fixed parent validation in org policy v2

terraform-google-modules · Oct 31, 2024 · 80afd91 · 80afd91
1 parent 1d6573c
commit 80afd91
Show file tree

Hide file tree

Showing 10 changed files with 33 additions and 163 deletions.
diff --git a/examples/basic_org_policies/versions.tf b/examples/basic_org_policies/versions.tf
diff --git a/examples/boolean_org_exclude/versions.tf b/examples/boolean_org_exclude/versions.tf
diff --git a/examples/boolean_project_allow/versions.tf b/examples/boolean_project_allow/versions.tf
diff --git a/examples/list_folder_deny/versions.tf b/examples/list_folder_deny/versions.tf
diff --git a/examples/list_org_exclude/versions.tf b/examples/list_org_exclude/versions.tf
diff --git a/examples/v2_boolean_org_enforce/main.tf b/examples/v2_boolean_org_enforce/main.tf
@@ -25,9 +25,6 @@ module "gcp_org_policy_v2" {
   policy_root_id = var.org_id
   rules = [{
     enforcement = true
-    allow       = []
-    deny        = []
-    conditions  = []
   }]
   constraint  = "compute.requireOsLogin"
   policy_type = "boolean"

diff --git a/examples/v2_boolean_org_enforce/versions.tf b/examples/v2_boolean_org_enforce/versions.tf
diff --git a/modules/org_policy_v2/README.md b/modules/org_policy_v2/README.md
@@ -9,8 +9,10 @@ Organization Policies are of two types `boolean` and `list`.
 ## Usage
 Example usage is included in the [examples](./examples/org_policy_v2) folder, but simple usage is as follows:
 
+- Bool organization policy
+
 ```hcl
-module "gcp_org_policy_v2" {
+module "gcp_org_policy_v2_bool" {
   source           = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
   version          = "~> 5.2.0"
 
@@ -25,15 +27,10 @@ module "gcp_org_policy_v2" {
     # Rule 1
     {
       enforcement = true
-      allow       = []
-      deny        = []
-      conditions  = []
     },
     # Rule 2
     {
       enforcement = true
-      allow       = []
-      deny        = []
       conditions  = [{
         description = "description of the condition"
         expression  = "resource.matchTagId('tagKeys/123456789', 'tagValues/123456789') && resource.matchTag('123456789/1234', 'abcd')"
@@ -45,6 +42,28 @@ module "gcp_org_policy_v2" {
 }
 ```
 
+- List organization policy
+
+```hcl
+module "gcp_org_policy_v2_list" {
+  source  = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
+  version = "~> 5.0"
+
+  policy_root    = "organization"
+  policy_root_id = var.org_id
+  constraint     = "gcp.resourceLocations"
+  policy_type    = "list"
+
+  rules = [
+    # Rule 1
+    {
+      enforcement = true
+      allow       = ["in:us-locations"]
+    }
+  ]
+}
+```
+
 ### Variables
 To control module's behavior, change variables' values regarding the following:
 
@@ -99,7 +118,7 @@ To control module's behavior, change variables' values regarding the following:
 | policy\_root | Resource hierarchy node to apply the policy to: can be one of `organization`, `folder`, or `project`. | `string` | `"organization"` | no |
 | policy\_root\_id | The policy root id, either of organization\_id, folder\_id or project\_id | `string` | `null` | no |
 | policy\_type | The constraint type to work with (either 'boolean' or 'list') | `string` | `"list"` | no |
-| rules | List of rules per policy. Up to 10. | <pre>list(object(<br>    {<br>      enforcement = bool<br>      allow       = list(string)<br>      deny        = list(string)<br>      conditions = list(object(<br>        {<br>          description = string<br>          expression  = string<br>          title       = string<br>          location    = string<br>        }<br>      ))<br>    }<br>  ))</pre> | n/a | yes |
+| rules | List of rules per policy. Up to 10. | <pre>list(object(<br>    {<br>      enforcement = bool<br>      allow       = optional(list(string))<br>      deny        = optional(list(string))<br>      conditions = optional(list(object(<br>        {<br>          description = string<br>          expression  = string<br>          title       = string<br>          location    = string<br>        }<br>      )))<br>    }<br>  ))</pre> | n/a | yes |
 
 ## Outputs
 
@@ -114,15 +133,15 @@ To control module's behavior, change variables' values regarding the following:
 ---
 
 ## Compatibility
-This module is meant for use with Terraform 0.13+ and tested using Terraform 1.0+. If you find incompatibilities using Terraform >=0.13, please open an issue.
+This module is meant for use with Terraform 1.3+ and tested using Terraform 1.0+. If you find incompatibilities using Terraform >=1.3, please open an issue.
  If you haven't
 [upgraded](https://www.terraform.io/upgrade-guides/0-13.html) and need a Terraform
 0.12.x-compatible version of this module, the last released version
 intended for Terraform 0.12.x is [v4.0.0](https://registry.terraform.io/modules/terraform-google-modules/-org-policy/google/v4.0.0).
 
 ## Requirements
 ### Terraform plugins
-- [Terraform](https://www.terraform.io/downloads.html) >= 0.13.0
+- [Terraform](https://www.terraform.io/downloads.html) >= 1.3.0
 - [terraform-provider-google](https://github.com/terraform-providers/terraform-provider-google) >= v2.5.0
 
 ### Permissions

diff --git a/modules/org_policy_v2/variables.tf b/modules/org_policy_v2/variables.tf
@@ -64,16 +64,16 @@ variable "rules" {
   type = list(object(
     {
       enforcement = bool
-      allow       = list(string)
-      deny        = list(string)
-      conditions = list(object(
+      allow       = optional(list(string))
+      deny        = optional(list(string))
+      conditions = optional(list(object(
         {
           description = string
           expression  = string
           title       = string
           location    = string
         }
-      ))
+      )))
     }
   ))
 }
diff --git a/modules/org_policy_v2/versions.tf b/modules/org_policy_v2/versions.tf
@@ -15,7 +15,7 @@
  */
 
 terraform {
-  required_version = ">= 0.13"
+  required_version = ">= 1.3"
   required_providers {
 
     google = {