Support of GCP Custom Org Policy via Module #147

Closed
Gauravkumargupta opened this issue Oct 14, 2024 · 7 comments
Labels
question Further information is requested waiting-response Waiting for issue author to respond.

Comments

@Gauravkumargupta

TL;DR

Google Cloud supports the creation of custom organisation policies, but we're not able to enforce a custom org policy via the Terraform module. I tried different versions of the module, i.e. 5.4.0, 4.0.0 and 3.0.2, but none works.

Expected behavior

It should be enforced, as enforcement of prebuilt policies works fine via the module code above.

Observed behavior

module.orgPolicy-RestrictOwnerEditorRole.google_organization_policy.org_policy_boolean[0]: Creating...

│ Error: googleapi: Error 404: Requested entity was not found., notFound

│ with module.orgPolicy-RestrictOwnerEditorRole.google_organization_policy.org_policy_boolean[0],
│ on .terraform/modules/RestrictOwnerEditorRole/boolean_constraints.tf line 20, in resource "google_organization_policy" "org_policy_boolean":
│ 20: resource "google_organization_policy" "org_policy_boolean" {

Terraform Configuration

module "orgPolicy-RestrictOwnerEditorRole" {
  source          = "git::https://github.com/terraform-google-modules/terraform-google-org-policy.git?ref=v5.4.0"
  organization_id = "org-id"
  constraint      = "constraints/custom.CusPolicyRestrictOwnerRole"
  policy_type     = "boolean"
  policy_for      = "organization"
  enforce         = true
}

Terraform Version

v3.2.3

Additional information

No response

@Gauravkumargupta Gauravkumargupta added the bug Something isn't working label Oct 14, 2024
@imrannayer
Contributor

@Gauravkumargupta you need to use the org policy module v2 for custom constraints.

@imrannayer imrannayer added question Further information is requested and removed bug Something isn't working labels Oct 22, 2024
@imrannayer imrannayer added the waiting-response Waiting for issue author to respond. label Oct 31, 2024
@Gauravkumargupta
Author

Gauravkumargupta commented Nov 4, 2024

@imrannayer I'm getting the error below while running the plan to create the custom org policy, using the backend.tf and main.tf below.

#backend.tf

provider "google" {
}

terraform {
  required_version = ">=0.13.0"
}

#main.tf

resource "google_org_policy_custom_constraint" "constraint" {
  #some code
}

#ERROR

The provider hashicorp/google does not support resource type "google_org_policy_custom_constraint"

@imrannayer
Contributor

Make sure you are using provider version 5.3+, as it went GA in version 5.3.

@Gauravkumargupta
Author

@imrannayer we don't set any specific version of the google provider in our code, which means it takes the latest one. I shared the backend.tf code in the response above. Does it require any change in backend.tf?

I'm also using the module below to enforce the custom org policy once it's created via the google_org_policy_custom_constraint resource block; could it be a dependency issue?

module "gcp_org_policy_v2" {
  source      = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
  version     = "~> 5.2.0"
  policy_root = "organization"
  # remaining arguments omitted in the original comment
}

@Gauravkumargupta
Author

Gauravkumargupta commented Nov 5, 2024

Also, when I define a specific version of the google provider in backend.tf it also throws an error. I'm not sure why it's checking for this condition: `12:56:42 - Finding hashicorp/google versions matching ">= 3.53.0, < 5.0.0, 5.34.0"...`

backend.tf

provider "google" {
}

provider "google-beta" {
}

terraform {
  required_version = ">=0.13.0"

  required_providers {
    google = {
      version = "5.34.0"
    }
    google-beta = {
      version = "5.34.0"
    }
  }
}

Jenkins Job while running terraform init & plan:

12:56:42 Initializing the backend...
12:56:42
12:56:42 Successfully configured the backend "gcs"! Terraform will automatically
12:56:42 use this backend unless the backend configuration changes.
12:56:42
12:56:42 Initializing provider plugins...
12:56:42 - Finding hashicorp/google versions matching ">= 3.53.0, < 5.0.0, 5.34.0"...
12:56:42 - Finding hashicorp/google-beta versions matching "5.34.0"...
12:56:46 - Finding latest version of hashicorp/null...
12:56:49 - Installing hashicorp/google-beta v5.34.0...
12:56:50 - Installed hashicorp/google-beta v5.34.0 (signed by HashiCorp)
12:56:53 - Installing hashicorp/null v3.2.3...
12:56:54 - Installed hashicorp/null v3.2.3 (signed by HashiCorp)
12:56:54 ╷
12:56:54 │ Error: Failed to query available provider packages
12:56:54 │
12:56:54 │ Could not retrieve the list of available versions for provider
12:56:54 │ hashicorp/google: no available releases match the given constraints >=
12:56:54 │ 3.53.0, < 5.0.0, 5.34.0

@Gauravkumargupta
Author

@imrannayer I fixed the issue. The error was because of the module version I was using:

source = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
version = "~> 5.2.0"

When I switched to version 5.3.0 of the module, I no longer see the error for resource type "google_org_policy_custom_constraint".

Is there a dependency between the two?

@imrannayer
Contributor

Your code was failing because 5.2 has a maximum allowed provider version of 4.X. 5.3 relaxed the requirement.
Usually, when you call a module, you allow minor version upgrades to keep up with new features but avoid major upgrades, which can be breaking changes. Your module version should be as follows. This will allow automatic upgrades to any latest 5.X version and block 6.X versions.

version = "~> 5.2"
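The complete shape this thread converges on, as an added example that is not code from the issue or from the terraform-google-org-policy project: the custom constraint is defined with google_org_policy_custom_constraint and then enforced through the org_policy_v2 sub-module, with the root required_providers constraint chosen so it still intersects with the module's own. The variable org_id, the constraint name, the CEL condition and the IAM resource type are assumptions for illustration; the module input names are as recalled from the org_policy_v2 README and should be checked against the README of the release you pin.

```hcl
terraform {
  required_version = ">= 1.3.0"

  required_providers {
    # Terraform resolves a provider version as the intersection of the root
    # module's constraint and every child module's required_providers. An exact
    # pin such as "5.34.0" combined with org_policy_v2 5.2's "< 5.0.0" is the
    # empty set seen in the Jenkins log (">= 3.53.0, < 5.0.0, 5.34.0").
    # "~> 5.3" means >= 5.3.0, < 6.0.0: it covers the release in which
    # google_org_policy_custom_constraint went GA and still overlaps module 5.3+.
    google = {
      source  = "hashicorp/google"
      version = "~> 5.3"
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "~> 5.3"
    }
  }
}

# Assumed input: the numeric organization ID, not the "organizations/..." form.
variable "org_id" {
  description = "Numeric GCP organization ID"
  type        = string
}

# Step 1: create the custom constraint. The name, description, CEL condition and
# resource type below are illustrative (assumed), not taken from the issue.
# This one denies IAM allow-policy changes that bind the primitive Owner or
# Editor roles, which is the intent behind the constraint named in the thread.
resource "google_org_policy_custom_constraint" "restrict_owner_editor" {
  name         = "custom.restrictOwnerEditorRole"
  parent       = "organizations/${var.org_id}"
  display_name = "Restrict primitive Owner/Editor role grants"
  description  = "Deny IAM bindings that grant roles/owner or roles/editor"

  action_type    = "DENY"
  condition      = "resource.bindings.exists(binding, RoleNameMatches(binding.role, ['roles/owner', 'roles/editor']))"
  method_types   = ["CREATE", "UPDATE"]
  resource_types = ["iam.googleapis.com/AllowPolicy"]
}

# Step 2: enforce it with the v2 sub-module. Custom constraints are served by
# the google_org_policy_policy resource that org_policy_v2 wraps, not by the
# root module's google_organization_policy resource, which is why the original
# module call returned 404. Module input names follow the org_policy_v2 README
# as recalled here; verify them against the pinned release.
module "org_policy_restrict_owner_editor" {
  source  = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
  version = "~> 5.3" # first release whose provider constraint admits 5.x

  policy_root    = "organization"
  policy_root_id = var.org_id

  # Referencing the resource attribute creates the dependency, so the policy is
  # not applied before the constraint exists. The value is "custom.<name>",
  # the form the underlying google_org_policy_policy name expects.
  constraint  = google_org_policy_custom_constraint.restrict_owner_editor.name
  policy_type = "boolean"

  rules = [{
    enforcement = true
    allow       = []
    deny        = []
    conditions  = []
  }]
}
```

Run `terraform init` first and confirm the "Finding hashicorp/google versions matching" line now shows a range with overlap; if a child module still pins below 5.0.0, the same "no available releases match" error returns regardless of what the root declares, so the fix is to bump the module, not to loosen the root pin further.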
