diff --git a/.github/release-please.yml b/.github/release-please.yml
index 6366b9c..884357c 100644
--- a/.github/release-please.yml
+++ b/.github/release-please.yml
@@ -1,2 +1,16 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 releaseType: terraform-module
 handleGHRelease: true
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index fcf18fe..de1fd4a 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -1,3 +1,17 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 name: "Close stale issues"
 on:
 schedule:
diff --git a/.gitignore b/.gitignore
index 84464e2..b372aea 100644
--- a/.gitignore
+++ b/.gitignore
@@ -43,3 +43,6 @@ credentials.json
 # Test files
 .kitchen/
+
+# tf lock file
+.terraform.lock.hcl
diff --git a/Makefile b/Makefile
index 6d34e48..5b71d3c 100644
--- a/Makefile
+++ b/Makefile
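Review bot: The new `.terraform.lock.hcl` pattern in the `.gitignore` hunk has no leading slash, so it ignores the dependency lock file in every directory of the repository, not only at the module root. For the reusable module itself that is the usual choice, but any root configurations kept in the repo (examples or test fixtures, if present; they are not visible in this diff) would then run `terraform init` with no committed lock file, so provider versions and checksums are re-resolved on each run instead of being checked against recorded hashes. Consider anchoring the entry as `/.terraform.lock.hcl`, or extend the comment to `# tf lock file (provider pinning is left to consumers of this module)` so the choice is explicit.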
@@ -18,7 +18,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.13
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.0
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
diff --git a/README.md b/README.md
index 1bfa6a1..1e5577f 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,8 @@
 This Terraform module makes it easier to manage [organization policies](https://cloud.google.com/resource-manager/docs/organization-policy/overview) for your Google Cloud environment, particularly when you want to have exclusion rules. This module will allow you to set a top-level org policy and then disable it on individual projects or folders easily.
 ## Compatibility
-This module is meant for use with Terraform 0.13. If you haven't
+This module is meant for use with Terraform 0.13+ and tested using Terraform 1.0+. If you find incompatibilities using Terraform >=0.13, please open an issue.
+ If you haven't
 [upgraded](https://www.terraform.io/upgrade-guides/0-13.html) and need a Terraform 0.12.x-compatible version of this module, the last released version intended for Terraform 0.12.x is [v4.0.0](https://registry.terraform.io/modules/terraform-google-modules/-org-policy/google/v4.0.0).
diff --git a/boolean_constraints.tf b/boolean_constraints.tf
index d890163..69de007 100644
--- a/boolean_constraints.tf
+++ b/boolean_constraints.tf
@@ -60,7 +60,7 @@ resource "google_project_organization_policy" "project_policy_boolean" {
 Exclude folders from policy (boolean constraint)
 *****************************************/
 resource "google_folder_organization_policy" "policy_boolean_exclude_folders" {
- for_each = (local.boolean_policy && ! local.project) ? var.exclude_folders : []
+ for_each = (local.boolean_policy && !local.project) ? var.exclude_folders : []
 folder = each.value
 constraint = var.constraint
@@ -74,7 +74,7 @@ resource "google_folder_organization_policy" "policy_boolean_exclude_folders" {
 Exclude projects from policy (boolean constraint)
 *****************************************/
 resource "google_project_organization_policy" "policy_boolean_exclude_projects" {
- for_each = (local.boolean_policy && ! local.project) ? var.exclude_projects : []
+ for_each = (local.boolean_policy && !local.project) ? var.exclude_projects : []
 project = each.value
 constraint = var.constraint
diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml
index b3bf477..2fe9a02 100644
--- a/build/int.cloudbuild.yaml
+++ b/build/int.cloudbuild.yaml
@@ -38,4 +38,4 @@ tags:
 - 'integration'
 substitutions:
 _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
- _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.13'
+ _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.0'
diff --git a/build/lint.cloudbuild.yaml b/build/lint.cloudbuild.yaml
index e70d58a..d570491 100644
--- a/build/lint.cloudbuild.yaml
+++ b/build/lint.cloudbuild.yaml
@@ -21,4 +21,4 @@ tags:
 - 'lint'
 substitutions:
 _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
- _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.13'
+ _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.0'
diff --git a/list_constraints.tf b/list_constraints.tf
index 403ec82..288282a 100644
--- a/list_constraints.tf
+++ b/list_constraints.tf
@@ -210,7 +210,7 @@ resource "google_project_organization_policy" "project_policy_list_allow_values"
 Exclude folders from policy (list constraint)
 *****************************************/
 resource "google_folder_organization_policy" "folder_policy_list_exclude_folders" {
- for_each = (local.list_policy && ! local.project) ? var.exclude_folders : []
+ for_each = (local.list_policy && !local.project) ? var.exclude_folders : []
 folder = each.value
 constraint = var.constraint
@@ -224,7 +224,7 @@ resource "google_folder_organization_policy" "folder_policy_list_exclude_folders
 Exclude projects from policy (list constraint)
 *****************************************/
 resource "google_project_organization_policy" "project_policy_list_exclude_projects" {
- for_each = (local.list_policy && ! local.project) ? var.exclude_projects : []
+ for_each = (local.list_policy && !local.project) ? var.exclude_projects : []
 project = each.value
 constraint = var.constraint
diff --git a/main.tf b/main.tf
index 48e06c3..750e4ba 100644
--- a/main.tf
+++ b/main.tf
@@ -22,7 +22,7 @@ locals {
 folder = var.policy_for == "folder"
 project = var.policy_for == "project"
 boolean_policy = var.policy_type == "boolean"
- list_policy = var.policy_type == "list" && ! local.invalid_config
+ list_policy = var.policy_type == "list" && !local.invalid_config
 // If allow/deny list empty and enforce is not set, enforce is set to true
 enforce = var.allow_list_length > 0 || var.deny_list_length > 0 ? null : var.enforce != false
diff --git a/test/integration/boolean_org_exclude/inspec.yml b/test/integration/boolean_org_exclude/inspec.yml
index bce75ce..cb3f544 100644
--- a/test/integration/boolean_org_exclude/inspec.yml
+++ b/test/integration/boolean_org_exclude/inspec.yml
@@ -1,3 +1,17 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 name: boolean_org_exclude
 attributes:
diff --git a/test/integration/boolean_project_allow/inspec.yml b/test/integration/boolean_project_allow/inspec.yml
index 36232d8..2086d64 100644
--- a/test/integration/boolean_project_allow/inspec.yml
+++ b/test/integration/boolean_project_allow/inspec.yml
@@ -1,3 +1,17 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 name: boolean_project_allow
 attributes:
diff --git a/test/integration/list_folder_deny/inspec.yml b/test/integration/list_folder_deny/inspec.yml
index c4d9a21..303c466 100644
--- a/test/integration/list_folder_deny/inspec.yml
+++ b/test/integration/list_folder_deny/inspec.yml
@@ -1,3 +1,17 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 name: list_folder_deny
 attributes:
diff --git a/test/integration/list_org_exclude/inspec.yml b/test/integration/list_org_exclude/inspec.yml
index c059425..c8a3aa5 100644
--- a/test/integration/list_org_exclude/inspec.yml
+++ b/test/integration/list_org_exclude/inspec.yml
@@ -1,3 +1,17 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 name: boolean_org_exclude
 attributes:
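Review bot: The unchanged line `name: boolean_org_exclude` under the new header does not match this file's directory, `test/integration/list_org_exclude`, and it duplicates the name used by the boolean_org_exclude profile earlier in this diff; it looks copied from there. Since the commit already touches the file, change it to `name: list_org_exclude` so results of the list-constraint exclusion test are not reported under the boolean profile's name. The remainder of the profile lies outside the hunk, so any other references to the old name are not visible here.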