Merge pull request #21 from averbuks/averbuks-org-policy-19

Fix combining module with folder/project creation
terraform-google-modules · Oct 17, 2019 · c4f410a · c4f410a
2 parents e77848f + 31befdb
commit c4f410a
Show file tree

Hide file tree

Showing 13 changed files with 75 additions and 38 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,13 +6,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-## [2.0.1] - 2019-XX-YY
+Please add new unreleased features here.
 
+## [3.0.0] - 2019-XX-YY
+v3.0.0 is a backwards-incompatible release. Please see the [upgrading guide](./docs/upgrading_to_v3.0.md).
 ### Changed
 
-- Migrated to Cloud Build. [#18]
-
-Please add new unreleased features here.
+- **Breaking**: Fixed combining with folders/projects creation by adding `policy_for` input variable. [#19]
 
 ## [2.0.0] - 2019-07-25
 
@@ -24,10 +24,11 @@ Please add new unreleased features here.
 
 This is the initial release of the module, with full support for org policy management.
 
-[Unreleased]: https://github.com/terraform-google-modules/terraform-google-org-policy/compare/v2.0.1...HEAD
-[2.0.0]: https://github.com/terraform-google-modules/terraform-google-org-policy/compare/v2.0.0...v2.0.1
+[Unreleased]: https://github.com/terraform-google-modules/terraform-google-org-policy/compare/v3.0.0...HEAD
+[3.0.0]: https://github.com/terraform-google-modules/terraform-google-org-policy/compare/v2.0.0...v3.0.0
 [2.0.0]: https://github.com/terraform-google-modules/terraform-google-org-policy/compare/v1.0.0...v2.0.0
 [1.0.0]: https://github.com/terraform-google-modules/terraform-google-org-policy/releases/tag/v1.0.0
 
 [#11]: https://github.com/terraform-google-modules/terraform-google-org-policy/pull/11
 [#18]: https://github.com/terraform-google-modules/terraform-google-org-policy/pull/18
+[#19]: https://github.com/terraform-google-modules/terraform-google-org-policy/pull/19
diff --git a/README.md b/README.md
@@ -59,6 +59,7 @@ To control module's behavior, change variables' values regarding the following:
 | exclude\_projects | List of projects to exclude from the policy | list(string) | `<list>` | no |
 | folder\_id | The folder id for putting the policy | string | `"null"` | no |
 | organization\_id | The organization id for putting the policy | string | `"null"` | no |
+| policy\_for | Resource hierarchy node to apply the policy to: can be one of `organization`, `folder`, or `project`. | string | n/a | yes |
 | policy\_type | The constraint type to work with (either 'boolean' or 'list') | string | `"list"` | no |
 | project\_id | The project id for putting the policy | string | `"null"` | no |
 

diff --git a/build/lint.cloudbuild.yaml b/build/lint.cloudbuild.yaml
@@ -13,7 +13,7 @@
 # limitations under the License.
 
 steps:
-- name: 'gcr.io/cloud-foundation-cicd/cft/developer-tools:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   id: 'lint'
   args: ['/usr/local/bin/test_lint.sh']
 tags:

diff --git a/docs/upgrading_to_v3.0.md b/docs/upgrading_to_v3.0.md
@@ -0,0 +1,44 @@
+# Upgrading to v3.0
+
+The v3.0 release of *org-policy* is a backwards incompatible
+release.
+
+## Migration Instructions
+
+In previous versions of this module the resource hirerarchy node was not defined explicitly which caused problems when the module is combined with project/folder creation. The `policy_for` variable was introduced to address that issue.
+
+### Update for project policies
+```diff
+ module "project_policy" {
+   source  = "terraform-google-modules/org-policy/google"
+-  version = "~> 2.0"
++  version = "~> 3.0"
+
++  policy_for = "project"
+   # ...
+ }
+```
+
+### Update for folder policies
+```diff
+ module "folder_policy" {
+   source  = "terraform-google-modules/org-policy/google"
+-  version = "~> 2.0"
++  version = "~> 3.0"
+
++  policy_for = "folder"
+   # ...
+ }
+```
+
+### Update for organization policies
+```diff
+ module "org_policy" {
+   source  = "terraform-google-modules/org-policy/google"
+-  version = "~> 2.0"
++  version = "~> 3.0"
+
++  policy_for = "organization"
+   # ...
+ }
+```
diff --git a/examples/boolean_org_exclude/main.tf b/examples/boolean_org_exclude/main.tf
@@ -27,6 +27,7 @@ provider "google" {
  *****************************************/
 module "org-disable-serial-port-access-deny-all-with-excludes" {
   source          = "../../"
+  policy_for      = "organization"
   organization_id = var.organization_id
   constraint      = "compute.disableSerialPortAccess"
   enforce         = true

diff --git a/examples/boolean_project_allow/main.tf b/examples/boolean_project_allow/main.tf
@@ -27,6 +27,7 @@ provider "google" {
  *****************************************/
 module "org-policy" {
   source      = "../../"
+  policy_for  = "project"
   project_id  = var.project_id
   constraint  = "compute.disableSerialPortAccess"
   policy_type = "boolean"

diff --git a/examples/list_folder_deny/main.tf b/examples/list_folder_deny/main.tf
@@ -27,6 +27,7 @@ provider "google" {
  *****************************************/
 module "org-policy" {
   source           = "../../"
+  policy_for       = "folder"
   folder_id        = var.folder_id
   constraint       = "serviceuser.services"
   policy_type      = "list"

