Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add variable validation in org policy v2 #149

Merged
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 0 additions & 24 deletions examples/basic_org_policies/versions.tf

This file was deleted.

24 changes: 0 additions & 24 deletions examples/boolean_org_exclude/versions.tf

This file was deleted.

24 changes: 0 additions & 24 deletions examples/boolean_project_allow/versions.tf

This file was deleted.

24 changes: 0 additions & 24 deletions examples/list_folder_deny/versions.tf

This file was deleted.

24 changes: 0 additions & 24 deletions examples/list_org_exclude/versions.tf

This file was deleted.

3 changes: 0 additions & 3 deletions examples/v2_boolean_org_enforce/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -25,9 +25,6 @@ module "gcp_org_policy_v2" {
policy_root_id = var.org_id
rules = [{
enforcement = true
allow = []
deny = []
conditions = []
}]
constraint = "compute.requireOsLogin"
policy_type = "boolean"
Expand Down
26 changes: 0 additions & 26 deletions examples/v2_boolean_org_enforce/versions.tf

This file was deleted.

37 changes: 28 additions & 9 deletions modules/org_policy_v2/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,8 +9,10 @@ Organization Policies are of two types `boolean` and `list`.
## Usage
Example usage is included in the [examples](./examples/org_policy_v2) folder, but simple usage is as follows:

- Bool organization policy

```hcl
module "gcp_org_policy_v2" {
module "gcp_org_policy_v2_bool" {
source = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
version = "~> 5.2.0"

Expand All @@ -25,15 +27,10 @@ module "gcp_org_policy_v2" {
# Rule 1
{
enforcement = true
allow = []
deny = []
conditions = []
},
# Rule 2
{
enforcement = true
allow = []
deny = []
conditions = [{
description = "description of the condition"
expression = "resource.matchTagId('tagKeys/123456789', 'tagValues/123456789') && resource.matchTag('123456789/1234', 'abcd')"
Expand All @@ -45,6 +42,28 @@ module "gcp_org_policy_v2" {
}
```

- List organization policy

```hcl
module "gcp_org_policy_v2_list" {
source = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
version = "~> 5.0"

policy_root = "organization"
policy_root_id = var.org_id
constraint = "gcp.resourceLocations"
policy_type = "list"

rules = [
# Rule 1
{
enforcement = true
allow = ["in:us-locations"]
}
]
}
```

### Variables
To control module's behavior, change variables' values regarding the following:

Expand Down Expand Up @@ -99,7 +118,7 @@ To control module's behavior, change variables' values regarding the following:
| policy\_root | Resource hierarchy node to apply the policy to: can be one of `organization`, `folder`, or `project`. | `string` | `"organization"` | no |
| policy\_root\_id | The policy root id, either of organization\_id, folder\_id or project\_id | `string` | `null` | no |
| policy\_type | The constraint type to work with (either 'boolean' or 'list') | `string` | `"list"` | no |
| rules | List of rules per policy. Up to 10. | <pre>list(object(<br> {<br> enforcement = bool<br> allow = list(string)<br> deny = list(string)<br> conditions = list(object(<br> {<br> description = string<br> expression = string<br> title = string<br> location = string<br> }<br> ))<br> }<br> ))</pre> | n/a | yes |
| rules | List of rules per policy. Up to 10. | <pre>list(object(<br> {<br> enforcement = bool<br> allow = optional(list(string), [])<br> deny = optional(list(string), [])<br> conditions = optional(list(object(<br> {<br> description = string<br> expression = string<br> title = string<br> location = string<br> }<br> )), [])<br> }<br> ))</pre> | n/a | yes |

## Outputs

Expand All @@ -114,15 +133,15 @@ To control module's behavior, change variables' values regarding the following:
---

## Compatibility
This module is meant for use with Terraform 0.13+ and tested using Terraform 1.0+. If you find incompatibilities using Terraform >=0.13, please open an issue.
This module is meant for use with Terraform 1.3+ and tested using Terraform 1.0+. If you find incompatibilities using Terraform >=1.3, please open an issue.
If you haven't
[upgraded](https://www.terraform.io/upgrade-guides/0-13.html) and need a Terraform
0.12.x-compatible version of this module, the last released version
intended for Terraform 0.12.x is [v4.0.0](https://registry.terraform.io/modules/terraform-google-modules/-org-policy/google/v4.0.0).

## Requirements
### Terraform plugins
- [Terraform](https://www.terraform.io/downloads.html) >= 0.13.0
- [Terraform](https://www.terraform.io/downloads.html) >= 1.3.0
- [terraform-provider-google](https://github.com/terraform-providers/terraform-provider-google) >= v2.5.0

### Permissions
Expand Down
12 changes: 8 additions & 4 deletions modules/org_policy_v2/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,10 @@ variable "policy_root" {
description = "Resource hierarchy node to apply the policy to: can be one of `organization`, `folder`, or `project`."
type = string
default = "organization"
validation {
condition = contains(["organization", "folder", "project"], var.policy_root)
error_message = "policy_root should be one of organization, folder, or project"
}
}

variable "policy_root_id" {
Expand Down Expand Up @@ -60,16 +64,16 @@ variable "rules" {
type = list(object(
{
enforcement = bool
allow = list(string)
deny = list(string)
conditions = list(object(
allow = optional(list(string), [])
deny = optional(list(string), [])
conditions = optional(list(object(
{
description = string
expression = string
title = string
location = string
}
))
)), [])
}
))
}
2 changes: 1 addition & 1 deletion modules/org_policy_v2/versions.tf
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@
*/

terraform {
required_version = ">= 0.13"
required_version = ">= 1.3"
required_providers {

google = {
Expand Down