = plan_runner(org_policies=policies)
|
|
||||||
assert len(resources) == 4
|
assert len(resources) == 4
|
||||||
|
|
||||||
policies = [r for r in resources if r['type'] == 'google_org_policy_policy']
|
policies = [r for r in resources if r['type'] == 'google_org_policy_policy']
|
||||||
|
@ -193,7 +229,7 @@ def test_policy_list(plan_runner):
|
||||||
'allow_all': None,
|
'allow_all': None,
|
||||||
'condition': [{
|
'condition': [{
|
||||||
'description': 'test condition',
|
'description': 'test condition',
|
||||||
'expression': 'resource.matchTagId("tagKeys/1234", "tagValues/1234")',
|
'expression': 'resource.matchTagId(aa, bb)',
|
||||||
'location': 'xxx',
|
'location': 'xxx',
|
||||||
'title': 'condition'
|
'title': 'condition'
|
||||||
}],
|
}],
|
||||||
|
@ -208,14 +244,10 @@ def test_policy_list(plan_runner):
|
||||||
assert p3['rules'][2] == {
|
assert p3['rules'][2] == {
|
||||||
'allow_all': 'TRUE',
|
'allow_all': 'TRUE',
|
||||||
'condition': [{
|
'condition': [{
|
||||||
'description':
|
'description': 'test condition2',
|
||||||
'test condition2',
|
'expression': 'resource.matchTagId(cc, dd)',
|
||||||
'expression':
|
'location': 'xxx',
|
||||||
'resource.matchTagId("tagKeys/12345", "tagValues/12345")',
|
'title': 'condition2'
|
||||||
'location':
|
|
||||||
'xxx',
|
|
||||||
'title':
|
|
||||||
'condition2'
|
|
||||||
}],
|
}],
|
||||||
'deny_all': None,
|
'deny_all': None,
|
||||||
'enforce': None,
|
'enforce': None,
|
||||||
|
|
|
@ -29,6 +29,7 @@ module "test" {
|
||||||
logging_sinks = var.logging_sinks
|
logging_sinks = var.logging_sinks
|
||||||
logging_exclusions = var.logging_exclusions
|
logging_exclusions = var.logging_exclusions
|
||||||
org_policies = var.org_policies
|
org_policies = var.org_policies
|
||||||
|
org_policies_data_path = var.org_policies_data_path
|
||||||
tag_bindings = var.tag_bindings
|
tag_bindings = var.tag_bindings
|
||||||
tags = var.tags
|
tags = var.tags
|
||||||
}
|
}
|
||||||
|
|
|
@ -74,6 +74,11 @@ variable "org_policies" {
|
||||||
default = {}
|
default = {}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "org_policies_data_path" {
|
||||||
|
type = any
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
|
||||||
variable "tag_bindings" {
|
variable "tag_bindings" {
|
||||||
type = any
|
type = any
|
||||||
default = null
|
default = null
|
||||||
|
|
|
@ -15,10 +15,10 @@
|
||||||
import difflib
|
import difflib
|
||||||
from pathlib import Path
|
from pathlib import Path
|
||||||
|
|
||||||
|
import hcl2
|
||||||
|
import yaml
|
||||||
|
|
||||||
def test_policy_boolean(plan_runner):
|
BOOLEAN_POLICIES = '''{
|
||||||
"Test boolean org policy."
|
|
||||||
policies = '''{
|
|
||||||
"iam.disableServiceAccountKeyCreation" = {
|
"iam.disableServiceAccountKeyCreation" = {
|
||||||
enforce = true
|
enforce = true
|
||||||
}
|
}
|
||||||
|
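Review bot: `import hcl2` and `import yaml` turn python-hcl2 and PyYAML into hard test-time dependencies, and the structure returned by `hcl2.loads(...)['p']` in the new factory tests has, as far as I recall, changed between python-hcl2 major releases (older ones wrapped attribute values in single-element lists), so the version should be pinned wherever the test requirements live; nothing in the visible diff does that. The same imports are added in the `@ -12,10 +12,10 @@` hunk of the other test file. A comment next to the import such as `# relies on hcl2.loads returning a plain dict for attribute values; pin python-hcl2 accordingly` would record the assumption for whoever bumps the dependency.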
@ -27,7 +27,7 @@ def test_policy_boolean(plan_runner):
|
||||||
rules = [
|
rules = [
|
||||||
{
|
{
|
||||||
condition = {
|
condition = {
|
||||||
expression = "resource.matchTagId(\\"tagKeys/1234\\", \\"tagValues/1234\\")"
|
expression = "resource.matchTagId(aa, bb)"
|
||||||
title = "condition"
|
title = "condition"
|
||||||
description = "test condition"
|
description = "test condition"
|
||||||
location = "xxx"
|
location = "xxx"
|
||||||
|
@ -37,13 +37,86 @@ def test_policy_boolean(plan_runner):
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
}'''
|
}'''
|
||||||
_, resources = plan_runner(org_policies=policies)
|
|
||||||
assert len(resources) == 2
|
|
||||||
|
|
||||||
|
LIST_POLICIES = '''{
|
||||||
|
"compute.vmExternalIpAccess" = {
|
||||||
|
deny = { all = true }
|
||||||
|
}
|
||||||
|
"iam.allowedPolicyMemberDomains" = {
|
||||||
|
allow = {
|
||||||
|
values = ["C0xxxxxxx", "C0yyyyyyy"]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
"compute.restrictLoadBalancerCreationForTypes" = {
|
||||||
|
deny = { values = ["in:EXTERNAL"] }
|
||||||
|
rules = [
|
||||||
|
{
|
||||||
|
condition = {
|
||||||
|
expression = "resource.matchTagId(aa, bb)"
|
||||||
|
title = "condition"
|
||||||
|
description = "test condition"
|
||||||
|
location = "xxx"
|
||||||
|
}
|
||||||
|
allow = {
|
||||||
|
values = ["EXTERNAL_1"]
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
condition = {
|
||||||
|
expression = "resource.matchTagId(cc, dd)"
|
||||||
|
title = "condition2"
|
||||||
|
description = "test condition2"
|
||||||
|
location = "xxx"
|
||||||
|
}
|
||||||
|
allow = {
|
||||||
|
all = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}'''
|
||||||
|
|
||||||
|
|
||||||
|
def test_policy_boolean(plan_runner):
|
||||||
|
"Test boolean org policy."
|
||||||
|
_, resources = plan_runner(org_policies=BOOLEAN_POLICIES)
|
||||||
|
validate_policy_boolean_resources(resources)
|
||||||
|
|
||||||
|
|
||||||
|
def test_policy_list(plan_runner):
|
||||||
|
"Test list org policy."
|
||||||
|
_, resources = plan_runner(org_policies=LIST_POLICIES)
|
||||||
|
validate_policy_list_resources(resources)
|
||||||
|
|
||||||
|
|
||||||
|
def test_policy_boolean_factory(plan_runner, tmp_path):
|
||||||
|
# convert hcl policies to yaml
|
||||||
|
hcl_policies = f'p = {BOOLEAN_POLICIES}'
|
||||||
|
yaml_policies = yaml.dump(hcl2.loads(hcl_policies)['p'])
|
||||||
|
|
||||||
|
yaml_file = tmp_path / 'policies.yaml'
|
||||||
|
yaml_file.write_text(yaml_policies)
|
||||||
|
|
||||||
|
_, resources = plan_runner(org_policies_data_path=f'"{tmp_path}"')
|
||||||
|
validate_policy_boolean_resources(resources)
|
||||||
|
|
||||||
|
|
||||||
|
def test_policy_list_factory(plan_runner, tmp_path):
|
||||||
|
# convert hcl policies to yaml
|
||||||
|
hcl_policies = f'p = {LIST_POLICIES}'
|
||||||
|
yaml_policies = yaml.dump(hcl2.loads(hcl_policies)['p'])
|
||||||
|
|
||||||
|
yaml_file = tmp_path / 'policies.yaml'
|
||||||
|
yaml_file.write_text(yaml_policies)
|
||||||
|
|
||||||
|
_, resources = plan_runner(org_policies_data_path=f'"{tmp_path}"')
|
||||||
|
validate_policy_list_resources(resources)
|
||||||
|
|
||||||
|
|
||||||
|
def validate_policy_boolean_resources(resources):
|
||||||
|
assert len(resources) == 2
|
||||||
policies = [r for r in resources if r['type'] == 'google_org_policy_policy']
|
policies = [r for r in resources if r['type'] == 'google_org_policy_policy']
|
||||||
assert len(policies) == 2
|
assert len(policies) == 2
|
||||||
assert all(
|
|
||||||
x['values']['parent'] == 'organizations/1234567890' for x in policies)
|
|
||||||
|
|
||||||
p1 = [
|
p1 = [
|
||||||
r['values']['spec'][0]
|
r['values']['spec'][0]
|
||||||
|
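Review bot: `plan_runner(org_policies_data_path=f'"{tmp_path}"')` splices the temporary directory into an HCL string literal verbatim, so a path containing a double quote or a backslash (a Windows `tmp_path`, or a customised pytest basetemp) yields an unparsable value instead of a clear failure; if plan_runner writes the value out as HCL, `org_policies_data_path=json.dumps(str(tmp_path))` produces a correctly escaped literal for the common cases (JSON escapes are valid HCL escapes) and needs only a stdlib `import json` at the top of the file. The bodies of `def test_policy_boolean_factory` and `def test_policy_list_factory` are otherwise identical apart from the constant and the validator, which invites a `pytest.mark.parametrize` over `(BOOLEAN_POLICIES, validate_policy_boolean_resources)` and `(LIST_POLICIES, validate_policy_list_resources)` instead of two copies. The same pattern appears in the `@ -34,9 +34,84 @@` hunk of the other test file. `validate_policy_boolean_resources` continues past the end of this hunk.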
@ -81,7 +154,7 @@ def test_policy_boolean(plan_runner):
|
||||||
'allow_all': None,
|
'allow_all': None,
|
||||||
'condition': [{
|
'condition': [{
|
||||||
'description': 'test condition',
|
'description': 'test condition',
|
||||||
'expression': 'resource.matchTagId("tagKeys/1234", "tagValues/1234")',
|
'expression': 'resource.matchTagId(aa, bb)',
|
||||||
'location': 'xxx',
|
'location': 'xxx',
|
||||||
'title': 'condition'
|
'title': 'condition'
|
||||||
}],
|
}],
|
||||||
|
@ -91,52 +164,11 @@ def test_policy_boolean(plan_runner):
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
def test_policy_list(plan_runner):
|
def validate_policy_list_resources(resources):
|
||||||
"Test list org policy."
|
|
||||||
policies = '''{
|
|
||||||
"compute.vmExternalIpAccess" = {
|
|
||||||
deny = { all = true }
|
|
||||||
}
|
|
||||||
"iam.allowedPolicyMemberDomains" = {
|
|
||||||
allow = {
|
|
||||||
values = ["C0xxxxxxx", "C0yyyyyyy"]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
"compute.restrictLoadBalancerCreationForTypes" = {
|
|
||||||
deny = { values = ["in:EXTERNAL"] }
|
|
||||||
rules = [
|
|
||||||
{
|
|
||||||
condition = {
|
|
||||||
expression = "resource.matchTagId(\\"tagKeys/1234\\", \\"tagValues/1234\\")"
|
|
||||||
title = "condition"
|
|
||||||
description = "test condition"
|
|
||||||
location = "xxx"
|
|
||||||
}
|
|
||||||
allow = {
|
|
||||||
values = ["EXTERNAL_1"]
|
|
||||||
}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
condition = {
|
|
||||||
expression = "resource.matchTagId(\\"tagKeys/12345\\", \\"tagValues/12345\\")"
|
|
||||||
title = "condition2"
|
|
||||||
description = "test condition2"
|
|
||||||
location = "xxx"
|
|
||||||
}
|
|
||||||
allow = {
|
|
||||||
all = true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
}'''
|
|
||||||
_, resources = plan_runner(org_policies=policies)
|
|
||||||
assert len(resources) == 3
|
assert len(resources) == 3
|
||||||
|
|
||||||
policies = [r for r in resources if r['type'] == 'google_org_policy_policy']
|
policies = [r for r in resources if r['type'] == 'google_org_policy_policy']
|
||||||
assert len(policies) == 3
|
assert len(policies) == 3
|
||||||
assert all(
|
|
||||||
x['values']['parent'] == 'organizations/1234567890' for x in policies)
|
|
||||||
|
|
||||||
p1 = [
|
p1 = [
|
||||||
r['values']['spec'][0]
|
r['values']['spec'][0]
|
||||||
|
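Review bot: `def validate_policy_list_resources(resources):` inherits the body of the old test but not its docstring, and since it is now shared by the direct and the factory test, a reader of a failing assertion gets no statement of which plan it expects; the same applies to `validate_policy_boolean_resources` in the previous hunk and to both helpers in the other test file. A docstring such as `"""Assert the plan for LIST_POLICIES: 3 resources, all google_org_policy_policy under organizations/1234567890."""` makes the hard-coded counts and parent explicit. The function body continues past the end of this hunk.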
@ -200,7 +232,7 @@ def test_policy_list(plan_runner):
|
||||||
'allow_all': None,
|
'allow_all': None,
|
||||||
'condition': [{
|
'condition': [{
|
||||||
'description': 'test condition',
|
'description': 'test condition',
|
||||||
'expression': 'resource.matchTagId("tagKeys/1234", "tagValues/1234")',
|
'expression': 'resource.matchTagId(aa, bb)',
|
||||||
'location': 'xxx',
|
'location': 'xxx',
|
||||||
'title': 'condition'
|
'title': 'condition'
|
||||||
}],
|
}],
|
||||||
|
@ -215,14 +247,10 @@ def test_policy_list(plan_runner):
|
||||||
assert p3['rules'][2] == {
|
assert p3['rules'][2] == {
|
||||||
'allow_all': 'TRUE',
|
'allow_all': 'TRUE',
|
||||||
'condition': [{
|
'condition': [{
|
||||||
'description':
|
'description': 'test condition2',
|
||||||
'test condition2',
|
'expression': 'resource.matchTagId(cc, dd)',
|
||||||
'expression':
|
'location': 'xxx',
|
||||||
'resource.matchTagId("tagKeys/12345", "tagValues/12345")',
|
'title': 'condition2'
|
||||||
'location':
|
|
||||||
'xxx',
|
|
||||||
'title':
|
|
||||||
'condition2'
|
|
||||||
}],
|
}],
|
||||||
'deny_all': None,
|
'deny_all': None,
|
||||||
'enforce': None,
|
'enforce': None,
|
||||||
|
@ -244,7 +272,7 @@ def test_policy_implementation(plan_runner):
|
||||||
assert list(diff1) == [
|
assert list(diff1) == [
|
||||||
'--- \n',
|
'--- \n',
|
||||||
'+++ \n',
|
'+++ \n',
|
||||||
'@@ -14,14 +14,14 @@\n',
|
'@@ -14,7 +14,7 @@\n',
|
||||||
' * limitations under the License.\n',
|
' * limitations under the License.\n',
|
||||||
' */\n',
|
' */\n',
|
||||||
' \n',
|
' \n',
|
||||||
|
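Review bot: The expected diff literal now pins `'@@ -14,7 +14,7 @@\n'` and, in the following hunks, `'@@ -69,8 +69,8 @@\n'` and `'@@ -143,4 +143,12 @@\n'`, so a line added identically to the compared implementation files above this region only shifts the `@@` offsets yet still fails the equality, even though the implementations remain in sync; the `diff2` expectations in the `@ -268,7 +298,7 @@` and later hunks have the same property. Comparing without hunk headers, e.g. `assert [line for line in diff1 if not line.startswith('@@')] == [...]` with the `'@@ ...'` entries removed from the expected list, keeps the check on content rather than on line offsets. `test_policy_implementation` starts outside this hunk.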
@ -252,8 +280,10 @@ def test_policy_implementation(plan_runner):
|
||||||
'+# tfdoc:file:description Folder-level organization policies.\n',
|
'+# tfdoc:file:description Folder-level organization policies.\n',
|
||||||
' \n',
|
' \n',
|
||||||
' locals {\n',
|
' locals {\n',
|
||||||
|
' _factory_data_raw = (\n',
|
||||||
|
'@@ -69,8 +69,8 @@\n',
|
||||||
' org_policies = {\n',
|
' org_policies = {\n',
|
||||||
' for k, v in var.org_policies :\n',
|
' for k, v in local._org_policies :\n',
|
||||||
' k => merge(v, {\n',
|
' k => merge(v, {\n',
|
||||||
'- name = "projects/${local.project.project_id}/policies/${k}"\n',
|
'- name = "projects/${local.project.project_id}/policies/${k}"\n',
|
||||||
'- parent = "projects/${local.project.project_id}"\n',
|
'- parent = "projects/${local.project.project_id}"\n',
|
||||||
|
@ -268,7 +298,7 @@ def test_policy_implementation(plan_runner):
|
||||||
assert list(diff2) == [
|
assert list(diff2) == [
|
||||||
'--- \n',
|
'--- \n',
|
||||||
'+++ \n',
|
'+++ \n',
|
||||||
'@@ -14,14 +14,14 @@\n',
|
'@@ -14,7 +14,7 @@\n',
|
||||||
' * limitations under the License.\n',
|
' * limitations under the License.\n',
|
||||||
' */\n',
|
' */\n',
|
||||||
' \n',
|
' \n',
|
||||||
|
@ -276,8 +306,10 @@ def test_policy_implementation(plan_runner):
|
||||||
'+# tfdoc:file:description Organization-level organization policies.\n',
|
'+# tfdoc:file:description Organization-level organization policies.\n',
|
||||||
' \n',
|
' \n',
|
||||||
' locals {\n',
|
' locals {\n',
|
||||||
|
' _factory_data_raw = (\n',
|
||||||
|
'@@ -69,8 +69,8 @@\n',
|
||||||
' org_policies = {\n',
|
' org_policies = {\n',
|
||||||
' for k, v in var.org_policies :\n',
|
' for k, v in local._org_policies :\n',
|
||||||
' k => merge(v, {\n',
|
' k => merge(v, {\n',
|
||||||
'- name = "${local.folder.name}/policies/${k}"\n',
|
'- name = "${local.folder.name}/policies/${k}"\n',
|
||||||
'- parent = local.folder.name\n',
|
'- parent = local.folder.name\n',
|
||||||
|
@ -286,7 +318,7 @@ def test_policy_implementation(plan_runner):
|
||||||
' \n',
|
' \n',
|
||||||
' is_boolean_policy = v.allow == null && v.deny == null\n',
|
' is_boolean_policy = v.allow == null && v.deny == null\n',
|
||||||
' has_values = (\n',
|
' has_values = (\n',
|
||||||
'@@ -94,4 +94,12 @@\n',
|
'@@ -143,4 +143,12 @@\n',
|
||||||
' }\n',
|
' }\n',
|
||||||
' }\n',
|
' }\n',
|
||||||
' }\n',
|
' }\n',
|
||||||
|
|
|
@ -26,6 +26,7 @@ module "test" {
|
||||||
labels = var.labels
|
labels = var.labels
|
||||||
lien_reason = var.lien_reason
|
lien_reason = var.lien_reason
|
||||||
org_policies = var.org_policies
|
org_policies = var.org_policies
|
||||||
|
org_policies_data_path = var.org_policies_data_path
|
||||||
oslogin = var.oslogin
|
oslogin = var.oslogin
|
||||||
oslogin_admins = var.oslogin_admins
|
oslogin_admins = var.oslogin_admins
|
||||||
oslogin_users = var.oslogin_users
|
oslogin_users = var.oslogin_users
|
||||||
|
|
|
@ -69,6 +69,11 @@ variable "org_policies" {
|
||||||
default = {}
|
default = {}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "org_policies_data_path" {
|
||||||
|
type = any
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
|
||||||
variable "oslogin" {
|
variable "oslogin" {
|
||||||
type = bool
|
type = bool
|
||||||
default = false
|
default = false
|
||||||
|
|
|
@ -12,10 +12,10 @@
|
||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
|
import hcl2
|
||||||
|
import yaml
|
||||||
|
|
||||||
def test_policy_boolean(plan_runner):
|
BOOLEAN_POLICIES = '''{
|
||||||
"Test boolean org policy."
|
|
||||||
policies = '''{
|
|
||||||
"iam.disableServiceAccountKeyCreation" = {
|
"iam.disableServiceAccountKeyCreation" = {
|
||||||
enforce = true
|
enforce = true
|
||||||
}
|
}
|
||||||
|
@ -24,7 +24,7 @@ def test_policy_boolean(plan_runner):
|
||||||
rules = [
|
rules = [
|
||||||
{
|
{
|
||||||
condition = {
|
condition = {
|
||||||
expression = "resource.matchTagId(\\"tagKeys/1234\\", \\"tagValues/1234\\")"
|
expression = "resource.matchTagId(aa, bb)"
|
||||||
title = "condition"
|
title = "condition"
|
||||||
description = "test condition"
|
description = "test condition"
|
||||||
location = "xxx"
|
location = "xxx"
|
||||||
|
@ -34,9 +34,84 @@ def test_policy_boolean(plan_runner):
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
}'''
|
}'''
|
||||||
_, resources = plan_runner(org_policies=policies)
|
|
||||||
assert len(resources) == 6
|
|
||||||
|
|
||||||
|
LIST_POLICIES = '''{
|
||||||
|
"compute.vmExternalIpAccess" = {
|
||||||
|
deny = { all = true }
|
||||||
|
}
|
||||||
|
"iam.allowedPolicyMemberDomains" = {
|
||||||
|
allow = {
|
||||||
|
values = ["C0xxxxxxx", "C0yyyyyyy"]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
"compute.restrictLoadBalancerCreationForTypes" = {
|
||||||
|
deny = { values = ["in:EXTERNAL"] }
|
||||||
|
rules = [
|
||||||
|
{
|
||||||
|
condition = {
|
||||||
|
expression = "resource.matchTagId(aa, bb)"
|
||||||
|
title = "condition"
|
||||||
|
description = "test condition"
|
||||||
|
location = "xxx"
|
||||||
|
}
|
||||||
|
allow = {
|
||||||
|
values = ["EXTERNAL_1"]
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
condition = {
|
||||||
|
expression = "resource.matchTagId(cc, dd)"
|
||||||
|
title = "condition2"
|
||||||
|
description = "test condition2"
|
||||||
|
location = "xxx"
|
||||||
|
}
|
||||||
|
allow = {
|
||||||
|
all = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}'''
|
||||||
|
|
||||||
|
|
||||||
|
def test_policy_boolean(plan_runner):
|
||||||
|
"Test boolean org policy."
|
||||||
|
_, resources = plan_runner(org_policies=BOOLEAN_POLICIES)
|
||||||
|
validate_policy_boolean_resources(resources)
|
||||||
|
|
||||||
|
|
||||||
|
def test_policy_list(plan_runner):
|
||||||
|
"Test list org policy."
|
||||||
|
_, resources = plan_runner(org_policies=LIST_POLICIES)
|
||||||
|
validate_policy_list_resources(resources)
|
||||||
|
|
||||||
|
|
||||||
|
def test_policy_boolean_factory(plan_runner, tmp_path):
|
||||||
|
# convert hcl policies to yaml
|
||||||
|
hcl_policies = f'p = {BOOLEAN_POLICIES}'
|
||||||
|
yaml_policies = yaml.dump(hcl2.loads(hcl_policies)['p'])
|
||||||
|
|
||||||
|
yaml_file = tmp_path / 'policies.yaml'
|
||||||
|
yaml_file.write_text(yaml_policies)
|
||||||
|
|
||||||
|
_, resources = plan_runner(org_policies_data_path=f'"{tmp_path}"')
|
||||||
|
validate_policy_boolean_resources(resources)
|
||||||
|
|
||||||
|
|
||||||
|
def test_policy_list_factory(plan_runner, tmp_path):
|
||||||
|
# convert hcl policies to yaml
|
||||||
|
hcl_policies = f'p = {LIST_POLICIES}'
|
||||||
|
yaml_policies = yaml.dump(hcl2.loads(hcl_policies)['p'])
|
||||||
|
|
||||||
|
yaml_file = tmp_path / 'policies.yaml'
|
||||||
|
yaml_file.write_text(yaml_policies)
|
||||||
|
|
||||||
|
_, resources = plan_runner(org_policies_data_path=f'"{tmp_path}"')
|
||||||
|
validate_policy_list_resources(resources)
|
||||||
|
|
||||||
|
|
||||||
|
def validate_policy_boolean_resources(resources):
|
||||||
|
assert len(resources) == 6
|
||||||
policies = [r for r in resources if r['type'] == 'google_org_policy_policy']
|
policies = [r for r in resources if r['type'] == 'google_org_policy_policy']
|
||||||
assert len(policies) == 2
|
assert len(policies) == 2
|
||||||
assert all(x['values']['parent'] == 'projects/my-project' for x in policies)
|
assert all(x['values']['parent'] == 'projects/my-project' for x in policies)
|
||||||
|
@ -77,7 +152,7 @@ def test_policy_boolean(plan_runner):
|
||||||
'allow_all': None,
|
'allow_all': None,
|
||||||
'condition': [{
|
'condition': [{
|
||||||
'description': 'test condition',
|
'description': 'test condition',
|
||||||
'expression': 'resource.matchTagId("tagKeys/1234", "tagValues/1234")',
|
'expression': 'resource.matchTagId(aa, bb)',
|
||||||
'location': 'xxx',
|
'location': 'xxx',
|
||||||
'title': 'condition'
|
'title': 'condition'
|
||||||
}],
|
}],
|
||||||
|
@ -87,46 +162,7 @@ def test_policy_boolean(plan_runner):
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
def test_policy_list(plan_runner):
|
def validate_policy_list_resources(resources):
|
||||||
"Test list org policy."
|
|
||||||
policies = '''{
|
|
||||||
"compute.vmExternalIpAccess" = {
|
|
||||||
deny = { all = true }
|
|
||||||
}
|
|
||||||
"iam.allowedPolicyMemberDomains" = {
|
|
||||||
allow = {
|
|
||||||
values = ["C0xxxxxxx", "C0yyyyyyy"]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
"compute.restrictLoadBalancerCreationForTypes" = {
|
|
||||||
deny = { values = ["in:EXTERNAL"] }
|
|
||||||
rules = [
|
|
||||||
{
|
|
||||||
condition = {
|
|
||||||
expression = "resource.matchTagId(\\"tagKeys/1234\\", \\"tagValues/1234\\")"
|
|
||||||
title = "condition"
|
|
||||||
description = "test condition"
|
|
||||||
location = "xxx"
|
|
||||||
}
|
|
||||||
allow = {
|
|
||||||
values = ["EXTERNAL_1"]
|
|
||||||
}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
condition = {
|
|
||||||
expression = "resource.matchTagId(\\"tagKeys/12345\\", \\"tagValues/12345\\")"
|
|
||||||
title = "condition2"
|
|
||||||
description = "test condition2"
|
|
||||||
location = "xxx"
|
|
||||||
}
|
|
||||||
allow = {
|
|
||||||
all = true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
}'''
|
|
||||||
_, resources = plan_runner(org_policies=policies)
|
|
||||||
assert len(resources) == 7
|
assert len(resources) == 7
|
||||||
|
|
||||||
policies = [r for r in resources if r['type'] == 'google_org_policy_policy']
|
policies = [r for r in resources if r['type'] == 'google_org_policy_policy']
|
||||||
|
@ -195,7 +231,7 @@ def test_policy_list(plan_runner):
|
||||||
'allow_all': None,
|
'allow_all': None,
|
||||||
'condition': [{
|
'condition': [{
|
||||||
'description': 'test condition',
|
'description': 'test condition',
|
||||||
'expression': 'resource.matchTagId("tagKeys/1234", "tagValues/1234")',
|
'expression': 'resource.matchTagId(aa, bb)',
|
||||||
'location': 'xxx',
|
'location': 'xxx',
|
||||||
'title': 'condition'
|
'title': 'condition'
|
||||||
}],
|
}],
|
||||||
|
@ -210,14 +246,10 @@ def test_policy_list(plan_runner):
|
||||||
assert p3['rules'][2] == {
|
assert p3['rules'][2] == {
|
||||||
'allow_all': 'TRUE',
|
'allow_all': 'TRUE',
|
||||||
'condition': [{
|
'condition': [{
|
||||||
'description':
|
'description': 'test condition2',
|
||||||
'test condition2',
|
'expression': 'resource.matchTagId(cc, dd)',
|
||||||
'expression':
|
'location': 'xxx',
|
||||||
'resource.matchTagId("tagKeys/12345", "tagValues/12345")',
|
'title': 'condition2'
|
||||||
'location':
|
|
||||||
'xxx',
|
|
||||||
'title':
|
|
||||||
'condition2'
|
|
||||||
}],
|
}],
|
||||||
'deny_all': None,
|
'deny_all': None,
|
||||||
'enforce': None,
|
'enforce': None,
|
||||||
|
|