From f64c43e8936bfd51ca9ade4a3862c47d419d8bb2 Mon Sep 17 00:00:00 2001
From: Julio Castillo <jccb@google.com>
Date: Thu, 3 Nov 2022 12:12:50 +0100
Subject: [PATCH] Add org policy factory example

---
 modules/folder/README.md       |  4 +++
 modules/organization/README.md |  4 +++
 modules/project/README.md      | 63 ++++++++++++++++++++++++++++++++++
 3 files changed, 71 insertions(+)

diff --git a/modules/folder/README.md b/modules/folder/README.md
index ee1e9e5b..3a0c3a11 100644
--- a/modules/folder/README.md
+++ b/modules/folder/README.md
@@ -75,6 +75,10 @@ module "folder" {
 # tftest modules=1 resources=8
 ```
 
+### Organization policy factory
+
+See the [organization policy factory in the project module](../project#Organization-policy-factory).
+
 ### Firewall policy factory
 
 In the same way as for the [organization](../organization) module, the in-built factory allows you to define a single policy, using one file for rules, and an optional file for CIDR range substitution variables. Remember that non-absolute paths are relative to the root module (the folder where you run `terraform`).
diff --git a/modules/organization/README.md b/modules/organization/README.md
index 5073a132..57e561c1 100644
--- a/modules/organization/README.md
+++ b/modules/organization/README.md
@@ -76,6 +76,10 @@ If you set audit policies via the `iam_audit_config_authoritative` variable, be
 
 Some care must also be takend with the `groups_iam` variable (and in some situations with the additive variables) to ensure that variable keys are static values, so that Terraform is able to compute the dependency graph.
 
+### Organization policy factory
+
+See the [organization policy factory in the project module](../project#Organization-policy-factory).
+
 ## Hierarchical firewall policies
 
 Hirerarchical firewall policies can be managed in two ways:
diff --git a/modules/project/README.md b/modules/project/README.md
index 4cbf49e6..eea627eb 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -211,6 +211,69 @@ module "project" {
 # tftest modules=1 resources=10
 ```
 
+### Organization policy factory
+
+Organization policies can be loaded from a directory containing YAML files where each file defines one or more constraints. The structure of the YAML files is exactly the same as the `org_policies` variable.
+
+The example below deploys the same organization policies shown in the previous section using two YAML files.
+
+```hcl
+module "folder" {
+  source                 = "./fabric/modules/folder"
+  parent                 = "organizations/1234567890"
+  name                   = "Folder name"
+  org_policies_data_path = "/my/path"
+}
+# tftest skip
+```
+
+```yaml
+# /my/path/boolean.yaml
+iam.disableServiceAccountKeyCreation:
+  enforce: true
+
+iam.disableServiceAccountKeyUpload:
+  enforce: false
+  rules:
+    - condition:
+        expression: resource.matchTagId("tagKeys/1234", "tagValues/1234")
+        title: condition
+        description: test condition
+        location: xxx
+      enforce: true
+```
+
+```yaml
+# /my/path/list.yaml
+compute.vmExternalIpAccess:
+  deny:
+    all: true
+
+iam.allowedPolicyMemberDomains:
+  allow:
+    values:
+      - C0xxxxxxx
+      - C0yyyyyyy
+
+compute.restrictLoadBalancerCreationForTypes:
+  deny:
+    values: ["in:EXTERNAL"]
+  rules:
+    - condition:
+        expression: resource.matchTagId("tagKeys/1234", "tagValues/1234")
+        title: condition
+        description: test condition
+      allow:
+        values: ["in:EXTERNAL"]
+    - condition:
+        expression: resource.matchTagId("tagKeys/12345", "tagValues/12345")
+        title: condition2
+        description: test condition2
+      allow:
+        all: true
+```
+
+
 ## Logging Sinks
 
 ```hcl