Merge pull request #930 from GoogleCloudPlatform/jccb/tf13-org-policies
Update project/folder/module to use new org policies API and tf1.3 optionals.
commit
b668e80d5c
|
@ -53,12 +53,12 @@ jobs:
|
|||
run: |
|
||||
terraform fmt -recursive -check -diff $GITHUB_WORKSPACE
|
||||
|
||||
- name: Check documentation (fabric)
|
||||
- name: Check documentation
|
||||
id: documentation-fabric
|
||||
run: |
|
||||
python3 tools/check_documentation.py examples modules fast
|
||||
python3 tools/check_documentation.py modules fast blueprints
|
||||
|
||||
- name: Check documentation links (fabric)
|
||||
- name: Check documentation links
|
||||
id: documentation-links-fabric
|
||||
run: |
|
||||
python3 tools/check_links.py .
|
||||
|
|
|
@ -12,22 +12,22 @@ The codebase provisions the following list of resources:
|
|||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [billing_account](variables.tf#L16) | Billing account id used as default for new projects. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L38) | Existing project id. | <code>string</code> | ✓ | |
|
||||
| [tfe_organization_id](variables.tf#L43) | | <code></code> | ✓ | |
|
||||
| [tfe_workspace_id](variables.tf#L48) | | <code></code> | ✓ | |
|
||||
| [issuer_uri](variables.tf#L65) | Terraform Enterprise uri. Replace the uri if a self hosted instance is used. | <code>string</code> | | <code>"https://app.terraform.io/"</code> |
|
||||
| [project_id](variables.tf#L43) | Existing project id. | <code>string</code> | ✓ | |
|
||||
| [tfe_organization_id](variables.tf#L48) | TFE organization id. | <code>string</code> | ✓ | |
|
||||
| [tfe_workspace_id](variables.tf#L53) | TFE workspace id. | <code>string</code> | ✓ | |
|
||||
| [issuer_uri](variables.tf#L21) | Terraform Enterprise uri. Replace the uri if a self hosted instance is used. | <code>string</code> | | <code>"https://app.terraform.io/"</code> |
|
||||
| [parent](variables.tf#L27) | Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. | <code>string</code> | | <code>null</code> |
|
||||
| [project_create](variables.tf#L21) | Create project instead of using an existing one. | <code>bool</code> | | <code>true</code> |
|
||||
| [workload_identity_pool_id](variables.tf#L53) | Workload identity pool id. | <code>string</code> | | <code>"tfe-pool"</code> |
|
||||
| [workload_identity_pool_provider_id](variables.tf#L59) | Workload identity pool provider id. | <code>string</code> | | <code>"tfe-provider"</code> |
|
||||
| [project_create](variables.tf#L37) | Create project instead of using an existing one. | <code>bool</code> | | <code>true</code> |
|
||||
| [workload_identity_pool_id](variables.tf#L58) | Workload identity pool id. | <code>string</code> | | <code>"tfe-pool"</code> |
|
||||
| [workload_identity_pool_provider_id](variables.tf#L64) | Workload identity pool provider id. | <code>string</code> | | <code>"tfe-provider"</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| [impersonate_service_account_email](outputs.tf#L31) | | |
|
||||
| [project_id](outputs.tf#L16) | | |
|
||||
| [workload_identity_audience](outputs.tf#L26) | | |
|
||||
| [workload_identity_pool_provider_id](outputs.tf#L21) | GCP workload identity pool provider ID. | |
|
||||
| [impersonate_service_account_email](outputs.tf#L16) | Service account to be impersonated by workload identity. | |
|
||||
| [project_id](outputs.tf#L21) | GCP Project ID. | |
|
||||
| [workload_identity_audience](outputs.tf#L26) | TFC Workload Identity Audience. | |
|
||||
| [workload_identity_pool_provider_id](outputs.tf#L31) | GCP workload identity pool provider ID. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
|
|
@ -13,22 +13,22 @@
|
|||
# limitations under the License.
|
||||
|
||||
|
||||
output "impersonate_service_account_email" {
|
||||
description = "Service account to be impersonated by workload identity."
|
||||
value = module.sa-tfe.email
|
||||
}
|
||||
|
||||
output "project_id" {
|
||||
description = "GCP Project ID."
|
||||
value = module.project.project_id
|
||||
}
|
||||
|
||||
output "workload_identity_pool_provider_id" {
|
||||
description = "GCP workload identity pool provider ID."
|
||||
value = google_iam_workload_identity_pool_provider.tfe-pool-provider.name
|
||||
}
|
||||
|
||||
output "workload_identity_audience" {
|
||||
description = "TFC Workload Identity Audience."
|
||||
value = "//iam.googleapis.com/${google_iam_workload_identity_pool_provider.tfe-pool-provider.name}"
|
||||
}
|
||||
|
||||
output "impersonate_service_account_email" {
|
||||
description = "Service account to be impersonated by workload identity."
|
||||
value = module.sa-tfe.email
|
||||
output "workload_identity_pool_provider_id" {
|
||||
description = "GCP workload identity pool provider ID."
|
||||
value = google_iam_workload_identity_pool_provider.tfe-pool-provider.name
|
||||
}
|
||||
|
|
|
@ -18,10 +18,10 @@ variable "billing_account" {
|
|||
type = string
|
||||
}
|
||||
|
||||
variable "project_create" {
|
||||
description = "Create project instead of using an existing one."
|
||||
type = bool
|
||||
default = true
|
||||
variable "issuer_uri" {
|
||||
description = "Terraform Enterprise uri. Replace the uri if a self hosted instance is used."
|
||||
type = string
|
||||
default = "https://app.terraform.io/"
|
||||
}
|
||||
|
||||
variable "parent" {
|
||||
|
@ -34,6 +34,11 @@ variable "parent" {
|
|||
}
|
||||
}
|
||||
|
||||
variable "project_create" {
|
||||
description = "Create project instead of using an existing one."
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "project_id" {
|
||||
description = "Existing project id."
|
||||
|
@ -61,9 +66,3 @@ variable "workload_identity_pool_provider_id" {
|
|||
type = string
|
||||
default = "tfe-provider"
|
||||
}
|
||||
|
||||
variable "issuer_uri" {
|
||||
description = "Terraform Enterprise uri. Replace the uri if a self hosted instance is used."
|
||||
type = string
|
||||
default = "https://app.terraform.io/"
|
||||
}
|
||||
|
|
|
@ -5,15 +5,14 @@ This terraform code is a part of [GCP Workload Identity Federation for Terraform
|
|||
The codebase provisions the following list of resources:
|
||||
|
||||
- GCS Bucket
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [impersonate_service_account_email](variables.tf#L26) | | <code></code> | ✓ | |
|
||||
| [project_id](variables.tf#L16) | | <code></code> | ✓ | |
|
||||
| [workload_identity_pool_provider_id](variables.tf#L21) | GCP workload identity pool provider ID. | <code>string</code> | ✓ | |
|
||||
| [impersonate_service_account_email](variables.tf#L21) | Service account to be impersonated by workload identity. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L16) | GCP project ID. | <code>string</code> | ✓ | |
|
||||
| [workload_identity_pool_provider_id](variables.tf#L26) | GCP workload identity pool provider ID. | <code>string</code> | ✓ | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
|
|
@ -18,12 +18,12 @@ variable "project_id" {
|
|||
type = string
|
||||
}
|
||||
|
||||
variable "workload_identity_pool_provider_id" {
|
||||
description = "GCP workload identity pool provider ID."
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "impersonate_service_account_email" {
|
||||
description = "Service account to be impersonated by workload identity."
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "workload_identity_pool_provider_id" {
|
||||
description = "GCP workload identity pool provider ID."
|
||||
type = string
|
||||
}
|
||||
|
|
|
@ -67,8 +67,10 @@ module "orch-project" {
|
|||
"roles/storage.objectViewer" = [module.load-sa-df-0.iam_email]
|
||||
}
|
||||
oslogin = false
|
||||
policy_boolean = {
|
||||
"constraints/compute.requireOsLogin" = false
|
||||
org_policies = {
|
||||
"constraints/compute.requireOsLogin" = {
|
||||
enforce = false
|
||||
}
|
||||
}
|
||||
services = concat(var.project_services, [
|
||||
"artifactregistry.googleapis.com",
|
||||
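Review bot: The new `org_policies` key keeps the `constraints/` prefix (`"constraints/compute.requireOsLogin" = { enforce = false }`), while the bootstrap organization block on this page uses bare constraint names (`"compute.requireOsLogin" = { enforce = true }`) and the folder README example mixes both forms (`"compute.disableGuestAttributesAccess"` next to `"constraints/compute.skipDefaultNetworkCreation"`). The `google_org_policy_policy` resource that consumes these keys is cut off at the end of the page, so I cannot see whether the module strips the prefix; if it builds the policy name from the key as-is, the two spellings address different policy names, and as far as I recall the resource's name format (`{parent}/policies/{constraint}`) expects the bare form. Pick one spelling and apply it here, in the commented example of the `module "project"` hunk, in the `folder-apps` and `branch-sandbox-folder` blocks, and in the folder README example. `module "orch-project"` begins outside the hunk.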
|
|
|
@ -40,8 +40,10 @@ module "project" {
|
|||
"storage.googleapis.com",
|
||||
"storage-component.googleapis.com"
|
||||
]
|
||||
policy_boolean = {
|
||||
# "constraints/compute.requireOsLogin" = false
|
||||
org_policies = {
|
||||
# "constraints/compute.requireOsLogin" = {
|
||||
# enforce = false
|
||||
# }
|
||||
# Example of applying a project wide policy, mainly useful for Composer
|
||||
}
|
||||
service_encryption_key_ids = {
|
||||
|
|
|
@ -68,13 +68,13 @@ module "projects" {
|
|||
iam = try(each.value.iam, {})
|
||||
kms_service_agents = try(each.value.kms, {})
|
||||
labels = try(each.value.labels, {})
|
||||
org_policies = try(each.value.org_policies, null)
|
||||
org_policies = try(each.value.org_policies, {})
|
||||
service_accounts = try(each.value.service_accounts, {})
|
||||
services = try(each.value.services, [])
|
||||
service_identities_iam = try(each.value.service_identities_iam, {})
|
||||
vpc = try(each.value.vpc, null)
|
||||
}
|
||||
# tftest modules=7 resources=27
|
||||
# tftest modules=7 resources=28
|
||||
```
|
||||
|
||||
### Projects configuration
|
||||
|
@ -153,16 +153,16 @@ labels:
|
|||
environment: prod
|
||||
|
||||
# [opt] Org policy overrides defined at project level
|
||||
org_policies:
|
||||
policy_boolean:
|
||||
constraints/compute.disableGuestAttributesAccess: true
|
||||
policy_list:
|
||||
constraints/compute.trustedImageProjects:
|
||||
inherit_from_parent: null
|
||||
status: true
|
||||
suggested_value: null
|
||||
org_policies:
|
||||
constraints/compute.disableGuestAttributesAccess:
|
||||
enforce: true
|
||||
constraints/compute.trustedImageProjects:
|
||||
allow:
|
||||
values:
|
||||
- projects/fast-prod-iac-core-0
|
||||
- projects/fast-dev-iac-core-0
|
||||
constraints/compute.vmExternalIpAccess:
|
||||
deny:
|
||||
all: true
|
||||
|
||||
# [opt] Service account to create for the project and their roles on the project
|
||||
# in name => [roles] format
|
||||
|
@ -221,7 +221,7 @@ vpc:
|
|||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [billing_account_id](variables.tf#L17) | Billing account id. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L119) | Project id. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L145) | Project id. | <code>string</code> | ✓ | |
|
||||
| [billing_alert](variables.tf#L22) | Billing alert configuration. | <code title="object({ amount = number thresholds = object({ current = list(number) forecasted = list(number) }) credit_treatment = string })">object({…})</code> | | <code>null</code> |
|
||||
| [defaults](variables.tf#L35) | Project factory default values. | <code title="object({ billing_account_id = string billing_alert = object({ amount = number thresholds = object({ current = list(number) forecasted = list(number) }) credit_treatment = string }) environment_dns_zone = string essential_contacts = list(string) labels = map(string) notification_channels = list(string) shared_vpc_self_link = string vpc_host_project = string })">object({…})</code> | | <code>null</code> |
|
||||
| [dns_zones](variables.tf#L57) | DNS private zones to create as child of var.defaults.environment_dns_zone. | <code>list(string)</code> | | <code>[]</code> |
|
||||
|
@ -231,13 +231,13 @@ vpc:
|
|||
| [iam](variables.tf#L81) | Custom IAM settings in role => [principal] format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [kms_service_agents](variables.tf#L87) | KMS IAM configuration in as service => [key]. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [labels](variables.tf#L93) | Labels to be assigned at project level. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [org_policies](variables.tf#L99) | Org-policy overrides at project level. | <code title="object({ policy_boolean = map(bool) policy_list = map(object({ inherit_from_parent = bool suggested_value = string status = bool values = list(string) })) })">object({…})</code> | | <code>null</code> |
|
||||
| [prefix](variables.tf#L113) | Prefix used for the project id. | <code>string</code> | | <code>null</code> |
|
||||
| [service_accounts](variables.tf#L124) | Service accounts to be created, and roles assigned them on the project. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [service_accounts_iam](variables.tf#L130) | IAM bindings on service account resources. Format is KEY => {ROLE => [MEMBERS]} | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| [service_identities_iam](variables.tf#L144) | Custom IAM settings for service identities in service => [role] format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [services](variables.tf#L137) | Services to be enabled for the project. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [vpc](variables.tf#L151) | VPC configuration for the project. | <code title="object({ host_project = string gke_setup = object({ enable_security_admin = bool enable_host_service_agent = bool }) subnets_iam = map(list(string)) })">object({…})</code> | | <code>null</code> |
|
||||
| [org_policies](variables.tf#L99) | Org-policy overrides at project level. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. condition = object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [prefix](variables.tf#L139) | Prefix used for the project id. | <code>string</code> | | <code>null</code> |
|
||||
| [service_accounts](variables.tf#L150) | Service accounts to be created, and roles assigned them on the project. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [service_accounts_iam](variables.tf#L156) | IAM bindings on service account resources. Format is KEY => {ROLE => [MEMBERS]} | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| [service_identities_iam](variables.tf#L164) | Custom IAM settings for service identities in service => [role] format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [services](variables.tf#L171) | Services to be enabled for the project. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [vpc](variables.tf#L178) | VPC configuration for the project. | <code title="object({ host_project = string gke_setup = object({ enable_security_admin = bool enable_host_service_agent = bool }) subnets_iam = map(list(string)) })">object({…})</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
@ -148,9 +148,8 @@ module "project" {
|
|||
contacts = { for c in local.essential_contacts : c => ["ALL"] }
|
||||
iam = local.iam
|
||||
labels = local.labels
|
||||
org_policies = try(var.org_policies, {})
|
||||
parent = var.folder_id
|
||||
policy_boolean = try(var.org_policies.policy_boolean, {})
|
||||
policy_list = try(var.org_policies.policy_list, {})
|
||||
service_encryption_key_ids = var.kms_service_agents
|
||||
services = local.services
|
||||
shared_vpc_service_config = var.vpc == null ? null : {
|
||||
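Review bot: `org_policies = try(var.org_policies, {})` can never fall through to the `{}` branch, because the variable is declared on this page with `default = {}` and `nullable = false`, so the `try()` only obscures where the value comes from. The neighbouring arguments pass their inputs directly (`iam = local.iam`, `labels = local.labels`); the line should read `org_policies = var.org_policies`. `module "project"` begins outside the hunk.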
|
|
|
@ -48,15 +48,15 @@ labels:
|
|||
|
||||
# [opt] Org policy overrides defined at project level
|
||||
org_policies:
|
||||
policy_boolean:
|
||||
constraints/compute.disableGuestAttributesAccess: true
|
||||
policy_list:
|
||||
constraints/compute.trustedImageProjects:
|
||||
inherit_from_parent: null
|
||||
status: true
|
||||
suggested_value: null
|
||||
constraints/compute.disableGuestAttributesAccess:
|
||||
enforce: true
|
||||
constraints/compute.trustedImageProjects:
|
||||
allow:
|
||||
values:
|
||||
- projects/fast-dev-iac-core-0
|
||||
constraints/compute.vmExternalIpAccess:
|
||||
deny:
|
||||
all: true
|
||||
|
||||
# [opt] Service account to create for the project and their roles on the project
|
||||
# in name => [roles] format
|
||||
|
|
|
@ -98,16 +98,42 @@ variable "labels" {
|
|||
|
||||
variable "org_policies" {
|
||||
description = "Org-policy overrides at project level."
|
||||
type = object({
|
||||
policy_boolean = map(bool)
|
||||
policy_list = map(object({
|
||||
inherit_from_parent = bool
|
||||
suggested_value = string
|
||||
status = bool
|
||||
values = list(string)
|
||||
type = map(object({
|
||||
inherit_from_parent = optional(bool) # for list policies only.
|
||||
reset = optional(bool)
|
||||
|
||||
# default (unconditional) values
|
||||
allow = optional(object({
|
||||
all = optional(bool)
|
||||
values = optional(list(string))
|
||||
}))
|
||||
})
|
||||
default = null
|
||||
deny = optional(object({
|
||||
all = optional(bool)
|
||||
values = optional(list(string))
|
||||
}))
|
||||
enforce = optional(bool, true) # for boolean policies only.
|
||||
|
||||
# conditional values
|
||||
rules = optional(list(object({
|
||||
allow = optional(object({
|
||||
all = optional(bool)
|
||||
values = optional(list(string))
|
||||
}))
|
||||
deny = optional(object({
|
||||
all = optional(bool)
|
||||
values = optional(list(string))
|
||||
}))
|
||||
enforce = optional(bool, true) # for boolean policies only.
|
||||
condition = object({
|
||||
description = optional(string)
|
||||
expression = optional(string)
|
||||
location = optional(string)
|
||||
title = optional(string)
|
||||
})
|
||||
})), [])
|
||||
}))
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "prefix" {
|
||||
|
@ -134,12 +160,6 @@ variable "service_accounts_iam" {
|
|||
nullable = false
|
||||
}
|
||||
|
||||
variable "services" {
|
||||
description = "Services to be enabled for the project."
|
||||
type = list(string)
|
||||
default = []
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "service_identities_iam" {
|
||||
description = "Custom IAM settings for service identities in service => [role] format."
|
||||
|
@ -148,6 +168,13 @@ variable "service_identities_iam" {
|
|||
nullable = false
|
||||
}
|
||||
|
||||
variable "services" {
|
||||
description = "Services to be enabled for the project."
|
||||
type = list(string)
|
||||
default = []
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "vpc" {
|
||||
description = "VPC configuration for the project."
|
||||
type = object({
|
||||
|
@ -160,6 +187,3 @@ variable "vpc" {
|
|||
})
|
||||
default = null
|
||||
}
|
||||
|
||||
|
||||
|
||||
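Review bot: The new `org_policies` type lets a single entry, or any element of its `rules`, set both `allow` and `deny`, and the type system cannot express that these are exclusive; the folder module on this page treats an entry as boolean only when both are null, so such an entry would be forwarded as a list policy with conflicting values and, I expect, rejected by the API at apply rather than at plan. A `validation` block on the variable turns this into a plan-time error with a readable message. The `condition` object inside `rules` is required while all of its fields are optional, so `condition = {}` also type-checks; a comment on that field saying which of `expression`/`title` the module actually needs would help callers. The whole `variable "org_policies"` block is inside the hunk.
```hcl
variable "org_policies" {
  # … unchanged: description, type, default, nullable …
  validation {
    condition = alltrue(flatten([
      for k, v in var.org_policies : concat(
        [v.allow == null || v.deny == null],
        [for r in v.rules : r.allow == null || r.deny == null]
      )
    ]))
    error_message = "Each org policy, and each of its rules, can set allow or deny but not both."
  }
}
```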
|
|
|
@ -226,13 +226,10 @@ module "folder-apps" {
|
|||
source = "../../../modules/folder"
|
||||
parent = var.root_node
|
||||
name = "apps"
|
||||
policy_list = {
|
||||
org_policies = {
|
||||
# prevent VMs with public IPs in the apps folder
|
||||
"constraints/compute.vmExternalIpAccess" = {
|
||||
inherit_from_parent = false
|
||||
suggested_value = null
|
||||
status = false
|
||||
values = []
|
||||
deny = { all = true }
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -32,16 +32,9 @@ module "branch-sandbox-folder" {
|
|||
"roles/resourcemanager.folderAdmin" = [module.branch-sandbox-sa.0.iam_email]
|
||||
"roles/resourcemanager.projectCreator" = [module.branch-sandbox-sa.0.iam_email]
|
||||
}
|
||||
policy_boolean = {
|
||||
"constraints/sql.restrictPublicIp" = false
|
||||
}
|
||||
policy_list = {
|
||||
"constraints/compute.vmExternalIpAccess" = {
|
||||
inherit_from_parent = false
|
||||
suggested_value = null
|
||||
status = true
|
||||
values = []
|
||||
}
|
||||
org_policies = {
|
||||
"constraints/sql.restrictPublicIp" = { enforce = false }
|
||||
"constraints/compute.vmExternalIpAccess" = { allow = { all = true } }
|
||||
}
|
||||
tag_bindings = {
|
||||
context = try(
|
||||
|
|
|
@ -18,18 +18,11 @@
|
|||
|
||||
|
||||
locals {
|
||||
list_allow = {
|
||||
inherit_from_parent = false
|
||||
suggested_value = null
|
||||
status = true
|
||||
values = []
|
||||
}
|
||||
list_deny = {
|
||||
inherit_from_parent = false
|
||||
suggested_value = null
|
||||
status = false
|
||||
values = []
|
||||
}
|
||||
all_drs_domains = concat(
|
||||
[var.organization.customer_id],
|
||||
try(local.policy_configs.allowed_policy_member_domains, [])
|
||||
)
|
||||
|
||||
policy_configs = (
|
||||
var.organization_policy_configs == null
|
||||
? {}
|
||||
|
@ -74,74 +67,55 @@ module "organization" {
|
|||
} : {}
|
||||
)
|
||||
# sample subset of useful organization policies, edit to suit requirements
|
||||
policy_boolean = {
|
||||
# "constraints/cloudfunctions.requireVPCConnector" = true
|
||||
# "constraints/compute.disableGuestAttributesAccess" = true
|
||||
# "constraints/compute.disableInternetNetworkEndpointGroup" = true
|
||||
# "constraints/compute.disableNestedVirtualization" = true
|
||||
# "constraints/compute.disableSerialPortAccess" = true
|
||||
"constraints/compute.requireOsLogin" = true
|
||||
# "constraints/compute.restrictXpnProjectLienRemoval" = true
|
||||
"constraints/compute.skipDefaultNetworkCreation" = true
|
||||
# "constraints/compute.setNewProjectDefaultToZonalDNSOnly" = true
|
||||
"constraints/iam.automaticIamGrantsForDefaultServiceAccounts" = true
|
||||
"constraints/iam.disableServiceAccountKeyCreation" = true
|
||||
# "constraints/iam.disableServiceAccountKeyUpload" = true
|
||||
"constraints/sql.restrictPublicIp" = true
|
||||
"constraints/sql.restrictAuthorizedNetworks" = true
|
||||
"constraints/storage.uniformBucketLevelAccess" = true
|
||||
}
|
||||
policy_list = {
|
||||
# "constraints/cloudfunctions.allowedIngressSettings" = merge(
|
||||
# local.list_allow, { values = ["is:ALLOW_INTERNAL_ONLY"] }
|
||||
# )
|
||||
# "constraints/cloudfunctions.allowedVpcConnectorEgressSettings" = merge(
|
||||
# local.list_allow, { values = ["is:PRIVATE_RANGES_ONLY"] }
|
||||
# )
|
||||
"constraints/compute.restrictLoadBalancerCreationForTypes" = merge(
|
||||
local.list_allow, { values = ["in:INTERNAL"] }
|
||||
)
|
||||
"constraints/compute.vmExternalIpAccess" = local.list_deny
|
||||
"constraints/iam.allowedPolicyMemberDomains" = merge(
|
||||
local.list_allow, {
|
||||
values = concat(
|
||||
[var.organization.customer_id],
|
||||
try(local.policy_configs.allowed_policy_member_domains, [])
|
||||
)
|
||||
})
|
||||
"constraints/run.allowedIngress" = merge(
|
||||
local.list_allow, { values = ["is:internal"] }
|
||||
)
|
||||
# "constraints/run.allowedVPCEgress" = merge(
|
||||
# local.list_allow, { values = ["is:private-ranges-only"] }
|
||||
# )
|
||||
# "constraints/compute.restrictCloudNATUsage" = local.list_deny
|
||||
# "constraints/compute.restrictDedicatedInterconnectUsage" = local.list_deny
|
||||
# "constraints/compute.restrictPartnerInterconnectUsage" = local.list_deny
|
||||
# "constraints/compute.restrictProtocolForwardingCreationForTypes" = local.list_deny
|
||||
# "constraints/compute.restrictSharedVpcHostProjects" = local.list_deny
|
||||
# "constraints/compute.restrictSharedVpcSubnetworks" = local.list_deny
|
||||
# "constraints/compute.restrictVpcPeering" = local.list_deny
|
||||
# "constraints/compute.restrictVpnPeerIPs" = local.list_deny
|
||||
# "constraints/compute.vmCanIpForward" = local.list_deny
|
||||
# "constraints/gcp.resourceLocations" = {
|
||||
# inherit_from_parent = false
|
||||
# suggested_value = null
|
||||
# status = true
|
||||
# values = local.allowed_regions
|
||||
|
||||
org_policies = {
|
||||
"compute.disableGuestAttributesAccess" = { enforce = true }
|
||||
"compute.requireOsLogin" = { enforce = true }
|
||||
"compute.restrictLoadBalancerCreationForTypes" = { allow = { values = ["in:INTERNAL"] } }
|
||||
"compute.skipDefaultNetworkCreation" = { enforce = true }
|
||||
"compute.vmExternalIpAccess" = { deny = { all = true } }
|
||||
"iam.allowedPolicyMemberDomains" = { allow = { values = local.all_drs_domains } }
|
||||
"iam.automaticIamGrantsForDefaultServiceAccounts" = { enforce = true }
|
||||
"iam.disableServiceAccountKeyCreation" = { enforce = true }
|
||||
"iam.disableServiceAccountKeyUpload" = { enforce = true }
|
||||
"run.allowedIngress" = { allow = { values = ["is:INTERNAL"] } }
|
||||
"sql.restrictAuthorizedNetworks" = { enforce = true }
|
||||
"sql.restrictPublicIp" = { enforce = true }
|
||||
"storage.uniformBucketLevelAccess" = { enforce = true }
|
||||
|
||||
# "cloudfunctions.allowedIngressSettings" = {
|
||||
# allow = { values = ["is:ALLOW_INTERNAL_ONLY"] }
|
||||
# }
|
||||
# https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers#restrict
|
||||
# "constraints/iam.workloadIdentityPoolProviders" = merge(
|
||||
# local.list_allow, { values = [
|
||||
# for k, v in coalesce(var.automation.federated_identity_providers, {}) :
|
||||
# v.issuer_uri
|
||||
# ] }
|
||||
# )
|
||||
# "constraints/iam.workloadIdentityPoolAwsAccounts" = merge(
|
||||
# local.list_allow, { values = [
|
||||
#
|
||||
# ] }
|
||||
# )
|
||||
# "cloudfunctions.allowedVpcConnectorEgressSettings" = {
|
||||
# allow = { values = ["is:PRIVATE_RANGES_ONLY"] }
|
||||
# }
|
||||
# "cloudfunctions.requireVPCConnector" = { enforce = true }
|
||||
# "compute.disableInternetNetworkEndpointGroup" = { enforce = true }
|
||||
# "compute.disableNestedVirtualization" = { enforce = true }
|
||||
# "compute.disableSerialPortAccess" = { enforce = true }
|
||||
# "compute.restrictCloudNATUsage" = { deny = { all = true }}
|
||||
# "compute.restrictDedicatedInterconnectUsage" = { deny = { all = true }}
|
||||
# "compute.restrictPartnerInterconnectUsage" = { deny = { all = true }}
|
||||
# "compute.restrictProtocolForwardingCreationForTypes" = { deny = { all = true }}
|
||||
# "compute.restrictSharedVpcHostProjects" = { deny = { all = true }}
|
||||
# "compute.restrictSharedVpcSubnetworks" = { deny = { all = true }}
|
||||
# "compute.restrictVpcPeering" = { deny = { all = true }}
|
||||
# "compute.restrictVpnPeerIPs" = { deny = { all = true }}
|
||||
# "compute.restrictXpnProjectLienRemoval" = { enforce = true }
|
||||
# "compute.setNewProjectDefaultToZonalDNSOnly" = { enforce = true }
|
||||
# "compute.vmCanIpForward" = { deny = { all = true }}
|
||||
# "gcp.resourceLocations" = {
|
||||
# allow = { values = local.allowed_regions }
|
||||
# }
|
||||
# "iam.workloadIdentityPoolProviders" = {
|
||||
# allow = {
|
||||
# values = [
|
||||
# for k, v in coalesce(var.automation.federated_identity_providers, {}) :
|
||||
# v.issuer_uri
|
||||
# ]
|
||||
# }
|
||||
# }
|
||||
# "run.allowedVPCEgress" = { allow = { values = ["is:private-ranges-only"] } }
|
||||
}
|
||||
tags = {
|
||||
(var.tag_names.context) = {
|
||||
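Review bot: `"run.allowedIngress" = { allow = { values = ["is:INTERNAL"] } }` changes the allowed value from the `is:internal` on the removed line above, while the retained commented-out `run.allowedVPCEgress` entry still uses the lowercase `is:private-ranges-only`. As far as I know the accepted values for this constraint are the lowercase ingress setting names (`internal`, `internal-and-cloud-load-balancing`, `all`); if that is right, an allow list whose only entry matches nothing blocks every ingress setting for new Cloud Run services across the organization, so verify the spelling and keep `["is:internal"]`. Separately, the new map enforces `compute.disableGuestAttributesAccess` and `iam.disableServiceAccountKeyUpload`, both of which were commented out on the old side; that widens the enforced policy set beyond the API migration the description announces and deserves a mention in the commit message. `module "organization"` begins outside the hunk.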
|
|
|
@ -48,15 +48,15 @@ labels:
|
|||
|
||||
# [opt] Org policy overrides defined at project level
|
||||
org_policies:
|
||||
policy_boolean:
|
||||
constraints/compute.disableGuestAttributesAccess: true
|
||||
policy_list:
|
||||
constraints/compute.trustedImageProjects:
|
||||
inherit_from_parent: null
|
||||
status: true
|
||||
suggested_value: null
|
||||
constraints/compute.disableGuestAttributesAccess:
|
||||
enforce: true
|
||||
constraints/compute.trustedImageProjects:
|
||||
allow:
|
||||
values:
|
||||
- projects/fast-dev-iac-core-0
|
||||
constraints/compute.vmExternalIpAccess:
|
||||
deny:
|
||||
all: true
|
||||
|
||||
# [opt] Service account to create for the project and their roles on the project
|
||||
# in name => [roles] format
|
||||
|
|
|
@ -31,20 +31,46 @@ module "folder" {
|
|||
source = "./fabric/modules/folder"
|
||||
parent = "organizations/1234567890"
|
||||
name = "Folder name"
|
||||
policy_boolean = {
|
||||
"constraints/compute.disableGuestAttributesAccess" = true
|
||||
"constraints/compute.skipDefaultNetworkCreation" = true
|
||||
}
|
||||
policy_list = {
|
||||
org_policies = {
|
||||
"compute.disableGuestAttributesAccess" = {
|
||||
enforce = true
|
||||
}
|
||||
"constraints/compute.skipDefaultNetworkCreation" = {
|
||||
enforce = true
|
||||
}
|
||||
"iam.disableServiceAccountKeyCreation" = {
|
||||
enforce = true
|
||||
}
|
||||
"iam.disableServiceAccountKeyUpload" = {
|
||||
enforce = false
|
||||
rules = [
|
||||
{
|
||||
condition = {
|
||||
expression = "resource.matchTagId(\"tagKeys/1234\", \"tagValues/1234\")"
|
||||
title = "condition"
|
||||
description = "test condition"
|
||||
location = "somewhere"
|
||||
}
|
||||
enforce = true
|
||||
}
|
||||
]
|
||||
}
|
||||
"constraints/iam.allowedPolicyMemberDomains" = {
|
||||
allow = {
|
||||
values = ["C0xxxxxxx", "C0yyyyyyy"]
|
||||
}
|
||||
}
|
||||
"constraints/compute.trustedImageProjects" = {
|
||||
inherit_from_parent = null
|
||||
suggested_value = null
|
||||
status = true
|
||||
values = ["projects/my-project"]
|
||||
allow = {
|
||||
values = ["projects/my-project"]
|
||||
}
|
||||
}
|
||||
"constraints/compute.vmExternalIpAccess" = {
|
||||
deny = { all = true }
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=4
|
||||
# tftest modules=1 resources=8
|
||||
```
|
||||
|
||||
### Firewall policy factory
|
||||
|
@ -259,7 +285,7 @@ module "folder" {
|
|||
| [iam.tf](./iam.tf) | IAM bindings, roles and audit logging resources. | <code>google_folder_iam_binding</code> · <code>google_folder_iam_member</code> |
|
||||
| [logging.tf](./logging.tf) | Log sinks and supporting resources. | <code>google_bigquery_dataset_iam_member</code> · <code>google_logging_folder_exclusion</code> · <code>google_logging_folder_sink</code> · <code>google_project_iam_member</code> · <code>google_pubsub_topic_iam_member</code> · <code>google_storage_bucket_iam_member</code> |
|
||||
| [main.tf](./main.tf) | Module-level locals and resources. | <code>google_essential_contacts_contact</code> · <code>google_folder</code> |
|
||||
| [organization-policies.tf](./organization-policies.tf) | Folder-level organization policies. | <code>google_folder_organization_policy</code> |
|
||||
| [organization-policies.tf](./organization-policies.tf) | Folder-level organization policies. | <code>google_org_policy_policy</code> |
|
||||
| [outputs.tf](./outputs.tf) | Module outputs. | |
|
||||
| [tags.tf](./tags.tf) | None | <code>google_tags_tag_binding</code> |
|
||||
| [variables.tf](./variables.tf) | Module variables. | |
|
||||
|
@ -282,10 +308,9 @@ module "folder" {
|
|||
| [logging_exclusions](variables.tf#L98) | Logging exclusions for this folder in the form {NAME -> FILTER}. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [logging_sinks](variables.tf#L105) | Logging sinks to create for this folder. | <code title="map(object({ destination = string type = string filter = string include_children = bool exclusions = map(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [name](variables.tf#L126) | Folder name. | <code>string</code> | | <code>null</code> |
|
||||
| [parent](variables.tf#L132) | Parent in folders/folder_id or organizations/org_id format. | <code>string</code> | | <code>null</code> |
|
||||
| [policy_boolean](variables.tf#L142) | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code>map(bool)</code> | | <code>{}</code> |
|
||||
| [policy_list](variables.tf#L149) | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map(object({ inherit_from_parent = bool suggested_value = string status = bool values = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [tag_bindings](variables.tf#L161) | Tag bindings for this folder, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [org_policies](variables.tf#L132) | Organization policies applied to this folder keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. condition = object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [parent](variables.tf#L172) | Parent in folders/folder_id or organizations/org_id format. | <code>string</code> | | <code>null</code> |
|
||||
| [tag_bindings](variables.tf#L182) | Tag bindings for this folder, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
@ -295,7 +320,7 @@ module "folder" {
|
|||
| [firewall_policy_id](outputs.tf#L21) | Map of firewall policy ids created in this folder. | |
|
||||
| [folder](outputs.tf#L26) | Folder resource. | |
|
||||
| [id](outputs.tf#L31) | Folder id. | |
|
||||
| [name](outputs.tf#L41) | Folder name. | |
|
||||
| [sink_writer_identities](outputs.tf#L46) | Writer identities created for each sink. | |
|
||||
| [name](outputs.tf#L40) | Folder name. | |
|
||||
| [sink_writer_identities](outputs.tf#L45) | Writer identities created for each sink. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
@ -16,75 +16,79 @@
|
|||
|
||||
# tfdoc:file:description Folder-level organization policies.
|
||||
|
||||
resource "google_folder_organization_policy" "boolean" {
|
||||
for_each = var.policy_boolean
|
||||
folder = local.folder.name
|
||||
constraint = each.key
|
||||
|
||||
dynamic "boolean_policy" {
|
||||
for_each = each.value == null ? [] : [each.value]
|
||||
iterator = policy
|
||||
content {
|
||||
enforced = policy.value
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "restore_policy" {
|
||||
for_each = each.value == null ? [""] : []
|
||||
content {
|
||||
default = true
|
||||
}
|
||||
locals {
|
||||
org_policies = {
|
||||
for k, v in var.org_policies :
|
||||
k => merge(v, {
|
||||
is_boolean_policy = v.allow == null && v.deny == null
|
||||
has_values = (
|
||||
length(coalesce(try(v.allow.values, []), [])) > 0 ||
|
||||
length(coalesce(try(v.deny.values, []), [])) > 0
|
||||
)
|
||||
rules = [
|
||||
for r in v.rules :
|
||||
merge(r, {
|
||||
has_values = (
|
||||
length(coalesce(try(r.allow.values, []), [])) > 0 ||
|
||||
length(coalesce(try(r.deny.values, []), [])) > 0
|
||||
)
|
||||
})
|
||||
]
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_folder_organization_policy" "list" {
|
||||
for_each = var.policy_list
|
||||
folder = local.folder.name
|
||||
constraint = each.key
|
||||
resource "google_org_policy_policy" "default" {
|
||||
for_each = local.org_policies
|
||||
name = "${local.folder.name}/policies/${each.key}"
|
||||
parent = local.folder.name
|
||||
|
||||
dynamic "list_policy" {
|
||||
for_each = each.value.status == null ? [] : [each.value]
|
||||
iterator = policy
|
||||
content {
|
||||
inherit_from_parent = policy.value.inherit_from_parent
|
||||
suggested_value = policy.value.suggested_value
|
||||
dynamic "allow" {
|
||||
for_each = policy.value.status ? [""] : []
|
||||
spec {
|
||||
inherit_from_parent = each.value.inherit_from_parent
|
||||
reset = each.value.reset
|
||||
|
||||
rules {
|
||||
allow_all = try(each.value.allow.all, null) == true ? "TRUE" : null
|
||||
deny_all = try(each.value.deny.all, null) == true ? "TRUE" : null
|
||||
enforce = (
|
||||
each.value.is_boolean_policy && each.value.enforce != null
|
||||
? upper(tostring(each.value.enforce))
|
||||
: null
|
||||
)
|
||||
dynamic "values" {
|
||||
for_each = each.value.has_values ? [1] : []
|
||||
content {
|
||||
values = (
|
||||
try(length(policy.value.values) > 0, false)
|
||||
? policy.value.values
|
||||
: null
|
||||
)
|
||||
all = (
|
||||
try(length(policy.value.values) > 0, false)
|
||||
? null
|
||||
: true
|
||||
)
|
||||
allowed_values = try(each.value.allow.values, null)
|
||||
denied_values = try(each.value.deny.values, null)
|
||||
}
|
||||
}
|
||||
dynamic "deny" {
|
||||
for_each = policy.value.status ? [] : [""]
|
||||
content {
|
||||
values = (
|
||||
try(length(policy.value.values) > 0, false)
|
||||
? policy.value.values
|
||||
: null
|
||||
)
|
||||
all = (
|
||||
try(length(policy.value.values) > 0, false)
|
||||
? null
|
||||
: true
|
||||
)
|
||||
}
|
||||
|
||||
dynamic "rules" {
|
||||
for_each = each.value.rules
|
||||
iterator = rule
|
||||
content {
|
||||
allow_all = try(rule.value.allow.all, false) == true ? "TRUE" : null
|
||||
deny_all = try(rule.value.deny.all, false) == true ? "TRUE" : null
|
||||
enforce = (
|
||||
each.value.is_boolean_policy && rule.value.enforce != null
|
||||
? upper(tostring(rule.value.enforce))
|
||||
: null
|
||||
)
|
||||
condition {
|
||||
description = rule.value.condition.description
|
||||
expression = rule.value.condition.expression
|
||||
location = rule.value.condition.location
|
||||
title = rule.value.condition.title
|
||||
}
|
||||
dynamic "values" {
|
||||
for_each = rule.value.has_values ? [1] : []
|
||||
content {
|
||||
allowed_values = try(rule.value.allow.values, null)
|
||||
denied_values = try(rule.value.deny.values, null)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "restore_policy" {
|
||||
for_each = each.value.status == null ? [true] : []
|
||||
content {
|
||||
default = true
|
||||
}
|
||||
}
|
||||
}
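Review bot: `is_boolean_policy` in `locals` only inspects the top-level `allow`/`deny`, so a list policy expressed solely through conditional `rules` (top-level `allow` and `deny` null) is treated as boolean and each of its rules is emitted with `enforce = "TRUE"` (from the `enforce` default) next to `allowed_values`/`denied_values`, which one rule presumably cannot combine; extend the check across the rules, e.g. `is_boolean_policy = v.allow == null && v.deny == null && alltrue([for r in v.rules : r.allow == null && r.deny == null])`. For the same reason a policy given only `reset = true` still carries an unconditional rule with `enforce = "TRUE"`, which presumably conflicts with `reset` unless the caller also passes `enforce = null`; a comment on the resource or an explicit check would make that visible. The unconditional rule tests `try(each.value.allow.all, null) == true` while the conditional one tests `try(rule.value.allow.all, false) == true`; they are equivalent but should read the same. If callers key policies with the `constraints/` prefix, as the README example in this commit does, `name` becomes `<folder>/policies/constraints/<constraint>`; confirm the provider accepts that form or normalize with `trimprefix(each.key, "constraints/")`. The organization module's `organization-policies.tf` hunk adds the same `locals` and resource and every point applies there too.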
|
||||
@ -33,8 +33,7 @@ output "id" {
|
|||
value = local.folder.name
|
||||
depends_on = [
|
||||
google_folder_iam_binding.authoritative,
|
||||
google_folder_organization_policy.boolean,
|
||||
google_folder_organization_policy.list
|
||||
google_org_policy_policy.default,
|
||||
]
|
||||
}
|
||||
|
||||
@ -129,6 +129,46 @@ variable "name" {
|
|||
default = null
|
||||
}
|
||||
|
||||
variable "org_policies" {
|
||||
description = "Organization policies applied to this folder keyed by policy name."
|
||||
type = map(object({
|
||||
inherit_from_parent = optional(bool) # for list policies only.
|
||||
reset = optional(bool)
|
||||
|
||||
# default (unconditional) values
|
||||
allow = optional(object({
|
||||
all = optional(bool)
|
||||
values = optional(list(string))
|
||||
}))
|
||||
deny = optional(object({
|
||||
all = optional(bool)
|
||||
values = optional(list(string))
|
||||
}))
|
||||
enforce = optional(bool, true) # for boolean policies only.
|
||||
|
||||
# conditional values
|
||||
rules = optional(list(object({
|
||||
allow = optional(object({
|
||||
all = optional(bool)
|
||||
values = optional(list(string))
|
||||
}))
|
||||
deny = optional(object({
|
||||
all = optional(bool)
|
||||
values = optional(list(string))
|
||||
}))
|
||||
enforce = optional(bool, true) # for boolean policies only.
|
||||
condition = object({
|
||||
description = optional(string)
|
||||
expression = optional(string)
|
||||
location = optional(string)
|
||||
title = optional(string)
|
||||
})
|
||||
})), [])
|
||||
}))
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "parent" {
|
||||
description = "Parent in folders/folder_id or organizations/org_id format."
|
||||
type = string
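Review bot: `variable "org_policies"` has no `validation` block, so combinations the resource cannot express — `all = true` together with `values` in the same `allow`/`deny`, or `allow.all` and `deny.all` both set — are only caught at apply time, since in `organization-policies.tf` both land in the same `rules` block as `allow_all`/`deny_all` plus a `values` block; a plan-time validation over `var.org_policies` would surface them earlier, and the same checks could be repeated over each entry of `rules`. The description `keyed by policy name` should say which key form is expected, since the README example in this commit mixes `compute.disableGuestAttributesAccess` and `constraints/compute.skipDefaultNetworkCreation`, and the `# for boolean policies only.` comment on `enforce` could add that its `true` default means a list policy must not set it. The same variable is added to the organization module's `variables.tf` in this commit and both notes apply there as well.
```hcl
variable "org_policies" {
  # … unchanged: description and type …
  default  = {}
  nullable = false
  validation {
    condition = alltrue(flatten([
      for k, v in var.org_policies : [
        !(try(v.allow.all, false) == true && try(v.allow.values, null) != null),
        !(try(v.deny.all, false) == true && try(v.deny.values, null) != null),
        !(try(v.allow.all, false) == true && try(v.deny.all, false) == true),
      ]
    ]))
    error_message = "Within a policy, all and values are mutually exclusive, and allow.all and deny.all cannot both be set."
  }
}
```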
|
||||
|
@ -139,25 +179,6 @@ variable "parent" {
|
|||
}
|
||||
}
|
||||
|
||||
variable "policy_boolean" {
|
||||
description = "Map of boolean org policies and enforcement value, set value to null for policy restore."
|
||||
type = map(bool)
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "policy_list" {
|
||||
description = "Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny."
|
||||
type = map(object({
|
||||
inherit_from_parent = bool
|
||||
suggested_value = string
|
||||
status = bool
|
||||
values = list(string)
|
||||
}))
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "tag_bindings" {
|
||||
description = "Tag bindings for this folder, in key => tag value id format."
|
||||
type = map(string)
|
||||
@ -19,20 +19,47 @@ module "org" {
|
|||
iam = {
|
||||
"roles/resourcemanager.projectCreator" = ["group:cloud-admins@example.org"]
|
||||
}
|
||||
policy_boolean = {
|
||||
"constraints/compute.disableGuestAttributesAccess" = true
|
||||
"constraints/compute.skipDefaultNetworkCreation" = true
|
||||
}
|
||||
policy_list = {
|
||||
|
||||
org_policies = {
|
||||
"compute.disableGuestAttributesAccess" = {
|
||||
enforce = true
|
||||
}
|
||||
"constraints/compute.skipDefaultNetworkCreation" = {
|
||||
enforce = true
|
||||
}
|
||||
"iam.disableServiceAccountKeyCreation" = {
|
||||
enforce = true
|
||||
}
|
||||
"iam.disableServiceAccountKeyUpload" = {
|
||||
enforce = false
|
||||
rules = [
|
||||
{
|
||||
condition = {
|
||||
expression = "resource.matchTagId(\"tagKeys/1234\", \"tagValues/1234\")"
|
||||
title = "condition"
|
||||
description = "test condition"
|
||||
location = "somewhere"
|
||||
}
|
||||
enforce = true
|
||||
}
|
||||
]
|
||||
}
|
||||
"constraints/iam.allowedPolicyMemberDomains" = {
|
||||
allow = {
|
||||
values = ["C0xxxxxxx", "C0yyyyyyy"]
|
||||
}
|
||||
}
|
||||
"constraints/compute.trustedImageProjects" = {
|
||||
inherit_from_parent = null
|
||||
suggested_value = null
|
||||
status = true
|
||||
values = ["projects/my-project"]
|
||||
allow = {
|
||||
values = ["projects/my-project"]
|
||||
}
|
||||
}
|
||||
"constraints/compute.vmExternalIpAccess" = {
|
||||
deny = { all = true }
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=6
|
||||
# tftest modules=1 resources=10
|
||||
```
|
||||
|
||||
## IAM
|
||||
|
@ -281,7 +308,7 @@ module "org" {
|
|||
| [iam.tf](./iam.tf) | IAM bindings, roles and audit logging resources. | <code>google_organization_iam_audit_config</code> · <code>google_organization_iam_binding</code> · <code>google_organization_iam_custom_role</code> · <code>google_organization_iam_member</code> · <code>google_organization_iam_policy</code> |
|
||||
| [logging.tf](./logging.tf) | Log sinks and supporting resources. | <code>google_bigquery_dataset_iam_member</code> · <code>google_logging_organization_exclusion</code> · <code>google_logging_organization_sink</code> · <code>google_project_iam_member</code> · <code>google_pubsub_topic_iam_member</code> · <code>google_storage_bucket_iam_member</code> |
|
||||
| [main.tf](./main.tf) | Module-level locals and resources. | <code>google_essential_contacts_contact</code> |
|
||||
| [organization-policies.tf](./organization-policies.tf) | Organization-level organization policies. | <code>google_organization_policy</code> |
|
||||
| [organization-policies.tf](./organization-policies.tf) | Organization-level organization policies. | <code>google_org_policy_policy</code> |
|
||||
| [outputs.tf](./outputs.tf) | Module outputs. | |
|
||||
| [tags.tf](./tags.tf) | None | <code>google_tags_tag_binding</code> · <code>google_tags_tag_key</code> · <code>google_tags_tag_key_iam_binding</code> · <code>google_tags_tag_value</code> · <code>google_tags_tag_value_iam_binding</code> |
|
||||
| [variables.tf](./variables.tf) | Module variables. | |
|
||||
|
@ -291,7 +318,7 @@ module "org" {
|
|||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [organization_id](variables.tf#L151) | Organization id in organizations/nnnnnn format. | <code>string</code> | ✓ | |
|
||||
| [organization_id](variables.tf#L191) | Organization id in organizations/nnnnnn format. | <code>string</code> | ✓ | |
|
||||
| [contacts](variables.tf#L17) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [custom_roles](variables.tf#L24) | Map of role name => list of permissions to create in this project. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [firewall_policies](variables.tf#L31) | Hierarchical firewall policy rules created in the organization. | <code title="map(map(object({ action = string description = string direction = string logging = bool ports = map(list(string)) priority = number ranges = list(string) target_resources = list(string) target_service_accounts = list(string) })))">map(map(object({…})))</code> | | <code>{}</code> |
|
||||
|
@ -306,10 +333,9 @@ module "org" {
|
|||
| [iam_bindings_authoritative](variables.tf#L116) | IAM authoritative bindings, in {ROLE => [MEMBERS]} format. Roles and members not explicitly listed will be cleared. Bindings should also be authoritative when using authoritative audit config. Use with caution. | <code>map(list(string))</code> | | <code>null</code> |
|
||||
| [logging_exclusions](variables.tf#L122) | Logging exclusions for this organization in the form {NAME -> FILTER}. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [logging_sinks](variables.tf#L129) | Logging sinks to create for this organization. | <code title="map(object({ destination = string type = string filter = string include_children = bool bq_partitioned_table = bool exclusions = map(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [policy_boolean](variables.tf#L160) | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code>map(bool)</code> | | <code>{}</code> |
|
||||
| [policy_list](variables.tf#L167) | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map(object({ inherit_from_parent = bool suggested_value = string status = bool values = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [tag_bindings](variables.tf#L179) | Tag bindings for this organization, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [tags](variables.tf#L185) | Tags by key name. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = string iam = map(list(string)) values = map(object({ description = string iam = map(list(string)) })) }))">map(object({…}))</code> | | <code>null</code> |
|
||||
| [org_policies](variables.tf#L151) | Organization policies applied to this organization keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. condition = object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [tag_bindings](variables.tf#L200) | Tag bindings for this organization, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [tags](variables.tf#L206) | Tags by key name. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = string iam = map(list(string)) values = map(object({ description = string iam = map(list(string)) })) }))">map(object({…}))</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
@ -320,8 +346,8 @@ module "org" {
|
|||
| [firewall_policies](outputs.tf#L36) | Map of firewall policy resources created in the organization. | |
|
||||
| [firewall_policy_id](outputs.tf#L41) | Map of firewall policy ids created in the organization. | |
|
||||
| [organization_id](outputs.tf#L46) | Organization id dependent on module resources. | |
|
||||
| [sink_writer_identities](outputs.tf#L64) | Writer identities created for each sink. | |
|
||||
| [tag_keys](outputs.tf#L72) | Tag key resources. | |
|
||||
| [tag_values](outputs.tf#L79) | Tag value resources. | |
|
||||
| [sink_writer_identities](outputs.tf#L63) | Writer identities created for each sink. | |
|
||||
| [tag_keys](outputs.tf#L71) | Tag key resources. | |
|
||||
| [tag_values](outputs.tf#L78) | Tag value resources. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
@ -16,83 +16,79 @@
|
|||
|
||||
# tfdoc:file:description Organization-level organization policies.
|
||||
|
||||
resource "google_organization_policy" "boolean" {
|
||||
for_each = var.policy_boolean
|
||||
org_id = local.organization_id_numeric
|
||||
constraint = each.key
|
||||
|
||||
dynamic "boolean_policy" {
|
||||
for_each = each.value == null ? [] : [each.value]
|
||||
iterator = policy
|
||||
content {
|
||||
enforced = policy.value
|
||||
}
|
||||
locals {
|
||||
org_policies = {
|
||||
for k, v in var.org_policies :
|
||||
k => merge(v, {
|
||||
is_boolean_policy = v.allow == null && v.deny == null
|
||||
has_values = (
|
||||
length(coalesce(try(v.allow.values, []), [])) > 0 ||
|
||||
length(coalesce(try(v.deny.values, []), [])) > 0
|
||||
)
|
||||
rules = [
|
||||
for r in v.rules :
|
||||
merge(r, {
|
||||
has_values = (
|
||||
length(coalesce(try(r.allow.values, []), [])) > 0 ||
|
||||
length(coalesce(try(r.deny.values, []), [])) > 0
|
||||
)
|
||||
})
|
||||
]
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "restore_policy" {
|
||||
for_each = each.value == null ? [""] : []
|
||||
content {
|
||||
default = true
|
||||
}
|
||||
}
|
||||
|
||||
depends_on = [
|
||||
google_organization_iam_audit_config.config,
|
||||
google_organization_iam_binding.authoritative,
|
||||
google_organization_iam_custom_role.roles,
|
||||
google_organization_iam_member.additive,
|
||||
google_organization_iam_policy.authoritative,
|
||||
]
|
||||
}
|
||||
|
||||
resource "google_organization_policy" "list" {
|
||||
for_each = var.policy_list
|
||||
org_id = local.organization_id_numeric
|
||||
constraint = each.key
|
||||
|
||||
dynamic "list_policy" {
|
||||
for_each = each.value.status == null ? [] : [each.value]
|
||||
iterator = policy
|
||||
content {
|
||||
inherit_from_parent = policy.value.inherit_from_parent
|
||||
suggested_value = policy.value.suggested_value
|
||||
dynamic "allow" {
|
||||
for_each = policy.value.status ? [""] : []
|
||||
content {
|
||||
values = (
|
||||
try(length(policy.value.values) > 0, false)
|
||||
? policy.value.values
|
||||
: null
|
||||
)
|
||||
all = (
|
||||
try(length(policy.value.values) > 0, false)
|
||||
? null
|
||||
: true
|
||||
)
|
||||
}
|
||||
}
|
||||
dynamic "deny" {
|
||||
for_each = policy.value.status ? [] : [""]
|
||||
content {
|
||||
values = (
|
||||
try(length(policy.value.values) > 0, false)
|
||||
? policy.value.values
|
||||
: null
|
||||
)
|
||||
all = (
|
||||
try(length(policy.value.values) > 0, false)
|
||||
? null
|
||||
: true
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "restore_policy" {
|
||||
for_each = each.value.status == null ? [true] : []
|
||||
content {
|
||||
default = true
|
||||
resource "google_org_policy_policy" "default" {
|
||||
for_each = local.org_policies
|
||||
name = "${var.organization_id}/policies/${each.key}"
|
||||
parent = var.organization_id
|
||||
|
||||
spec {
|
||||
inherit_from_parent = each.value.inherit_from_parent
|
||||
reset = each.value.reset
|
||||
|
||||
rules {
|
||||
allow_all = try(each.value.allow.all, null) == true ? "TRUE" : null
|
||||
deny_all = try(each.value.deny.all, null) == true ? "TRUE" : null
|
||||
enforce = (
|
||||
each.value.is_boolean_policy && each.value.enforce != null
|
||||
? upper(tostring(each.value.enforce))
|
||||
: null
|
||||
)
|
||||
dynamic "values" {
|
||||
for_each = each.value.has_values ? [1] : []
|
||||
content {
|
||||
allowed_values = try(each.value.allow.values, null)
|
||||
denied_values = try(each.value.deny.values, null)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "rules" {
|
||||
for_each = each.value.rules
|
||||
iterator = rule
|
||||
content {
|
||||
allow_all = try(rule.value.allow.all, false) == true ? "TRUE" : null
|
||||
deny_all = try(rule.value.deny.all, false) == true ? "TRUE" : null
|
||||
enforce = (
|
||||
each.value.is_boolean_policy && rule.value.enforce != null
|
||||
? upper(tostring(rule.value.enforce))
|
||||
: null
|
||||
)
|
||||
condition {
|
||||
description = rule.value.condition.description
|
||||
expression = rule.value.condition.expression
|
||||
location = rule.value.condition.location
|
||||
title = rule.value.condition.title
|
||||
}
|
||||
dynamic "values" {
|
||||
for_each = rule.value.has_values ? [1] : []
|
||||
content {
|
||||
allowed_values = try(rule.value.allow.values, null)
|
||||
denied_values = try(rule.value.deny.values, null)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -103,4 +99,5 @@ resource "google_organization_policy" "list" {
|
|||
google_organization_iam_member.additive,
|
||||
google_organization_iam_policy.authoritative,
|
||||
]
|
||||
|
||||
}
|
||||
@ -52,8 +52,7 @@ output "organization_id" {
|
|||
google_organization_iam_custom_role.roles,
|
||||
google_organization_iam_member.additive,
|
||||
google_organization_iam_policy.authoritative,
|
||||
google_organization_policy.boolean,
|
||||
google_organization_policy.list,
|
||||
google_org_policy_policy.default,
|
||||
google_tags_tag_key.default,
|
||||
google_tags_tag_key_iam_binding.default,
|
||||
google_tags_tag_value.default,
|
||||
@ -148,6 +148,46 @@ variable "logging_sinks" {
|
|||
nullable = false
|
||||
}
|
||||
|
||||
variable "org_policies" {
|
||||
description = "Organization policies applied to this organization keyed by policy name."
|
||||
type = map(object({
|
||||
inherit_from_parent = optional(bool) # for list policies only.
|
||||
reset = optional(bool)
|
||||
|
||||
# default (unconditional) values
|
||||
allow = optional(object({
|
||||
all = optional(bool)
|
||||
values = optional(list(string))
|
||||
}))
|
||||
deny = optional(object({
|
||||
all = optional(bool)
|
||||
values = optional(list(string))
|
||||
}))
|
||||
enforce = optional(bool, true) # for boolean policies only.
|
||||
|
||||
# conditional values
|
||||
rules = optional(list(object({
|
||||
allow = optional(object({
|
||||
all = optional(bool)
|
||||
values = optional(list(string))
|
||||
}))
|
||||
deny = optional(object({
|
||||
all = optional(bool)
|
||||
values = optional(list(string))
|
||||
}))
|
||||
enforce = optional(bool, true) # for boolean policies only.
|
||||
condition = object({
|
||||
description = optional(string)
|
||||
expression = optional(string)
|
||||
location = optional(string)
|
||||
title = optional(string)
|
||||
})
|
||||
})), [])
|
||||
}))
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "organization_id" {
|
||||
description = "Organization id in organizations/nnnnnn format."
|
||||
type = string
|
||||
|
@ -157,25 +197,6 @@ variable "organization_id" {
|
|||
}
|
||||
}
|
||||
|
||||
variable "policy_boolean" {
|
||||
description = "Map of boolean org policies and enforcement value, set value to null for policy restore."
|
||||
type = map(bool)
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "policy_list" {
|
||||
description = "Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny."
|
||||
type = map(object({
|
||||
inherit_from_parent = bool
|
||||
suggested_value = string
|
||||
status = bool
|
||||
values = list(string)
|
||||
}))
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "tag_bindings" {
|
||||
description = "Tag bindings for this organization, in key => tag value id format."
|
||||
type = map(string)
|
||||
@ -167,20 +167,46 @@ module "project" {
|
|||
"container.googleapis.com",
|
||||
"stackdriver.googleapis.com"
|
||||
]
|
||||
policy_boolean = {
|
||||
"constraints/compute.disableGuestAttributesAccess" = true
|
||||
"constraints/compute.skipDefaultNetworkCreation" = true
|
||||
}
|
||||
policy_list = {
|
||||
org_policies = {
|
||||
"compute.disableGuestAttributesAccess" = {
|
||||
enforce = true
|
||||
}
|
||||
"constraints/compute.skipDefaultNetworkCreation" = {
|
||||
enforce = true
|
||||
}
|
||||
"iam.disableServiceAccountKeyCreation" = {
|
||||
enforce = true
|
||||
}
|
||||
"iam.disableServiceAccountKeyUpload" = {
|
||||
enforce = false
|
||||
rules = [
|
||||
{
|
||||
condition = {
|
||||
expression = "resource.matchTagId(\"tagKeys/1234\", \"tagValues/1234\")"
|
||||
title = "condition"
|
||||
description = "test condition"
|
||||
location = "somewhere"
|
||||
}
|
||||
enforce = true
|
||||
}
|
||||
]
|
||||
}
|
||||
"constraints/iam.allowedPolicyMemberDomains" = {
|
||||
allow = {
|
||||
values = ["C0xxxxxxx", "C0yyyyyyy"]
|
||||
}
|
||||
}
|
||||
"constraints/compute.trustedImageProjects" = {
|
||||
inherit_from_parent = null
|
||||
suggested_value = null
|
||||
status = true
|
||||
values = ["projects/my-project"]
|
||||
allow = {
|
||||
values = ["projects/my-project"]
|
||||
}
|
||||
}
|
||||
"constraints/compute.vmExternalIpAccess" = {
|
||||
deny = { all = true }
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=6
|
||||
# tftest modules=1 resources=10
|
||||
```
|
||||
|
||||
## Logging Sinks
|
||||
|
@ -349,7 +375,7 @@ output "compute_robot" {
|
|||
| [iam.tf](./iam.tf) | Generic and OSLogin-specific IAM bindings and roles. | <code>google_project_iam_binding</code> · <code>google_project_iam_custom_role</code> · <code>google_project_iam_member</code> |
|
||||
| [logging.tf](./logging.tf) | Log sinks and supporting resources. | <code>google_bigquery_dataset_iam_member</code> · <code>google_logging_project_exclusion</code> · <code>google_logging_project_sink</code> · <code>google_project_iam_member</code> · <code>google_pubsub_topic_iam_member</code> · <code>google_storage_bucket_iam_member</code> |
|
||||
| [main.tf](./main.tf) | Module-level locals and resources. | <code>google_compute_project_metadata_item</code> · <code>google_essential_contacts_contact</code> · <code>google_monitoring_monitored_project</code> · <code>google_project</code> · <code>google_project_service</code> · <code>google_resource_manager_lien</code> |
|
||||
| [organization-policies.tf](./organization-policies.tf) | Project-level organization policies. | <code>google_project_organization_policy</code> |
|
||||
| [organization-policies.tf](./organization-policies.tf) | Project-level organization policies. | <code>google_org_policy_policy</code> |
|
||||
| [outputs.tf](./outputs.tf) | Module outputs. | |
|
||||
| [service-accounts.tf](./service-accounts.tf) | Service identities and supporting resources. | <code>google_kms_crypto_key_iam_member</code> · <code>google_project_default_service_accounts</code> · <code>google_project_iam_member</code> · <code>google_project_service_identity</code> |
|
||||
| [shared-vpc.tf](./shared-vpc.tf) | Shared VPC project-level configuration. | <code>google_compute_shared_vpc_host_project</code> · <code>google_compute_shared_vpc_service_project</code> · <code>google_project_iam_member</code> |
|
||||
|
@ -367,8 +393,8 @@ output "compute_robot" {
|
|||
| [billing_account](variables.tf#L23) | Billing account id. | <code>string</code> | | <code>null</code> |
|
||||
| [contacts](variables.tf#L29) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [custom_roles](variables.tf#L36) | Map of role name => list of permissions to create in this project. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [default_service_account](variables.tf#L49) | Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`. | <code>string</code> | | <code>"keep"</code> |
|
||||
| [descriptive_name](variables.tf#L43) | Name of the project name. Used for project name instead of `name` variable. | <code>string</code> | | <code>null</code> |
|
||||
| [default_service_account](variables.tf#L43) | Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`. | <code>string</code> | | <code>"keep"</code> |
|
||||
| [descriptive_name](variables.tf#L49) | Name of the project name. Used for project name instead of `name` variable. | <code>string</code> | | <code>null</code> |
|
||||
| [group_iam](variables.tf#L55) | Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the `iam` variable. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam](variables.tf#L62) | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_additive](variables.tf#L69) | IAM additive bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
|
@ -378,23 +404,22 @@ output "compute_robot" {
|
|||
| [logging_exclusions](variables.tf#L95) | Logging exclusions for this project in the form {NAME -> FILTER}. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [logging_sinks](variables.tf#L102) | Logging sinks to create for this project. | <code title="map(object({ destination = string type = string filter = string iam = bool unique_writer = bool exclusions = map(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [metric_scopes](variables.tf#L124) | List of projects that will act as metric scopes for this project. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [oslogin](variables.tf#L136) | Enable OS Login. | <code>bool</code> | | <code>false</code> |
|
||||
| [oslogin_admins](variables.tf#L142) | List of IAM-style identities that will be granted roles necessary for OS Login administrators. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [oslogin_users](variables.tf#L150) | List of IAM-style identities that will be granted roles necessary for OS Login users. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [parent](variables.tf#L157) | Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. | <code>string</code> | | <code>null</code> |
|
||||
| [policy_boolean](variables.tf#L167) | Map of boolean org policies and enforcement value, set value to null for policy restore. | <code>map(bool)</code> | | <code>{}</code> |
|
||||
| [policy_list](variables.tf#L174) | Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny. | <code title="map(object({ inherit_from_parent = bool suggested_value = string status = bool values = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [prefix](variables.tf#L186) | Prefix used to generate project id and name. | <code>string</code> | | <code>null</code> |
|
||||
| [project_create](variables.tf#L192) | Create project. When set to false, uses a data source to reference existing project. | <code>bool</code> | | <code>true</code> |
|
||||
| [service_config](variables.tf#L198) | Configure service API activation. | <code title="object({ disable_on_destroy = bool disable_dependent_services = bool })">object({…})</code> | | <code title="{ disable_on_destroy = false disable_dependent_services = false }">{…}</code> |
|
||||
| [service_encryption_key_ids](variables.tf#L210) | Cloud KMS encryption key in {SERVICE => [KEY_URL]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [service_perimeter_bridges](variables.tf#L217) | Name of VPC-SC Bridge perimeters to add project into. See comment in the variables file for format. | <code>list(string)</code> | | <code>null</code> |
|
||||
| [service_perimeter_standard](variables.tf#L224) | Name of VPC-SC Standard perimeter to add project into. See comment in the variables file for format. | <code>string</code> | | <code>null</code> |
|
||||
| [services](variables.tf#L230) | Service APIs to enable. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [shared_vpc_host_config](variables.tf#L236) | Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project). | <code title="object({ enabled = bool service_projects = optional(list(string), []) })">object({…})</code> | | <code>null</code> |
|
||||
| [shared_vpc_service_config](variables.tf#L245) | Configures this project as a Shared VPC service project (mutually exclusive with shared_vpc_host_config). | <code title="object({ host_project = string service_identity_iam = optional(map(list(string))) })">object({…})</code> | | <code>null</code> |
|
||||
| [skip_delete](variables.tf#L255) | Allows the underlying resources to be destroyed without destroying the project itself. | <code>bool</code> | | <code>false</code> |
|
||||
| [tag_bindings](variables.tf#L261) | Tag bindings for this project, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [org_policies](variables.tf#L136) | Organization policies applied to this project keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool, true) # for boolean policies only. condition = object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [oslogin](variables.tf#L176) | Enable OS Login. | <code>bool</code> | | <code>false</code> |
|
||||
| [oslogin_admins](variables.tf#L182) | List of IAM-style identities that will be granted roles necessary for OS Login administrators. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [oslogin_users](variables.tf#L190) | List of IAM-style identities that will be granted roles necessary for OS Login users. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [parent](variables.tf#L197) | Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. | <code>string</code> | | <code>null</code> |
|
||||
| [prefix](variables.tf#L207) | Prefix used to generate project id and name. | <code>string</code> | | <code>null</code> |
|
||||
| [project_create](variables.tf#L213) | Create project. When set to false, uses a data source to reference existing project. | <code>bool</code> | | <code>true</code> |
|
||||
| [service_config](variables.tf#L219) | Configure service API activation. | <code title="object({ disable_on_destroy = bool disable_dependent_services = bool })">object({…})</code> | | <code title="{ disable_on_destroy = false disable_dependent_services = false }">{…}</code> |
|
||||
| [service_encryption_key_ids](variables.tf#L231) | Cloud KMS encryption key in {SERVICE => [KEY_URL]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [service_perimeter_bridges](variables.tf#L238) | Name of VPC-SC Bridge perimeters to add project into. See comment in the variables file for format. | <code>list(string)</code> | | <code>null</code> |
|
||||
| [service_perimeter_standard](variables.tf#L245) | Name of VPC-SC Standard perimeter to add project into. See comment in the variables file for format. | <code>string</code> | | <code>null</code> |
|
||||
| [services](variables.tf#L251) | Service APIs to enable. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [shared_vpc_host_config](variables.tf#L257) | Configures this project as a Shared VPC host project (mutually exclusive with shared_vpc_service_project). | <code title="object({ enabled = bool service_projects = optional(list(string), []) })">object({…})</code> | | <code>null</code> |
|
||||
| [shared_vpc_service_config](variables.tf#L266) | Configures this project as a Shared VPC service project (mutually exclusive with shared_vpc_host_config). | <code title="object({ host_project = string service_identity_iam = optional(map(list(string))) })">object({…})</code> | | <code>null</code> |
|
||||
| [skip_delete](variables.tf#L276) | Allows the underlying resources to be destroyed without destroying the project itself. | <code>bool</code> | | <code>false</code> |
|
||||
| [tag_bindings](variables.tf#L282) | Tag bindings for this project, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
@ -402,9 +427,9 @@ output "compute_robot" {
|
|||
|---|---|:---:|
|
||||
| [custom_roles](outputs.tf#L17) | Ids of the created custom roles. | |
|
||||
| [name](outputs.tf#L25) | Project name. | |
|
||||
| [number](outputs.tf#L38) | Project number. | |
|
||||
| [project_id](outputs.tf#L56) | Project id. | |
|
||||
| [service_accounts](outputs.tf#L76) | Product robot service accounts in project. | |
|
||||
| [sink_writer_identities](outputs.tf#L92) | Writer identities created for each sink. | |
|
||||
| [number](outputs.tf#L37) | Project number. | |
|
||||
| [project_id](outputs.tf#L54) | Project id. | |
|
||||
| [service_accounts](outputs.tf#L73) | Product robot service accounts in project. | |
|
||||
| [sink_writer_identities](outputs.tf#L89) | Writer identities created for each sink. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
|
|
@ -16,75 +16,79 @@
|
|||
|
||||
# tfdoc:file:description Project-level organization policies.
|
||||
|
||||
resource "google_project_organization_policy" "boolean" {
|
||||
for_each = var.policy_boolean
|
||||
project = local.project.project_id
|
||||
constraint = each.key
|
||||
|
||||
dynamic "boolean_policy" {
|
||||
for_each = each.value == null ? [] : [each.value]
|
||||
iterator = policy
|
||||
content {
|
||||
enforced = policy.value
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "restore_policy" {
|
||||
for_each = each.value == null ? [""] : []
|
||||
content {
|
||||
default = true
|
||||
}
|
||||
locals {
|
||||
org_policies = {
|
||||
for k, v in var.org_policies :
|
||||
k => merge(v, {
|
||||
is_boolean_policy = v.allow == null && v.deny == null
|
||||
has_values = (
|
||||
length(coalesce(try(v.allow.values, []), [])) > 0 ||
|
||||
length(coalesce(try(v.deny.values, []), [])) > 0
|
||||
)
|
||||
rules = [
|
||||
for r in v.rules :
|
||||
merge(r, {
|
||||
has_values = (
|
||||
length(coalesce(try(r.allow.values, []), [])) > 0 ||
|
||||
length(coalesce(try(r.deny.values, []), [])) > 0
|
||||
)
|
||||
})
|
||||
]
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_project_organization_policy" "list" {
|
||||
for_each = var.policy_list
|
||||
project = local.project.project_id
|
||||
constraint = each.key
|
||||
resource "google_org_policy_policy" "default" {
|
||||
for_each = local.org_policies
|
||||
name = "projects/${local.project.project_id}/policies/${each.key}"
|
||||
parent = "projects/${local.project.project_id}"
|
||||
|
||||
dynamic "list_policy" {
|
||||
for_each = each.value.status == null ? [] : [each.value]
|
||||
iterator = policy
|
||||
content {
|
||||
inherit_from_parent = policy.value.inherit_from_parent
|
||||
suggested_value = policy.value.suggested_value
|
||||
dynamic "allow" {
|
||||
for_each = policy.value.status ? [""] : []
|
||||
spec {
|
||||
inherit_from_parent = each.value.inherit_from_parent
|
||||
reset = each.value.reset
|
||||
|
||||
rules {
|
||||
allow_all = try(each.value.allow.all, null) == true ? "TRUE" : null
|
||||
deny_all = try(each.value.deny.all, null) == true ? "TRUE" : null
|
||||
enforce = (
|
||||
each.value.is_boolean_policy && each.value.enforce != null
|
||||
? upper(tostring(each.value.enforce))
|
||||
: null
|
||||
)
|
||||
dynamic "values" {
|
||||
for_each = each.value.has_values ? [1] : []
|
||||
content {
|
||||
values = (
|
||||
try(length(policy.value.values) > 0, false)
|
||||
? policy.value.values
|
||||
: null
|
||||
)
|
||||
all = (
|
||||
try(length(policy.value.values) > 0, false)
|
||||
? null
|
||||
: true
|
||||
)
|
||||
allowed_values = try(each.value.allow.values, null)
|
||||
denied_values = try(each.value.deny.values, null)
|
||||
}
|
||||
}
|
||||
dynamic "deny" {
|
||||
for_each = policy.value.status ? [] : [""]
|
||||
content {
|
||||
values = (
|
||||
try(length(policy.value.values) > 0, false)
|
||||
? policy.value.values
|
||||
: null
|
||||
)
|
||||
all = (
|
||||
try(length(policy.value.values) > 0, false)
|
||||
? null
|
||||
: true
|
||||
)
|
||||
}
|
||||
|
||||
dynamic "rules" {
|
||||
for_each = each.value.rules
|
||||
iterator = rule
|
||||
content {
|
||||
allow_all = try(rule.value.allow.all, false) == true ? "TRUE" : null
|
||||
deny_all = try(rule.value.deny.all, false) == true ? "TRUE" : null
|
||||
enforce = (
|
||||
each.value.is_boolean_policy && rule.value.enforce != null
|
||||
? upper(tostring(rule.value.enforce))
|
||||
: null
|
||||
)
|
||||
condition {
|
||||
description = rule.value.condition.description
|
||||
expression = rule.value.condition.expression
|
||||
location = rule.value.condition.location
|
||||
title = rule.value.condition.title
|
||||
}
|
||||
dynamic "values" {
|
||||
for_each = rule.value.has_values ? [1] : []
|
||||
content {
|
||||
allowed_values = try(rule.value.allow.values, null)
|
||||
denied_values = try(rule.value.deny.values, null)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "restore_policy" {
|
||||
for_each = each.value.status == null ? [true] : []
|
||||
content {
|
||||
default = true
|
||||
}
|
||||
}
|
||||
}
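Review bot: `is_boolean_policy` in the new `locals` block is derived only from the top-level `allow`/`deny`, so a list constraint configured purely through conditional `rules` (no unconditional `allow`/`deny`) is classified as boolean and every emitted rule gets `enforce = "TRUE"` next to its `allowed_values`/`denied_values`, which the provider is unlikely to accept. The same default bites `reset`: with `enforce` defaulting to true, a `reset = true` entry still produces a populated unconditional `rules` block, whereas the removed `restore_policy` path emitted nothing else, and as far as I recall the v2 OrgPolicy API rejects a spec that combines `reset` with non-empty rules, so this looks like a regression that none of the new tests cover. Computing the flag over the rules as well fixes the first point, e.g. `is_boolean_policy = v.allow == null && v.deny == null && alltrue([for r in v.rules : r.allow == null && r.deny == null])`, and the unconditional `rules` block could become a `dynamic "rules"` that is skipped when `each.value.reset == true`.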
|
||||
|
|
|
@ -26,8 +26,7 @@ output "name" {
|
|||
description = "Project name."
|
||||
value = local.project.name
|
||||
depends_on = [
|
||||
google_project_organization_policy.boolean,
|
||||
google_project_organization_policy.list,
|
||||
google_org_policy_policy.default,
|
||||
google_project_service.project_services,
|
||||
google_compute_shared_vpc_service_project.service_projects,
|
||||
google_project_iam_member.shared_vpc_host_robots,
|
||||
|
@ -39,8 +38,7 @@ output "number" {
|
|||
description = "Project number."
|
||||
value = local.project.number
|
||||
depends_on = [
|
||||
google_project_organization_policy.boolean,
|
||||
google_project_organization_policy.list,
|
||||
google_org_policy_policy.default,
|
||||
google_project_service.project_services,
|
||||
google_compute_shared_vpc_host_project.shared_vpc_host,
|
||||
google_compute_shared_vpc_service_project.shared_vpc_service,
|
||||
|
@ -59,8 +57,7 @@ output "project_id" {
|
|||
depends_on = [
|
||||
google_project.project,
|
||||
data.google_project.project,
|
||||
google_project_organization_policy.boolean,
|
||||
google_project_organization_policy.list,
|
||||
google_org_policy_policy.default,
|
||||
google_project_service.project_services,
|
||||
google_compute_shared_vpc_host_project.shared_vpc_host,
|
||||
google_compute_shared_vpc_service_project.shared_vpc_service,
|
||||
|
|
|
@ -40,18 +40,18 @@ variable "custom_roles" {
|
|||
nullable = false
|
||||
}
|
||||
|
||||
variable "descriptive_name" {
|
||||
description = "Name of the project name. Used for project name instead of `name` variable."
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "default_service_account" {
|
||||
description = "Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`."
|
||||
default = "keep"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "descriptive_name" {
|
||||
description = "Name of the project name. Used for project name instead of `name` variable."
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "group_iam" {
|
||||
description = "Authoritative IAM binding for organization groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the `iam` variable."
|
||||
type = map(list(string))
|
||||
|
@ -133,6 +133,46 @@ variable "name" {
|
|||
type = string
|
||||
}
|
||||
|
||||
variable "org_policies" {
|
||||
description = "Organization policies applied to this project keyed by policy name."
|
||||
type = map(object({
|
||||
inherit_from_parent = optional(bool) # for list policies only.
|
||||
reset = optional(bool)
|
||||
|
||||
# default (unconditional) values
|
||||
allow = optional(object({
|
||||
all = optional(bool)
|
||||
values = optional(list(string))
|
||||
}))
|
||||
deny = optional(object({
|
||||
all = optional(bool)
|
||||
values = optional(list(string))
|
||||
}))
|
||||
enforce = optional(bool, true) # for boolean policies only.
|
||||
|
||||
# conditional values
|
||||
rules = optional(list(object({
|
||||
allow = optional(object({
|
||||
all = optional(bool)
|
||||
values = optional(list(string))
|
||||
}))
|
||||
deny = optional(object({
|
||||
all = optional(bool)
|
||||
values = optional(list(string))
|
||||
}))
|
||||
enforce = optional(bool, true) # for boolean policies only.
|
||||
condition = object({
|
||||
description = optional(string)
|
||||
expression = optional(string)
|
||||
location = optional(string)
|
||||
title = optional(string)
|
||||
})
|
||||
})), [])
|
||||
}))
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "oslogin" {
|
||||
description = "Enable OS Login."
|
||||
type = bool
|
||||
|
@ -164,25 +204,6 @@ variable "parent" {
|
|||
}
|
||||
}
|
||||
|
||||
variable "policy_boolean" {
|
||||
description = "Map of boolean org policies and enforcement value, set value to null for policy restore."
|
||||
type = map(bool)
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "policy_list" {
|
||||
description = "Map of list org policies, status is true for allow, false for deny, null for restore. Values can only be used for allow or deny."
|
||||
type = map(object({
|
||||
inherit_from_parent = bool
|
||||
suggested_value = string
|
||||
status = bool
|
||||
values = list(string)
|
||||
}))
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "prefix" {
|
||||
description = "Prefix used to generate project id and name."
|
||||
type = string
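Review bot: The `org_policies` description in the new variable block does not tell callers how the schema is interpreted: `enforce = optional(bool, true)` means a bare `"constraint" = {}` entry enforces a boolean constraint, `condition` is mandatory inside `rules` even though every field of it is optional, and nothing says that `reset` is meant to be used on its own rather than together with `allow`/`deny`/`rules`. Suggest expanding it to something like `"Organization policies applied to this project keyed by policy name. Boolean constraints are enforced unless enforce = false; allow/deny apply unconditionally, rules hold conditional allow/deny/enforce and require a condition; reset restores the parent default and should not be combined with allow/deny/rules."`. The folder and organization modules presumably gain the same variable in this commit (their test fixtures now pass `org_policies`), so the wording should be mirrored there.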
|
||||
|
|
|
@ -22,10 +22,9 @@ module "test" {
|
|||
iam = var.iam
|
||||
iam_additive = var.iam_additive
|
||||
iam_additive_members = var.iam_additive_members
|
||||
policy_boolean = var.policy_boolean
|
||||
policy_list = var.policy_list
|
||||
firewall_policies = var.firewall_policies
|
||||
firewall_policy_association = var.firewall_policy_association
|
||||
logging_sinks = var.logging_sinks
|
||||
logging_exclusions = var.logging_exclusions
|
||||
org_policies = var.org_policies
|
||||
}
|
||||
|
|
|
@ -34,16 +34,6 @@ variable "iam_additive_members" {
|
|||
default = {}
|
||||
}
|
||||
|
||||
variable "policy_boolean" {
|
||||
type = any
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "policy_list" {
|
||||
type = any
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "firewall_policies" {
|
||||
type = any
|
||||
default = {}
|
||||
|
@ -63,3 +53,8 @@ variable "logging_exclusions" {
|
|||
type = any
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "org_policies" {
|
||||
type = any
|
||||
default = {}
|
||||
}
|
||||
|
|
|
@ -12,56 +12,212 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
def test_sink(plan_runner):
|
||||
"Test folder-level sink."
|
||||
policy_boolean = '{policy-a = true, policy-b = false, policy-c = null}'
|
||||
_, resources = plan_runner(policy_boolean=policy_boolean)
|
||||
|
||||
def test_policy_boolean(plan_runner):
|
||||
"Test boolean org policy."
|
||||
policies = '''{
|
||||
"iam.disableServiceAccountKeyCreation" = {
|
||||
enforce = true
|
||||
}
|
||||
"iam.disableServiceAccountKeyUpload" = {
|
||||
enforce = false
|
||||
rules = [
|
||||
{
|
||||
condition = {
|
||||
expression = "resource.matchTagId(\\"tagKeys/1234\\", \\"tagValues/1234\\")"
|
||||
title = "condition"
|
||||
description = "test condition"
|
||||
location = "xxx"
|
||||
}
|
||||
enforce = true
|
||||
}
|
||||
]
|
||||
}
|
||||
}'''
|
||||
_, resources = plan_runner(org_policies=policies)
|
||||
assert len(resources) == 3
|
||||
|
||||
policies = [r for r in resources if r['type'] == 'google_org_policy_policy']
|
||||
assert len(policies) == 2
|
||||
|
||||
p1 = [
|
||||
r['values']['spec'][0]
|
||||
for r in policies
|
||||
if r['index'] == 'iam.disableServiceAccountKeyCreation'
|
||||
][0]
|
||||
|
||||
assert p1['inherit_from_parent'] is None
|
||||
assert p1['reset'] is None
|
||||
assert p1['rules'] == [{
|
||||
'allow_all': None,
|
||||
'condition': [],
|
||||
'deny_all': None,
|
||||
'enforce': 'TRUE',
|
||||
'values': []
|
||||
}]
|
||||
|
||||
p2 = [
|
||||
r['values']['spec'][0]
|
||||
for r in policies
|
||||
if r['index'] == 'iam.disableServiceAccountKeyUpload'
|
||||
][0]
|
||||
|
||||
assert p2['inherit_from_parent'] is None
|
||||
assert p2['reset'] is None
|
||||
assert len(p2['rules']) == 2
|
||||
assert p2['rules'][0] == {
|
||||
'allow_all': None,
|
||||
'condition': [],
|
||||
'deny_all': None,
|
||||
'enforce': 'FALSE',
|
||||
'values': []
|
||||
}
|
||||
assert p2['rules'][1] == {
|
||||
'allow_all': None,
|
||||
'condition': [{
|
||||
'description': 'test condition',
|
||||
'expression': 'resource.matchTagId("tagKeys/1234", "tagValues/1234")',
|
||||
'location': 'xxx',
|
||||
'title': 'condition'
|
||||
}],
|
||||
'deny_all': None,
|
||||
'enforce': 'TRUE',
|
||||
'values': []
|
||||
}
|
||||
|
||||
|
||||
def test_policy_list(plan_runner):
|
||||
"Test list org policy."
|
||||
policies = '''{
|
||||
"compute.vmExternalIpAccess" = {
|
||||
deny = { all = true }
|
||||
}
|
||||
"iam.allowedPolicyMemberDomains" = {
|
||||
allow = {
|
||||
values = ["C0xxxxxxx", "C0yyyyyyy"]
|
||||
}
|
||||
}
|
||||
"compute.restrictLoadBalancerCreationForTypes" = {
|
||||
deny = { values = ["in:EXTERNAL"] }
|
||||
rules = [
|
||||
{
|
||||
condition = {
|
||||
expression = "resource.matchTagId(\\"tagKeys/1234\\", \\"tagValues/1234\\")"
|
||||
title = "condition"
|
||||
description = "test condition"
|
||||
location = "xxx"
|
||||
}
|
||||
allow = {
|
||||
values = ["EXTERNAL_1"]
|
||||
}
|
||||
},
|
||||
{
|
||||
condition = {
|
||||
expression = "resource.matchTagId(\\"tagKeys/12345\\", \\"tagValues/12345\\")"
|
||||
title = "condition2"
|
||||
description = "test condition2"
|
||||
location = "xxx"
|
||||
}
|
||||
allow = {
|
||||
all = true
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}'''
|
||||
_, resources = plan_runner(org_policies=policies)
|
||||
assert len(resources) == 4
|
||||
resources = [r for r in resources if r['type']
|
||||
== 'google_folder_organization_policy']
|
||||
assert sorted([r['index'] for r in resources]) == [
|
||||
'policy-a',
|
||||
'policy-b',
|
||||
'policy-c',
|
||||
]
|
||||
policy_values = []
|
||||
for resource in resources:
|
||||
for policy in ('boolean_policy', 'restore_policy'):
|
||||
value = resource['values'][policy]
|
||||
if value:
|
||||
policy_values.append((resource['index'], policy,) + value[0].popitem())
|
||||
assert sorted(policy_values) == [
|
||||
('policy-a', 'boolean_policy', 'enforced', True),
|
||||
('policy-b', 'boolean_policy', 'enforced', False),
|
||||
('policy-c', 'restore_policy', 'default', True),
|
||||
]
|
||||
|
||||
policies = [r for r in resources if r['type'] == 'google_org_policy_policy']
|
||||
assert len(policies) == 3
|
||||
|
||||
def test_exclussions(plan_runner):
|
||||
"Test folder-level logging exclusions."
|
||||
policy_list = (
|
||||
'{'
|
||||
'policy-a = {inherit_from_parent = true, suggested_value = null, status = true, values = []}, '
|
||||
'policy-b = {inherit_from_parent = null, suggested_value = "foo", status = false, values = ["bar"]}, '
|
||||
'policy-c = {inherit_from_parent = null, suggested_value = true, status = null, values = null}'
|
||||
'}'
|
||||
)
|
||||
_, resources = plan_runner(policy_list=policy_list)
|
||||
assert len(resources) == 4
|
||||
resources = [r for r in resources if r['type']
|
||||
== 'google_folder_organization_policy']
|
||||
assert sorted([r['index'] for r in resources]) == [
|
||||
'policy-a',
|
||||
'policy-b',
|
||||
'policy-c',
|
||||
]
|
||||
values = [r['values'] for r in resources]
|
||||
assert [r['constraint'] for r in values] == [
|
||||
'policy-a', 'policy-b', 'policy-c'
|
||||
]
|
||||
assert values[0]['list_policy'][0]['allow'] == [
|
||||
{'all': True, 'values': None}]
|
||||
assert values[1]['list_policy'][0]['deny'] == [
|
||||
{'all': False, 'values': ["bar"]}]
|
||||
assert values[2]['restore_policy'] == [{'default': True}]
|
||||
p1 = [
|
||||
r['values']['spec'][0]
|
||||
for r in policies
|
||||
if r['index'] == 'compute.vmExternalIpAccess'
|
||||
][0]
|
||||
assert p1['inherit_from_parent'] is None
|
||||
assert p1['reset'] is None
|
||||
assert p1['rules'] == [{
|
||||
'allow_all': None,
|
||||
'condition': [],
|
||||
'deny_all': 'TRUE',
|
||||
'enforce': None,
|
||||
'values': []
|
||||
}]
|
||||
|
||||
p2 = [
|
||||
r['values']['spec'][0]
|
||||
for r in policies
|
||||
if r['index'] == 'iam.allowedPolicyMemberDomains'
|
||||
][0]
|
||||
assert p2['inherit_from_parent'] is None
|
||||
assert p2['reset'] is None
|
||||
assert p2['rules'] == [{
|
||||
'allow_all':
|
||||
None,
|
||||
'condition': [],
|
||||
'deny_all':
|
||||
None,
|
||||
'enforce':
|
||||
None,
|
||||
'values': [{
|
||||
'allowed_values': [
|
||||
'C0xxxxxxx',
|
||||
'C0yyyyyyy',
|
||||
],
|
||||
'denied_values': None
|
||||
}]
|
||||
}]
|
||||
|
||||
p3 = [
|
||||
r['values']['spec'][0]
|
||||
for r in policies
|
||||
if r['index'] == 'compute.restrictLoadBalancerCreationForTypes'
|
||||
][0]
|
||||
assert p3['inherit_from_parent'] is None
|
||||
assert p3['reset'] is None
|
||||
assert len(p3['rules']) == 3
|
||||
assert p3['rules'][0] == {
|
||||
'allow_all': None,
|
||||
'condition': [],
|
||||
'deny_all': None,
|
||||
'enforce': None,
|
||||
'values': [{
|
||||
'allowed_values': None,
|
||||
'denied_values': ['in:EXTERNAL']
|
||||
}]
|
||||
}
|
||||
|
||||
assert p3['rules'][1] == {
|
||||
'allow_all': None,
|
||||
'condition': [{
|
||||
'description': 'test condition',
|
||||
'expression': 'resource.matchTagId("tagKeys/1234", "tagValues/1234")',
|
||||
'location': 'xxx',
|
||||
'title': 'condition'
|
||||
}],
|
||||
'deny_all': None,
|
||||
'enforce': None,
|
||||
'values': [{
|
||||
'allowed_values': ['EXTERNAL_1'],
|
||||
'denied_values': None
|
||||
}]
|
||||
}
|
||||
|
||||
assert p3['rules'][2] == {
|
||||
'allow_all': 'TRUE',
|
||||
'condition': [{
|
||||
'description':
|
||||
'test condition2',
|
||||
'expression':
|
||||
'resource.matchTagId("tagKeys/12345", "tagValues/12345")',
|
||||
'location':
|
||||
'xxx',
|
||||
'title':
|
||||
'condition2'
|
||||
}],
|
||||
'deny_all': None,
|
||||
'enforce': None,
|
||||
'values': []
|
||||
}
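Review bot: Neither `test_policy_boolean` nor `test_policy_list` in this file asserts the `parent` (or `name`) of the generated `google_org_policy_policy` resources, while the organization variant added in this commit checks `parent == 'organizations/1234567890'`; a regression in the `parent`/`name` interpolation would attach the policy to a different resource without failing these tests. After the `assert len(policies) == 3` line, add `assert all(p['values']['parent'] == 'folders/<FIXTURE_FOLDER_ID>' for p in policies)` with the fixture's folder id (placeholder, not on this page), and the same check in `test_policy_boolean`. The `test_policy_list` fixture covers a policy that combines an unconditional `deny` with conditional rules but has no `reset = true` entry, which would be the cheapest way to pin the reset behaviour of the new resource.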
|
||||
|
|
|
@ -28,8 +28,7 @@ module "test" {
|
|||
iam_audit_config = var.iam_audit_config
|
||||
logging_sinks = var.logging_sinks
|
||||
logging_exclusions = var.logging_exclusions
|
||||
policy_boolean = var.policy_boolean
|
||||
policy_list = var.policy_list
|
||||
org_policies = var.org_policies
|
||||
tag_bindings = var.tag_bindings
|
||||
tags = var.tags
|
||||
}
|
||||
|
|
|
@ -44,16 +44,6 @@ variable "iam_audit_config" {
|
|||
default = {}
|
||||
}
|
||||
|
||||
variable "policy_boolean" {
|
||||
type = any
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "policy_list" {
|
||||
type = any
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "firewall_policies" {
|
||||
type = any
|
||||
default = {}
|
||||
|
@ -79,6 +69,11 @@ variable "logging_exclusions" {
|
|||
default = {}
|
||||
}
|
||||
|
||||
variable "org_policies" {
|
||||
type = any
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "tag_bindings" {
|
||||
type = any
|
||||
default = null
|
||||
|
|
|
@ -12,13 +12,14 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
|
||||
def test_audit_config(plan_runner):
|
||||
"Test audit config."
|
||||
iam_audit_config = '{allServices={DATA_READ=[], DATA_WRITE=["user:me@example.org"]}}'
|
||||
_, resources = plan_runner(iam_audit_config=iam_audit_config)
|
||||
assert len(resources) == 1
|
||||
log_types = set(r['log_type']
|
||||
for r in resources[0]['values']['audit_log_config'])
|
||||
log_types = set(
|
||||
r['log_type'] for r in resources[0]['values']['audit_log_config'])
|
||||
assert log_types == set(['DATA_READ', 'DATA_WRITE'])
|
||||
|
||||
|
||||
|
@ -28,21 +29,21 @@ def test_iam(plan_runner):
|
|||
'{'
|
||||
'"owners@example.org" = ["roles/owner", "roles/resourcemanager.folderAdmin"],'
|
||||
'"viewers@example.org" = ["roles/viewer"]'
|
||||
'}'
|
||||
)
|
||||
iam = (
|
||||
'{'
|
||||
'"roles/owner" = ["user:one@example.org", "user:two@example.org"],'
|
||||
'"roles/browser" = ["domain:example.org"]'
|
||||
'}'
|
||||
)
|
||||
'}')
|
||||
iam = ('{'
|
||||
'"roles/owner" = ["user:one@example.org", "user:two@example.org"],'
|
||||
'"roles/browser" = ["domain:example.org"]'
|
||||
'}')
|
||||
_, resources = plan_runner(group_iam=group_iam, iam=iam)
|
||||
roles = sorted([(r['values']['role'], sorted(r['values']['members']))
|
||||
for r in resources if r['type'] == 'google_organization_iam_binding'])
|
||||
for r in resources
|
||||
if r['type'] == 'google_organization_iam_binding'])
|
||||
assert roles == [
|
||||
('roles/browser', ['domain:example.org']),
|
||||
('roles/owner', ['group:owners@example.org', 'user:one@example.org',
|
||||
'user:two@example.org']),
|
||||
('roles/owner', [
|
||||
'group:owners@example.org', 'user:one@example.org',
|
||||
'user:two@example.org'
|
||||
]),
|
||||
('roles/resourcemanager.folderAdmin', ['group:owners@example.org']),
|
||||
('roles/viewer', ['group:viewers@example.org']),
|
||||
]
|
||||
|
@ -50,55 +51,12 @@ def test_iam(plan_runner):
|
|||
|
||||
def test_iam_additive_members(plan_runner):
|
||||
"Test IAM additive members."
|
||||
iam = (
|
||||
'{"user:one@example.org" = ["roles/owner"],'
|
||||
'"user:two@example.org" = ["roles/owner", "roles/editor"]}'
|
||||
)
|
||||
iam = ('{"user:one@example.org" = ["roles/owner"],'
|
||||
'"user:two@example.org" = ["roles/owner", "roles/editor"]}')
|
||||
_, resources = plan_runner(iam_additive_members=iam)
|
||||
roles = set((r['values']['role'], r['values']['member'])
|
||||
for r in resources if r['type'] == 'google_organization_iam_member')
|
||||
assert roles == set([
|
||||
('roles/owner', 'user:one@example.org'),
|
||||
('roles/owner', 'user:two@example.org'),
|
||||
('roles/editor', 'user:two@example.org')
|
||||
])
|
||||
|
||||
|
||||
def test_policy_boolean(plan_runner):
|
||||
"Test boolean org policy."
|
||||
policy_boolean = '{policy-a = true, policy-b = false, policy-c = null}'
|
||||
_, resources = plan_runner(policy_boolean=policy_boolean)
|
||||
assert len(resources) == 3
|
||||
constraints = set(r['values']['constraint'] for r in resources)
|
||||
assert set(constraints) == set(['policy-a', 'policy-b', 'policy-c'])
|
||||
policies = []
|
||||
for resource in resources:
|
||||
for policy in ('boolean_policy', 'restore_policy'):
|
||||
value = resource['values'][policy]
|
||||
if value:
|
||||
policies.append((policy,) + value[0].popitem())
|
||||
assert set(policies) == set([
|
||||
('boolean_policy', 'enforced', True),
|
||||
('boolean_policy', 'enforced', False),
|
||||
('restore_policy', 'default', True)])
|
||||
|
||||
|
||||
def test_policy_list(plan_runner):
|
||||
"Test list org policy."
|
||||
policy_list = (
|
||||
'{'
|
||||
'policy-a = {inherit_from_parent = true, suggested_value = null, status = true, values = []}, '
|
||||
'policy-b = {inherit_from_parent = null, suggested_value = "foo", status = false, values = ["bar"]}, '
|
||||
'policy-c = {inherit_from_parent = null, suggested_value = true, status = null, values = null}'
|
||||
'}'
|
||||
)
|
||||
_, resources = plan_runner(policy_list=policy_list)
|
||||
assert len(resources) == 3
|
||||
values = [r['values'] for r in resources]
|
||||
assert [r['constraint']
|
||||
for r in values] == ['policy-a', 'policy-b', 'policy-c']
|
||||
assert values[0]['list_policy'][0]['allow'] == [
|
||||
{'all': True, 'values': None}]
|
||||
assert values[1]['list_policy'][0]['deny'] == [
|
||||
{'all': False, 'values': ["bar"]}]
|
||||
assert values[2]['restore_policy'] == [{'default': True}]
|
||||
for r in resources
|
||||
if r['type'] == 'google_organization_iam_member')
|
||||
assert roles == set([('roles/owner', 'user:one@example.org'),
|
||||
('roles/owner', 'user:two@example.org'),
|
||||
('roles/editor', 'user:two@example.org')])
|
||||
|
|
|
@ -0,0 +1,227 @@
|
|||
# Copyright 2022 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
|
||||
def test_policy_boolean(plan_runner):
|
||||
"Test boolean org policy."
|
||||
policies = '''{
|
||||
"iam.disableServiceAccountKeyCreation" = {
|
||||
enforce = true
|
||||
}
|
||||
"iam.disableServiceAccountKeyUpload" = {
|
||||
enforce = false
|
||||
rules = [
|
||||
{
|
||||
condition = {
|
||||
expression = "resource.matchTagId(\\"tagKeys/1234\\", \\"tagValues/1234\\")"
|
||||
title = "condition"
|
||||
description = "test condition"
|
||||
location = "xxx"
|
||||
}
|
||||
enforce = true
|
||||
}
|
||||
]
|
||||
}
|
||||
}'''
|
||||
_, resources = plan_runner(org_policies=policies)
|
||||
assert len(resources) == 2
|
||||
|
||||
policies = [r for r in resources if r['type'] == 'google_org_policy_policy']
|
||||
assert len(policies) == 2
|
||||
assert all(
|
||||
x['values']['parent'] == 'organizations/1234567890' for x in policies)
|
||||
|
||||
p1 = [
|
||||
r['values']['spec'][0]
|
||||
for r in policies
|
||||
if r['index'] == 'iam.disableServiceAccountKeyCreation'
|
||||
][0]
|
||||
|
||||
assert p1['inherit_from_parent'] is None
|
||||
assert p1['reset'] is None
|
||||
assert p1['rules'] == [{
|
||||
'allow_all': None,
|
||||
'condition': [],
|
||||
'deny_all': None,
|
||||
'enforce': 'TRUE',
|
||||
'values': []
|
||||
}]
|
||||
|
||||
p2 = [
|
||||
r['values']['spec'][0]
|
||||
for r in policies
|
||||
if r['index'] == 'iam.disableServiceAccountKeyUpload'
|
||||
][0]
|
||||
|
||||
assert p2['inherit_from_parent'] is None
|
||||
assert p2['reset'] is None
|
||||
assert len(p2['rules']) == 2
|
||||
assert p2['rules'][0] == {
|
||||
'allow_all': None,
|
||||
'condition': [],
|
||||
'deny_all': None,
|
||||
'enforce': 'FALSE',
|
||||
'values': []
|
||||
}
|
||||
assert p2['rules'][1] == {
|
||||
'allow_all': None,
|
||||
'condition': [{
|
||||
'description': 'test condition',
|
||||
'expression': 'resource.matchTagId("tagKeys/1234", "tagValues/1234")',
|
||||
'location': 'xxx',
|
||||
'title': 'condition'
|
||||
}],
|
||||
'deny_all': None,
|
||||
'enforce': 'TRUE',
|
||||
'values': []
|
||||
}
|
||||
|
||||
|
||||
def test_policy_list(plan_runner):
|
||||
"Test list org policy."
|
||||
policies = '''{
|
||||
"compute.vmExternalIpAccess" = {
|
||||
deny = { all = true }
|
||||
}
|
||||
"iam.allowedPolicyMemberDomains" = {
|
||||
allow = {
|
||||
values = ["C0xxxxxxx", "C0yyyyyyy"]
|
||||
}
|
||||
}
|
||||
"compute.restrictLoadBalancerCreationForTypes" = {
|
||||
deny = { values = ["in:EXTERNAL"] }
|
||||
rules = [
|
||||
{
|
||||
condition = {
|
||||
expression = "resource.matchTagId(\\"tagKeys/1234\\", \\"tagValues/1234\\")"
|
||||
title = "condition"
|
||||
description = "test condition"
|
||||
location = "xxx"
|
||||
}
|
||||
allow = {
|
||||
values = ["EXTERNAL_1"]
|
||||
}
|
||||
},
|
||||
{
|
||||
condition = {
|
||||
expression = "resource.matchTagId(\\"tagKeys/12345\\", \\"tagValues/12345\\")"
|
||||
title = "condition2"
|
||||
description = "test condition2"
|
||||
location = "xxx"
|
||||
}
|
||||
allow = {
|
||||
all = true
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}'''
|
||||
_, resources = plan_runner(org_policies=policies)
|
||||
assert len(resources) == 3
|
||||
|
||||
policies = [r for r in resources if r['type'] == 'google_org_policy_policy']
|
||||
assert len(policies) == 3
|
||||
assert all(
|
||||
x['values']['parent'] == 'organizations/1234567890' for x in policies)
|
||||
|
||||
p1 = [
|
||||
r['values']['spec'][0]
|
||||
for r in policies
|
||||
if r['index'] == 'compute.vmExternalIpAccess'
|
||||
][0]
|
||||
assert p1['inherit_from_parent'] is None
|
||||
assert p1['reset'] is None
|
||||
assert p1['rules'] == [{
|
||||
'allow_all': None,
|
||||
'condition': [],
|
||||
'deny_all': 'TRUE',
|
||||
'enforce': None,
|
||||
'values': []
|
||||
}]
|
||||
|
||||
p2 = [
|
||||
r['values']['spec'][0]
|
||||
for r in policies
|
||||
if r['index'] == 'iam.allowedPolicyMemberDomains'
|
||||
][0]
|
||||
assert p2['inherit_from_parent'] is None
|
||||
assert p2['reset'] is None
|
||||
assert p2['rules'] == [{
|
||||
'allow_all':
|
||||
None,
|
||||
'condition': [],
|
||||
'deny_all':
|
||||
None,
|
||||
'enforce':
|
||||
None,
|
||||
'values': [{
|
||||
'allowed_values': [
|
||||
'C0xxxxxxx',
|
||||
'C0yyyyyyy',
|
||||
],
|
||||
'denied_values': None
|
||||
}]
|
||||
}]
|
||||
|
||||
p3 = [
|
||||
r['values']['spec'][0]
|
||||
for r in policies
|
||||
if r['index'] == 'compute.restrictLoadBalancerCreationForTypes'
|
||||
][0]
|
||||
assert p3['inherit_from_parent'] is None
|
||||
assert p3['reset'] is None
|
||||
assert len(p3['rules']) == 3
|
||||
assert p3['rules'][0] == {
|
||||
'allow_all': None,
|
||||
'condition': [],
|
||||
'deny_all': None,
|
||||
'enforce': None,
|
||||
'values': [{
|
||||
'allowed_values': None,
|
||||
'denied_values': ['in:EXTERNAL']
|
||||
}]
|
||||
}
|
||||
|
||||
assert p3['rules'][1] == {
|
||||
'allow_all': None,
|
||||
'condition': [{
|
||||
'description': 'test condition',
|
||||
'expression': 'resource.matchTagId("tagKeys/1234", "tagValues/1234")',
|
||||
'location': 'xxx',
|
||||
'title': 'condition'
|
||||
}],
|
||||
'deny_all': None,
|
||||
'enforce': None,
|
||||
'values': [{
|
||||
'allowed_values': ['EXTERNAL_1'],
|
||||
'denied_values': None
|
||||
}]
|
||||
}
|
||||
|
||||
assert p3['rules'][2] == {
|
||||
'allow_all': 'TRUE',
|
||||
'condition': [{
|
||||
'description':
|
||||
'test condition2',
|
||||
'expression':
|
||||
'resource.matchTagId("tagKeys/12345", "tagValues/12345")',
|
||||
'location':
|
||||
'xxx',
|
||||
'title':
|
||||
'condition2'
|
||||
}],
|
||||
'deny_all': None,
|
||||
'enforce': None,
|
||||
'values': []
|
||||
}
|
|
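Review bot: The `p1 = [...][0]` and `p2 = [...][0]` lookups in test_policy_boolean (and p1..p3 in test_policy_list) turn a missing or renamed constraint into a bare IndexError instead of a failure that names the policy; building one map and indexing it, `specs = {r['index']: r['values']['spec'][0] for r in policies}` then `p1 = specs['iam.disableServiceAccountKeyCreation']`, gives a KeyError that carries the constraint name and removes the repeated comprehensions. The same function also reuses the name `policies` first for the HCL input string and then for the filtered resource list, which makes the `assert len(policies) == 2` read as if it were checking the input; `org_policies_hcl` for the fixture string would separate the two. Both points apply equally to the project test file hunk later in this commit. Coverage-wise, every assertion here checks `inherit_from_parent` and `reset` as None, so if the module maps those fields to the new API, a fixture setting `reset = true` or `inherit_from_parent = false` would be needed to exercise that path.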
@ -25,12 +25,11 @@ module "test" {
|
|||
iam_additive_members = var.iam_additive_members
|
||||
labels = var.labels
|
||||
lien_reason = var.lien_reason
|
||||
org_policies = var.org_policies
|
||||
oslogin = var.oslogin
|
||||
oslogin_admins = var.oslogin_admins
|
||||
oslogin_users = var.oslogin_users
|
||||
parent = var.parent
|
||||
policy_boolean = var.policy_boolean
|
||||
policy_list = var.policy_list
|
||||
prefix = var.prefix
|
||||
service_encryption_key_ids = var.service_encryption_key_ids
|
||||
services = var.services
|
||||
|
@ -63,4 +62,3 @@ module "test-svpc-service" {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -64,6 +64,11 @@ variable "lien_reason" {
|
|||
default = ""
|
||||
}
|
||||
|
||||
variable "org_policies" {
|
||||
type = any
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "oslogin" {
|
||||
type = bool
|
||||
default = false
|
||||
|
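Review bot: The new fixture variable `org_policies` is declared `type = any`, so a malformed test string is only rejected inside the module with an error pointing at the module's own variable rather than at the fixture input. If the module declares a typed object (with optional() attributes) for this variable, mirroring that type here, or at minimum `type = map(any)`, would fail the fixture at its boundary with a message that names the test input.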
@ -84,21 +89,6 @@ variable "parent" {
|
|||
default = null
|
||||
}
|
||||
|
||||
variable "policy_boolean" {
|
||||
type = map(bool)
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "policy_list" {
|
||||
type = map(object({
|
||||
inherit_from_parent = bool
|
||||
suggested_value = string
|
||||
status = bool
|
||||
values = list(string)
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "prefix" {
|
||||
type = string
|
||||
default = null
|
||||
|
|
|
@ -12,47 +12,214 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
|
||||
def test_policy_boolean(plan_runner):
|
||||
"Test boolean org policy."
|
||||
policy_boolean = '{policy-a = true, policy-b = false, policy-c = null}'
|
||||
_, resources = plan_runner(policy_boolean=policy_boolean)
|
||||
assert len(resources) == 7
|
||||
resources = [r for r in resources if r['type']
|
||||
== 'google_project_organization_policy']
|
||||
assert sorted([r['index'] for r in resources]) == [
|
||||
'policy-a', 'policy-b', 'policy-c'
|
||||
]
|
||||
policy_values = []
|
||||
for resource in resources:
|
||||
for policy in ('boolean_policy', 'restore_policy'):
|
||||
value = resource['values'][policy]
|
||||
if value:
|
||||
policy_values.append((policy,) + value[0].popitem())
|
||||
assert sorted(policy_values) == [
|
||||
('boolean_policy', 'enforced', False),
|
||||
('boolean_policy', 'enforced', True),
|
||||
('restore_policy', 'default', True)
|
||||
]
|
||||
policies = '''{
|
||||
"iam.disableServiceAccountKeyCreation" = {
|
||||
enforce = true
|
||||
}
|
||||
"iam.disableServiceAccountKeyUpload" = {
|
||||
enforce = false
|
||||
rules = [
|
||||
{
|
||||
condition = {
|
||||
expression = "resource.matchTagId(\\"tagKeys/1234\\", \\"tagValues/1234\\")"
|
||||
title = "condition"
|
||||
description = "test condition"
|
||||
location = "xxx"
|
||||
}
|
||||
enforce = true
|
||||
}
|
||||
]
|
||||
}
|
||||
}'''
|
||||
_, resources = plan_runner(org_policies=policies)
|
||||
assert len(resources) == 6
|
||||
|
||||
policies = [r for r in resources if r['type'] == 'google_org_policy_policy']
|
||||
assert len(policies) == 2
|
||||
assert all(x['values']['parent'] == 'projects/my-project' for x in policies)
|
||||
|
||||
p1 = [
|
||||
r['values']['spec'][0]
|
||||
for r in policies
|
||||
if r['index'] == 'iam.disableServiceAccountKeyCreation'
|
||||
][0]
|
||||
|
||||
assert p1['inherit_from_parent'] is None
|
||||
assert p1['reset'] is None
|
||||
assert p1['rules'] == [{
|
||||
'allow_all': None,
|
||||
'condition': [],
|
||||
'deny_all': None,
|
||||
'enforce': 'TRUE',
|
||||
'values': []
|
||||
}]
|
||||
|
||||
p2 = [
|
||||
r['values']['spec'][0]
|
||||
for r in policies
|
||||
if r['index'] == 'iam.disableServiceAccountKeyUpload'
|
||||
][0]
|
||||
|
||||
assert p2['inherit_from_parent'] is None
|
||||
assert p2['reset'] is None
|
||||
assert len(p2['rules']) == 2
|
||||
assert p2['rules'][0] == {
|
||||
'allow_all': None,
|
||||
'condition': [],
|
||||
'deny_all': None,
|
||||
'enforce': 'FALSE',
|
||||
'values': []
|
||||
}
|
||||
assert p2['rules'][1] == {
|
||||
'allow_all': None,
|
||||
'condition': [{
|
||||
'description': 'test condition',
|
||||
'expression': 'resource.matchTagId("tagKeys/1234", "tagValues/1234")',
|
||||
'location': 'xxx',
|
||||
'title': 'condition'
|
||||
}],
|
||||
'deny_all': None,
|
||||
'enforce': 'TRUE',
|
||||
'values': []
|
||||
}
|
||||
|
||||
|
||||
def test_policy_list(plan_runner):
|
||||
"Test list org policy."
|
||||
policy_list = (
|
||||
'{'
|
||||
'policy-a = {inherit_from_parent = true, suggested_value = null, status = true, values = []}, '
|
||||
'policy-b = {inherit_from_parent = null, suggested_value = "foo", status = false, values = ["bar"]}, '
|
||||
'policy-c = {inherit_from_parent = null, suggested_value = true, status = null, values = null}'
|
||||
'}'
|
||||
)
|
||||
_, resources = plan_runner(policy_list=policy_list)
|
||||
policies = '''{
|
||||
"compute.vmExternalIpAccess" = {
|
||||
deny = { all = true }
|
||||
}
|
||||
"iam.allowedPolicyMemberDomains" = {
|
||||
allow = {
|
||||
values = ["C0xxxxxxx", "C0yyyyyyy"]
|
||||
}
|
||||
}
|
||||
"compute.restrictLoadBalancerCreationForTypes" = {
|
||||
deny = { values = ["in:EXTERNAL"] }
|
||||
rules = [
|
||||
{
|
||||
condition = {
|
||||
expression = "resource.matchTagId(\\"tagKeys/1234\\", \\"tagValues/1234\\")"
|
||||
title = "condition"
|
||||
description = "test condition"
|
||||
location = "xxx"
|
||||
}
|
||||
allow = {
|
||||
values = ["EXTERNAL_1"]
|
||||
}
|
||||
},
|
||||
{
|
||||
condition = {
|
||||
expression = "resource.matchTagId(\\"tagKeys/12345\\", \\"tagValues/12345\\")"
|
||||
title = "condition2"
|
||||
description = "test condition2"
|
||||
location = "xxx"
|
||||
}
|
||||
allow = {
|
||||
all = true
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}'''
|
||||
_, resources = plan_runner(org_policies=policies)
|
||||
assert len(resources) == 7
|
||||
values = [r['values'] for r in resources if r['type']
|
||||
== 'google_project_organization_policy']
|
||||
assert [r['constraint'] for r in values] == [
|
||||
'policy-a', 'policy-b', 'policy-c'
|
||||
]
|
||||
assert values[0]['list_policy'][0]['allow'] == [
|
||||
{'all': True, 'values': None}]
|
||||
assert values[1]['list_policy'][0]['deny'] == [
|
||||
{'all': False, 'values': ["bar"]}]
|
||||
assert values[2]['restore_policy'] == [{'default': True}]
|
||||
|
||||
policies = [r for r in resources if r['type'] == 'google_org_policy_policy']
|
||||
assert len(policies) == 3
|
||||
assert all(x['values']['parent'] == 'projects/my-project' for x in policies)
|
||||
|
||||
p1 = [
|
||||
r['values']['spec'][0]
|
||||
for r in policies
|
||||
if r['index'] == 'compute.vmExternalIpAccess'
|
||||
][0]
|
||||
assert p1['inherit_from_parent'] is None
|
||||
assert p1['reset'] is None
|
||||
assert p1['rules'] == [{
|
||||
'allow_all': None,
|
||||
'condition': [],
|
||||
'deny_all': 'TRUE',
|
||||
'enforce': None,
|
||||
'values': []
|
||||
}]
|
||||
|
||||
p2 = [
|
||||
r['values']['spec'][0]
|
||||
for r in policies
|
||||
if r['index'] == 'iam.allowedPolicyMemberDomains'
|
||||
][0]
|
||||
assert p2['inherit_from_parent'] is None
|
||||
assert p2['reset'] is None
|
||||
assert p2['rules'] == [{
|
||||
'allow_all':
|
||||
None,
|
||||
'condition': [],
|
||||
'deny_all':
|
||||
None,
|
||||
'enforce':
|
||||
None,
|
||||
'values': [{
|
||||
'allowed_values': [
|
||||
'C0xxxxxxx',
|
||||
'C0yyyyyyy',
|
||||
],
|
||||
'denied_values': None
|
||||
}]
|
||||
}]
|
||||
|
||||
p3 = [
|
||||
r['values']['spec'][0]
|
||||
for r in policies
|
||||
if r['index'] == 'compute.restrictLoadBalancerCreationForTypes'
|
||||
][0]
|
||||
assert p3['inherit_from_parent'] is None
|
||||
assert p3['reset'] is None
|
||||
assert len(p3['rules']) == 3
|
||||
assert p3['rules'][0] == {
|
||||
'allow_all': None,
|
||||
'condition': [],
|
||||
'deny_all': None,
|
||||
'enforce': None,
|
||||
'values': [{
|
||||
'allowed_values': None,
|
||||
'denied_values': ['in:EXTERNAL']
|
||||
}]
|
||||
}
|
||||
|
||||
assert p3['rules'][1] == {
|
||||
'allow_all': None,
|
||||
'condition': [{
|
||||
'description': 'test condition',
|
||||
'expression': 'resource.matchTagId("tagKeys/1234", "tagValues/1234")',
|
||||
'location': 'xxx',
|
||||
'title': 'condition'
|
||||
}],
|
||||
'deny_all': None,
|
||||
'enforce': None,
|
||||
'values': [{
|
||||
'allowed_values': ['EXTERNAL_1'],
|
||||
'denied_values': None
|
||||
}]
|
||||
}
|
||||
|
||||
assert p3['rules'][2] == {
|
||||
'allow_all': 'TRUE',
|
||||
'condition': [{
|
||||
'description':
|
||||
'test condition2',
|
||||
'expression':
|
||||
'resource.matchTagId("tagKeys/12345", "tagValues/12345")',
|
||||
'location':
|
||||
'xxx',
|
||||
'title':
|
||||
'condition2'
|
||||
}],
|
||||
'deny_all': None,
|
||||
'enforce': None,
|
||||
'values': []
|
||||
}
|
||||
|
|
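Review bot: `assert len(resources) == 6` in test_policy_boolean and `assert len(resources) == 7` in test_policy_list pin the total size of the plan, so both org-policy tests break whenever the project module gains or drops an unrelated resource; the `google_org_policy_policy` filter directly below already asserts the count the tests are about, so the total-count lines can be dropped, or kept with a comment such as `# N policy resources plus the fixture's non-policy resources` if the total is meant as a guard. The `policies` name is again reused for both the HCL string and the filtered resource list in each function, as in the organization test file.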