diff --git a/examples/list_org_exclude/main.tf b/examples/list_org_exclude/main.tf
@@ -27,6 +27,7 @@ provider "google" {
  *****************************************/
 module "org-policy" {
   source            = "../../"
+  policy_for        = "organization"
   organization_id   = var.organization_id
   constraint        = "compute.trustedImageProjects"
   policy_type       = "list"

diff --git a/examples/list_restrict_domain/main.tf b/examples/list_restrict_domain/main.tf
@@ -31,6 +31,7 @@ data "google_organization" "org" {
 
 module "org-policy" {
   source            = "../../"
+  policy_for        = "organization"
   organization_id   = var.organization_id
   constraint        = "constraints/iam.allowedPolicyMemberDomains"
   policy_type       = "list"

diff --git a/main.tf b/main.tf
@@ -18,9 +18,9 @@
   Locals configuration for module logic
  *****************************************/
 locals {
-  organization                 = var.organization_id != null
-  folder                       = var.folder_id != null
-  project                      = var.project_id != null
+  organization                 = var.policy_for == "organization"
+  folder                       = var.policy_for == "folder"
+  project                      = var.policy_for == "project"
   boolean_policy               = var.policy_type == "boolean"
   list_policy                  = var.policy_type == "list" && ! local.invalid_config
   enforce                      = var.allow_list_length > 0 || var.deny_list_length > 0 ? null : var.enforce

diff --git a/test/integration/boolean_constraints/launch.sh b/test/integration/boolean_constraints/launch.sh
@@ -50,43 +50,35 @@ function create_main_tf_file() {
   echo "Creating main.tf file"
   touch main.tf
   cat <<EOF > main.tf
-
 provider "google" {
   version     = "~> 2.5.0"
 }
-
 module "org-policy-boolean-project" {
   source = "../../../"
-
+  policy_for  = "project"
   constraint  = "$PROJECT_CONSTRAINT"
   project_id  = "$PROJECT_ID"
   enforce     = "true"
   policy_type = "boolean"
 }
-
 module "org-policy-boolean-folder" {
   source = "../../../"
-
+  policy_for  = "folder"
   constraint  = "$FOLDER_CONSTRAINT"
   folder_id   = "$FOLDER_1_ID"
   enforce     = "true"
   policy_type = "boolean"
-
   exclude_projects = ["$PROJECT_EXCLUDE"]
 }
-
-
 module "org-policy-boolean-org" {
   source = "../../../"
-
+  policy_for       = "organization"
   constraint       = "$ORG_CONSTRAINT_BOOL"
   organization_id  = "$ORGANIZATION_ID"
   enforce          = "true"
   policy_type      = "boolean"
-
   exclude_folders  = ["$FOLDER_EXCLUDE"]
 }
-
 EOF
 }
 

diff --git a/test/integration/list_constraints/launch.sh b/test/integration/list_constraints/launch.sh
@@ -54,55 +54,45 @@ function create_main_tf_file() {
   echo "Creating main.tf file"
   touch main.tf
   cat <<EOF > main.tf
-
 provider "google" {
   version     = "~> 2.5.0"
 }
-
 module "org-policy-list-project" {
   source = "../../../"
-
+  policy_for  = "project"
   constraint  = "$PROJECT_CONSTRAINT_DENY_ALL"
   project_id  = "$PROJECT_ID"
   enforce     = "true"
   policy_type = "list"
 }
-
 module "org-policy-list-folder" {
   source = "../../../"
-
+  policy_for  = "folder"
   constraint  = "$FOLDER_CONSTRAINT_ALLOW_ALL"
   folder_id   = "$FOLDER_1_ID"
   enforce     = "false"
   policy_type = "list"
 }
-
 module "org-policy-list-org" {
   source = "../../../"
-
+  policy_for       = "organization"
   constraint       = "$ORG_CONSTRAINT"
   organization_id  = "$ORGANIZATION_ID"
   policy_type      = "list"
-
   exclude_folders  = ["$FOLDER_EXCLUDE"]
   exclude_projects = ["$PROJECT_EXCLUDE"]
-
   deny             = ["$ORG_CONSTRAINT_VALUE_1", "$ORG_CONSTRAINT_VALUE_2"]
   deny_list_length = "2"
-
 }
-
 module "org-policy-list-folder-2" {
   source = "../../../"
-
-  constraint       = "$FOLDER_2_CONSTRAINT"
-  folder_id        = "$FOLDER_2_ID"
-  policy_type      = "list"
-
+  policy_for        = "folder"
+  constraint        = "$FOLDER_2_CONSTRAINT"
+  folder_id         = "$FOLDER_2_ID"
+  policy_type       = "list"
   allow             = ["$FOLDER_2_CONSTRAINT_VALUE_1"]
   allow_list_length = "1"
 }
-
 EOF
 }
 

diff --git a/variables.tf b/variables.tf
@@ -14,6 +14,10 @@
  * limitations under the License.
  */
 
+variable "policy_for" {
+  description = "Resource hierarchy node to apply the policy to: can be one of `organization`, `folder`, or `project`."
+  type        = string
+}
 variable "organization_id" {
   description = "The organization id for putting the policy"
   type        = string