From ad420138adf636b492e002985e525ce48484702f Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Fri, 28 Oct 2022 14:57:11 +0200
Subject: [PATCH] Fix readme examples

---
 .../03-orchestration.tf | 6 ++-
 .../data-solutions/data-playground/main.tf | 6 ++-
 blueprints/networking/filtering-proxy/main.tf | 7 +--
 modules/folder/README.md | 46 ++++++++++++++----
 modules/organization/README.md | 47 +++++++++++++++----
 modules/project/README.md | 46 ++++++++++++++----
 6 files changed, 119 insertions(+), 39 deletions(-)

diff --git a/blueprints/data-solutions/data-platform-foundations/03-orchestration.tf b/blueprints/data-solutions/data-platform-foundations/03-orchestration.tf
index 7519fa8a..4ced84f2 100644
--- a/blueprints/data-solutions/data-platform-foundations/03-orchestration.tf
+++ b/blueprints/data-solutions/data-platform-foundations/03-orchestration.tf
@@ -67,8 +67,10 @@ module "orch-project" {
 "roles/storage.objectViewer" = [module.load-sa-df-0.iam_email]
 }
 oslogin = false
- policy_boolean = {
- "constraints/compute.requireOsLogin" = false
+ org_policies = {
+ "constraints/compute.requireOsLogin" = {
+ enforce = false
+ }
 }
 services = concat(var.project_services, [
 "artifactregistry.googleapis.com",
diff --git a/blueprints/data-solutions/data-playground/main.tf b/blueprints/data-solutions/data-playground/main.tf
index 2bcd69ab..3fb6999a 100644
--- a/blueprints/data-solutions/data-playground/main.tf
+++ b/blueprints/data-solutions/data-playground/main.tf
@@ -40,8 +40,10 @@ module "project" {
 "storage.googleapis.com",
 "storage-component.googleapis.com"
 ]
- policy_boolean = {
- # "constraints/compute.requireOsLogin" = false
+ org_policies = {
+ # "constraints/compute.requireOsLogin" = {
+ # enforce = false
+ # }
 # Example of applying a project wide policy, mainly useful for Composer
 }
 service_encryption_key_ids = {
diff --git a/blueprints/networking/filtering-proxy/main.tf b/blueprints/networking/filtering-proxy/main.tf
index 884fbd30..97d6efec 100644
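Review bot: The new `org_policies` entry sets `enforce = false` for `constraints/compute.requireOsLogin` on the orchestration project with no comment explaining why a security constraint is being relaxed, while the data-playground hunk in this same patch does carry an explanatory comment for the equivalent (commented-out) override. A relaxed constraint should say why it is relaxed and what depends on it, e.g. `# requireOsLogin is relaxed for this project (presumably for Composer, as noted in data-playground/main.tf) — confirm this is still required`. The `oslogin = false` line just above appears to express the same intent through the module's own variable, so the comment could also state which of the two settings is authoritative. The `module "orch-project"` block starts before the hunk and continues after it.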
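Review bot: The explanatory comment `# Example of applying a project wide policy, mainly useful for Composer` now sits after the closing `# }` of the commented-out example, so it reads as a stray trailer rather than as the description of the block above it. Moving it above `# "constraints/compute.requireOsLogin" = {` makes the comment introduce the example it describes, which is the only content of the otherwise empty `org_policies` map. The `module "project"` block starts before the hunk and continues after it.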
--- a/blueprints/networking/filtering-proxy/main.tf
+++ b/blueprints/networking/filtering-proxy/main.tf
@@ -226,13 +226,10 @@ module "folder-apps" {
 source = "../../../modules/folder"
 parent = var.root_node
 name = "apps"
- policy_list = {
+ org_policies = {
 # prevent VMs with public IPs in the apps folder
 "constraints/compute.vmExternalIpAccess" = {
- inherit_from_parent = false
- suggested_value = null
- status = false
- values = []
+ deny = { all = true }
 }
 }
 }
diff --git a/modules/folder/README.md b/modules/folder/README.md
index 427f3906..84fa67e3 100644
--- a/modules/folder/README.md
+++ b/modules/folder/README.md
@@ -31,20 +31,46 @@ module "folder" {
 source = "./fabric/modules/folder"
 parent = "organizations/1234567890"
 name = "Folder name"
- policy_boolean = {
- "constraints/compute.disableGuestAttributesAccess" = true
- "constraints/compute.skipDefaultNetworkCreation" = true
- }
- policy_list = {
+ org_policies = {
+ "compute.disableGuestAttributesAccess" = {
+ enforce = true
+ }
+ "constraints/compute.skipDefaultNetworkCreation" = {
+ enforce = true
+ }
+ "iam.disableServiceAccountKeyCreation" = {
+ enforce = true
+ }
+ "iam.disableServiceAccountKeyUpload" = {
+ enforce = false
+ rules = [
+ {
+ condition = {
+ expression = "resource.matchTagId(\"tagKeys/1234\", \"tagValues/1234\")"
+ title = "condition"
+ description = "test condition"
+ location = "somewhere"
+ }
+ enforce = true
+ }
+ ]
+ }
+ "constraints/iam.allowedPolicyMemberDomains" = {
+ allow = {
+ values = ["C0xxxxxxx", "C0yyyyyyy"]
+ }
+ }
 "constraints/compute.trustedImageProjects" = {
- inherit_from_parent = null
- suggested_value = null
- status = true
- values = ["projects/my-project"]
+ allow = {
+ values = ["projects/my-project"]
+ }
+ }
+ "constraints/compute.vmExternalIpAccess" = {
+ deny = { all = true }
 }
 }
 }
-# tftest modules=1 resources=4
+# tftest modules=1 resources=8
 ```

 ### Firewall policy factory
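Review bot: The rewritten `constraints/compute.vmExternalIpAccess` entry drops the old `inherit_from_parent = false` and the new `deny = { all = true }` form sets nothing equivalent, so the apps folder now relies on whatever inheritance behaviour the module's `org_policies` schema defaults to; none of the README examples in this patch set an `inherit_from_parent` key either, so whether the new schema still accepts one should be confirmed. Because the denial is total, inherited parent rules should not be able to loosen it, but that reasoning is not recorded anywhere in the block, and the existing comment could carry it: `# prevent VMs with public IPs in the apps folder (deny-all, so parent inheritance cannot widen it)`. The hunk covers the whole `module "folder-apps"` block.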
diff --git a/modules/organization/README.md b/modules/organization/README.md
index 1a06cf80..2ff6b6eb 100644
--- a/modules/organization/README.md
+++ b/modules/organization/README.md
@@ -19,20 +19,47 @@ module "org" {
 iam = {
 "roles/resourcemanager.projectCreator" = ["group:cloud-admins@example.org"]
 }
- policy_boolean = {
- "constraints/compute.disableGuestAttributesAccess" = true
- "constraints/compute.skipDefaultNetworkCreation" = true
- }
- policy_list = {
+
+ org_policies = {
+ "compute.disableGuestAttributesAccess" = {
+ enforce = true
+ }
+ "constraints/compute.skipDefaultNetworkCreation" = {
+ enforce = true
+ }
+ "iam.disableServiceAccountKeyCreation" = {
+ enforce = true
+ }
+ "iam.disableServiceAccountKeyUpload" = {
+ enforce = false
+ rules = [
+ {
+ condition = {
+ expression = "resource.matchTagId(\"tagKeys/1234\", \"tagValues/1234\")"
+ title = "condition"
+ description = "test condition"
+ location = "somewhere"
+ }
+ enforce = true
+ }
+ ]
+ }
+ "constraints/iam.allowedPolicyMemberDomains" = {
+ allow = {
+ values = ["C0xxxxxxx", "C0yyyyyyy"]
+ }
+ }
 "constraints/compute.trustedImageProjects" = {
- inherit_from_parent = null
- suggested_value = null
- status = true
- values = ["projects/my-project"]
+ allow = {
+ values = ["projects/my-project"]
+ }
+ }
+ "constraints/compute.vmExternalIpAccess" = {
+ deny = { all = true }
 }
 }
 }
-# tftest modules=1 resources=6
+# tftest modules=1 resources=10
 ```

 ## IAM
diff --git a/modules/project/README.md b/modules/project/README.md
index 4847a01c..8e6c64d4 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -167,20 +167,46 @@ module "project" {
 "container.googleapis.com",
 "stackdriver.googleapis.com"
 ]
- policy_boolean = {
- "constraints/compute.disableGuestAttributesAccess" = true
- "constraints/compute.skipDefaultNetworkCreation" = true
- }
- policy_list = {
+ org_policies = {
+ "compute.disableGuestAttributesAccess" = {
+ enforce = true
+ }
+ "constraints/compute.skipDefaultNetworkCreation" = {
+ enforce = true
+ }
+ "iam.disableServiceAccountKeyCreation" = {
+ enforce = true
+ }
+ "iam.disableServiceAccountKeyUpload" = {
+ enforce = false
+ rules = [
+ {
+ condition = {
+ expression = "resource.matchTagId(\"tagKeys/1234\", \"tagValues/1234\")"
+ title = "condition"
+ description = "test condition"
+ location = "somewhere"
+ }
+ enforce = true
+ }
+ ]
+ }
+ "constraints/iam.allowedPolicyMemberDomains" = {
+ allow = {
+ values = ["C0xxxxxxx", "C0yyyyyyy"]
+ }
+ }
 "constraints/compute.trustedImageProjects" = {
- inherit_from_parent = null
- suggested_value = null
- status = true
- values = ["projects/my-project"]
+ allow = {
+ values = ["projects/my-project"]
+ }
+ }
+ "constraints/compute.vmExternalIpAccess" = {
+ deny = { all = true }
 }
 }
 }
-# tftest modules=1 resources=6
+# tftest modules=1 resources=10
 ```

 ## Logging Sinks