Merge remote-tracking branch 'origin/mc-parameterized' into mc-parame…

…terized

mmv1/products/orgpolicy/Policy.yaml

@@ -57,7 +57,6 @@ examples:
   - name: 'org_policy_policy_parameters_enforce'
     primary_resource_id: 'primary'
     exclude_test: true
-    min_version: 'beta'
 parameters:
   - name: 'parent'
     type: String
@@ -127,7 +126,6 @@ properties:
               custom_expand: 'templates/terraform/custom_expand/enum_bool.go.tmpl'
             - name: 'parameters'
               description: 'Optional. Required for Managed Constraints if parameters defined in constraints. Pass parameter values when policy enforcement is enabled. Ensure that parameter value types match those defined in the constraint definition. For example: { \"allowedLocations\" : [\"us-east1\", \"us-west1\"], \"allowAll\" : true }'
-              min_version: beta
               custom_flatten: 'templates/terraform/custom_flatten/json_schema.tmpl'
               custom_expand: 'templates/terraform/custom_expand/json_schema.tmpl'
               state_func: 'func(v interface{}) string { s, _ := structure.NormalizeJsonString(v); return s }'
@@ -211,7 +209,6 @@ properties:
               custom_expand: 'templates/terraform/custom_expand/enum_bool.go.tmpl'
             - name: 'parameters'
               description: 'Optional. Required for Managed Constraints if parameters defined in constraints. Pass parameter values when policy enforcement is enabled. Ensure that parameter value types match those defined in the constraint definition. For example: { \"allowedLocations\" : [\"us-east1\", \"us-west1\"], \"allowAll\" : true }'
-              min_version: beta
               custom_flatten: 'templates/terraform/custom_flatten/json_schema.tmpl'
               custom_expand: 'templates/terraform/custom_expand/json_schema.tmpl'
               state_func: 'func(v interface{}) string { s, _ := structure.NormalizeJsonString(v); return s }'

mmv1/templates/terraform/examples/org_policy_policy_parameters_enforce.tf.tmpl

@@ -1,15 +1,11 @@
 resource "google_org_policy_policy" "primary" {
-  provider = google-beta
-  name     = "projects/${google_project.basic.name}/policies/iam.managed.disableServiceAccountKeyUpload"
+  name     = "projects/${google_project.basic.name}/policies/compute.managed.restrictDiskCreation"
   parent   = "projects/${google_project.basic.name}"
 
   spec {
     rules {
-      enforce = "FALSE"
-      parameters {
-      	"allowAll" : true
-	"allowedLocations" : ["us-east1", "us-west1"]
-      }
+      enforce = "TRUE"
+      parameters = jsonencode({"isSizeLimitCheck" : true, "allowedDiskTypes" : ["pd-ssd", "pd-standard"]})
     }
   }
 }

mmv1/third_party/terraform/services/orgpolicy/resource_org_policy_policy_test.go

@@ -458,20 +458,95 @@ func testAccCheckOrgPolicyPolicyDestroyProducer(t *testing.T) func(s *terraform.
 		return nil
 	}
 }
+func TestAccOrgPolicyPolicy_EnforceParameterizedMCPolicy(t *testing.T) {
+	// Skip this test as no constraints yet launched in production, verified functionality with manual testing.
+	t.Skip()
+	t.Parallel()
 
+	context := map[string]interface{}{
+		"org_id":        envvar.GetTestOrgFromEnv(t),
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckOrgPolicyPolicyDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccOrgPolicyPolicy_EnforceParameterizedMCPolicy(context),
+			},
+			{
+				ResourceName:            "google_org_policy_policy.primary",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"name", "spec.0.rules.0.condition.0.expression"},
+			},
+		},
+	})
+}
 func testAccOrgPolicyPolicy_EnforceParameterizedMCPolicy(context map[string]interface{}) string {
-        return acctest.Nprintf(`
+	return acctest.Nprintf(`
 resource "google_org_policy_policy" "primary" {
-  name   = "projects/${google_project.basic.name}/policies/constraints/compute.managed.restrictDiskCreation"
+  name   = "projects/${google_project.basic.name}/policies/essentialcontacts.managed.allowedContactDomains"
   parent = "projects/${google_project.basic.name}"
 
   spec {
     rules {
       enforce = "TRUE"
-      parameters {
-	"isSizeLimitCheck" = True,
-        "allowedDiskTypes" = ["pd-ssd"]
-      }
+      parameters = "{\"allowedDomains\": [\"@google.com\"]}"
+    }
+  }
+}
+
+resource "google_project" "basic" {
+  project_id = "tf-test-id%{random_suffix}"
+  name       = "tf-test-id%{random_suffix}"
+  org_id     = "%{org_id}"
+  deletion_policy = "DELETE"
+}
+
+
+`, context)
+}
+
+func TestAccOrgPolicyPolicy_EnforceParameterizedMCDryRunPolicy(t *testing.T) {
+	// Skip this test as no constraints yet launched in production, verified functionality with manual testing.
+	t.Skip()
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"org_id":        envvar.GetTestOrgFromEnv(t),
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckOrgPolicyPolicyDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccOrgPolicyPolicy_EnforceParameterizedMCDryRunPolicy(context),
+			},
+			{
+				ResourceName:            "google_org_policy_policy.primary",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"name", "spec.0.rules.0.condition.0.expression"},
+			},
+		},
+	})
+}
+func testAccOrgPolicyPolicy_EnforceParameterizedMCDryRunPolicy(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_org_policy_policy" "primary" {
+  name   = "projects/${google_project.basic.name}/policies/essentialcontacts.managed.allowedContactDomains"
+  parent = "projects/${google_project.basic.name}"
+
+  dry_run_spec {
+    rules {
+      enforce = "TRUE"
+      parameters = "{\"allowedDomains\": [\"@google.com\"]}"
     }
   }
 }