From 1d6573c561c4f49b728270a69361396d30995c35 Mon Sep 17 00:00:00 2001
From: Imran Nayer
Date: Thu, 31 Oct 2024 20:44:28 +0000
Subject: [PATCH 1/3] added variable validation in org policy v2
---
 modules/org_policy_v2/variables.tf | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/modules/org_policy_v2/variables.tf b/modules/org_policy_v2/variables.tf
index ac65f0e..7ad6200 100644
--- a/modules/org_policy_v2/variables.tf
+++ b/modules/org_policy_v2/variables.tf
@@ -18,6 +18,10 @@ variable "policy_root" {
 description = "Resource hierarchy node to apply the policy to: can be one of `organization`, `folder`, or `project`."
 type = string
 default = "organization"
+ validation {
+ condition = contains(["organization", "folder", "project"], var.policy_root)
+ error_message = "policy_root should be one of organization, folder, or project"
+ }
 }
 variable "policy_root_id" {
From 80afd91246e3da2014125b9ff74c470214fc6da7 Mon Sep 17 00:00:00 2001
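Review bot: The `error_message` added to `policy_root` is not a full sentence ending in a period, and early Terraform 0.1x releases, which the module's `required_version = ">= 0.13"` still admits at this commit, reject such messages when the validation block is parsed; `error_message = "policy_root must be one of: organization, folder, or project."` is accepted by every version. The allowed set is now stated twice, in the description and in the `contains()` list, so a future addition has to be made in both places. The trailing context shows `policy_root_id` has no validation of its own and its body lies outside the hunk; a companion check that it is non-null would catch the most common misconfiguration at plan time rather than at apply.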
From: Imran Nayer
Date: Thu, 31 Oct 2024 21:00:55 +0000
Subject: [PATCH 2/3] fixed parent validation in org policy v2
---
 examples/basic_org_policies/versions.tf | 24 -------------
 examples/boolean_org_exclude/versions.tf | 24 -------------
 examples/boolean_project_allow/versions.tf | 24 -------------
 examples/list_folder_deny/versions.tf | 24 -------------
 examples/list_org_exclude/versions.tf | 24 -------------
 examples/v2_boolean_org_enforce/main.tf | 3 --
 examples/v2_boolean_org_enforce/versions.tf | 26 ---------------
 modules/org_policy_v2/README.md | 37 ++++++++++++++++-----
 modules/org_policy_v2/variables.tf | 8 ++---
 modules/org_policy_v2/versions.tf | 2 +-
 10 files changed, 33 insertions(+), 163 deletions(-)
 delete mode 100644 examples/basic_org_policies/versions.tf
 delete mode 100644 examples/boolean_org_exclude/versions.tf
 delete mode 100644 examples/boolean_project_allow/versions.tf
 delete mode 100644 examples/list_folder_deny/versions.tf
 delete mode 100644 examples/list_org_exclude/versions.tf
 delete mode 100644 examples/v2_boolean_org_enforce/versions.tf
diff --git a/examples/basic_org_policies/versions.tf b/examples/basic_org_policies/versions.tf
deleted file mode 100644
index 2b719d1..0000000
--- a/examples/basic_org_policies/versions.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-terraform {
- required_providers {
- google = {
- source = "hashicorp/google"
- }
- }
- required_version = ">= 0.13"
-}
diff --git a/examples/boolean_org_exclude/versions.tf b/examples/boolean_org_exclude/versions.tf
deleted file mode 100644
index 2b719d1..0000000
--- a/examples/boolean_org_exclude/versions.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-terraform {
- required_providers {
- google = {
- source = "hashicorp/google"
- }
- }
- required_version = ">= 0.13"
-}
diff --git a/examples/boolean_project_allow/versions.tf b/examples/boolean_project_allow/versions.tf
deleted file mode 100644
index 2b719d1..0000000
--- a/examples/boolean_project_allow/versions.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-terraform {
- required_providers {
- google = {
- source = "hashicorp/google"
- }
- }
- required_version = ">= 0.13"
-}
diff --git a/examples/list_folder_deny/versions.tf b/examples/list_folder_deny/versions.tf
deleted file mode 100644
index 2b719d1..0000000
--- a/examples/list_folder_deny/versions.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-terraform {
- required_providers {
- google = {
- source = "hashicorp/google"
- }
- }
- required_version = ">= 0.13"
-}
diff --git a/examples/list_org_exclude/versions.tf b/examples/list_org_exclude/versions.tf
deleted file mode 100644
index 2b719d1..0000000
--- a/examples/list_org_exclude/versions.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-terraform {
- required_providers {
- google = {
- source = "hashicorp/google"
- }
- }
- required_version = ">= 0.13"
-}
diff --git a/examples/v2_boolean_org_enforce/main.tf b/examples/v2_boolean_org_enforce/main.tf
index 169be2f..97e624b 100644
--- a/examples/v2_boolean_org_enforce/main.tf
+++ b/examples/v2_boolean_org_enforce/main.tf
@@ -25,9 +25,6 @@ module "gcp_org_policy_v2" {
 policy_root_id = var.org_id
 rules = [{
 enforcement = true
- allow = []
- deny = []
- conditions = []
 }]
 constraint = "compute.requireOsLogin"
 policy_type = "boolean"
diff --git a/examples/v2_boolean_org_enforce/versions.tf b/examples/v2_boolean_org_enforce/versions.tf
deleted file mode 100644
index a81c253..0000000
--- a/examples/v2_boolean_org_enforce/versions.tf
+++ /dev/null
@@ -1,26 +0,0 @@
-/**
- * Copyright 2021 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-terraform {
- required_version = ">= 0.13"
- required_providers {
-
- google = {
- source = "hashicorp/google"
- version = ">= 3.53"
- }
- }
-}
diff --git a/modules/org_policy_v2/README.md b/modules/org_policy_v2/README.md
index 1004ccd..80e3118 100644
--- a/modules/org_policy_v2/README.md
+++ b/modules/org_policy_v2/README.md
@@ -9,8 +9,10 @@ Organization Policies are of two types `boolean` and `list`. ## Usage Example usage is included in the [examples](./examples/org_policy_v2) folder, but simple usage is as follows: +- Bool organization policy + ```hcl -module "gcp_org_policy_v2" { +module "gcp_org_policy_v2_bool" { source = "terraform-google-modules/org-policy/google//modules/org_policy_v2" version = "~> 5.2.0"
@@ -25,15 +27,10 @@ module "gcp_org_policy_v2" { # Rule 1 { enforcement = true - allow = [] - deny = [] - conditions = [] }, # Rule 2 { enforcement = true - allow = [] - deny = [] conditions = [{ description = "description of the condition" expression = "resource.matchTagId('tagKeys/123456789', 'tagValues/123456789') && resource.matchTag('123456789/1234', 'abcd')"
@@ -45,6 +42,28 @@ module "gcp_org_policy_v2" { } ``` +- List organization policy + +```hcl +module "gcp_org_policy_v2_list" { + source = "terraform-google-modules/org-policy/google//modules/org_policy_v2" + version = "~> 5.0" + + policy_root = "organization" + policy_root_id = var.org_id + constraint = "gcp.resourceLocations" + policy_type = "list" + + rules = [ + # Rule 1 + { + enforcement = true + allow = ["in:us-locations"] + } + ] +} +``` + ### Variables To control module's behavior, change variables' values regarding the following:
@@ -99,7 +118,7 @@ To control module's behavior, change variables' values regarding the following: | policy\_root | Resource hierarchy node to apply the policy to: can be one of `organization`, `folder`, or `project`. | `string` | `"organization"` | no | | policy\_root\_id | The policy root id, either of organization\_id, folder\_id or project\_id | `string` | `null` | no | | policy\_type | The constraint type to work with (either 'boolean' or 'list') | `string` | `"list"` | no | -| rules | List of rules per policy. Up to 10. |
list(object(
{
enforcement = bool
allow = list(string)
deny = list(string)
conditions = list(object(
{
description = string
expression = string
title = string
location = string
}
))
}
))
| n/a | yes | +| rules | List of rules per policy. Up to 10. |
list(object(
{
enforcement = bool
allow = optional(list(string))
deny = optional(list(string))
conditions = optional(list(object(
{
description = string
expression = string
title = string
location = string
}
)))
}
))
| n/a | yes | ## Outputs
@@ -114,7 +133,7 @@ To control module's behavior, change variables' values regarding the following: --- ## Compatibility -This module is meant for use with Terraform 0.13+ and tested using Terraform 1.0+. If you find incompatibilities using Terraform >=0.13, please open an issue. +This module is meant for use with Terraform 1.3+ and tested using Terraform 1.0+. If you find incompatibilities using Terraform >=1.3, please open an issue. If you haven't [upgraded](https://www.terraform.io/upgrade-guides/0-13.html) and need a Terraform 0.12.x-compatible version of this module, the last released version
@@ -122,7 +141,7 @@ intended for Terraform 0.12.x is [v4.0.0](https://registry.terraform.io/modules/ ## Requirements ### Terraform plugins -- [Terraform](https://www.terraform.io/downloads.html) >= 0.13.0 +- [Terraform](https://www.terraform.io/downloads.html) >= 1.3.0 - [terraform-provider-google](https://github.com/terraform-providers/terraform-provider-google) >= v2.5.0 ### Permissions
diff --git a/modules/org_policy_v2/variables.tf b/modules/org_policy_v2/variables.tf
index 7ad6200..7e1bf3d 100644
--- a/modules/org_policy_v2/variables.tf
+++ b/modules/org_policy_v2/variables.tf
@@ -64,16 +64,16 @@ variable "rules" {
 type = list(object(
 {
 enforcement = bool
- allow = list(string)
- deny = list(string)
- conditions = list(object(
+ allow = optional(list(string))
+ deny = optional(list(string))
+ conditions = optional(list(object(
 {
 description = string
 expression = string
 title = string
 location = string
 }
- ))
+ )))
 }
 ))
 }
diff --git a/modules/org_policy_v2/versions.tf b/modules/org_policy_v2/versions.tf
index f00903a..ce838e7 100644
--- a/modules/org_policy_v2/versions.tf
+++ b/modules/org_policy_v2/versions.tf
@@ -15,7 +15,7 @@ */
 terraform {
- required_version = ">= 0.13"
+ required_version = ">= 1.3"
 required_providers {
 google = {
From 0d5606dc2d6863e6283c6aa50f57aa576e4c3ac9 Mon Sep 17 00:00:00 2001
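Review bot: In the `variables.tf` hunk the three outer attributes become `optional(...)`, but the four fields of the nested `conditions` object stay mandatory `string`, so a caller that only has an `expression` must still invent `description`, `title` and `location`; `description = optional(string)`, `title = optional(string)` and `location = optional(string)` would match the README example, which only shows `description` and `expression`, provided the provider accepts them as null (not verifiable from this hunk). Because `optional()` in a type constraint needs Terraform 1.3, the `versions.tf` bump from `>= 0.13` to `>= 1.3` is required, but it raises the minimum Terraform version for every existing consumer and so reads as a breaking change that should ship with a major version bump rather than under the `~> 5.2.0` pin the README shows. The README hunk in the same commit now says the module is "meant for use with Terraform 1.3+ and tested using Terraform 1.0+", which contradicts itself; "tested using Terraform 1.3+" matches the new constraint.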
From: Imran Nayer
Date: Tue, 5 Nov 2024 03:27:23 +0000
Subject: [PATCH 3/3] fixed null value error
---
 modules/org_policy_v2/README.md | 2 +-
 modules/org_policy_v2/variables.tf | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/org_policy_v2/README.md b/modules/org_policy_v2/README.md
index 80e3118..bf071f2 100644
--- a/modules/org_policy_v2/README.md
+++ b/modules/org_policy_v2/README.md
@@ -118,7 +118,7 @@ To control module's behavior, change variables' values regarding the following: | policy\_root | Resource hierarchy node to apply the policy to: can be one of `organization`, `folder`, or `project`. | `string` | `"organization"` | no | | policy\_root\_id | The policy root id, either of organization\_id, folder\_id or project\_id | `string` | `null` | no | | policy\_type | The constraint type to work with (either 'boolean' or 'list') | `string` | `"list"` | no | -| rules | List of rules per policy. Up to 10. |
list(object(
{
enforcement = bool
allow = optional(list(string))
deny = optional(list(string))
conditions = optional(list(object(
{
description = string
expression = string
title = string
location = string
}
)))
}
))
| n/a | yes | +| rules | List of rules per policy. Up to 10. |
list(object(
{
enforcement = bool
allow = optional(list(string), [])
deny = optional(list(string), [])
conditions = optional(list(object(
{
description = string
expression = string
title = string
location = string
}
)), [])
}
))
| n/a | yes | ## Outputs
diff --git a/modules/org_policy_v2/variables.tf b/modules/org_policy_v2/variables.tf
index 7e1bf3d..73af8ca 100644
--- a/modules/org_policy_v2/variables.tf
+++ b/modules/org_policy_v2/variables.tf
@@ -64,8 +64,8 @@ variable "rules" {
 type = list(object(
 {
 enforcement = bool
- allow = optional(list(string))
- deny = optional(list(string))
+ allow = optional(list(string), [])
+ deny = optional(list(string), [])
 conditions = optional(list(object(
 {
 description = string
@@ -73,7 +73,7 @@ variable "rules" {
 title = string
 location = string
 }
- )))
+ )), [])
 }
 ))
 }
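Review bot: The description of `rules` still promises "Up to 10." but nothing in the variable enforces it, so an eleventh rule is only rejected by the API at apply time; now that the module requires Terraform 1.3 a `validation` block on `length(var.rules)`, placed just before the closing brace of `variable "rules"` at the end of the second hunk, would reject it at plan time. The `[]` defaults in both hunks are the right fix for the null-value error named in the subject: an omitted `allow`, `deny` or `conditions` is now an empty list rather than `null`, so iterating or taking `length()` over them in the module body (not shown) no longer fails.
```hcl
  # … unchanged: type = list(object( … )) …
  validation {
    condition     = length(var.rules) <= 10
    error_message = "rules accepts at most 10 entries."
  }
}
```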