Add Policy Parameters support for Managed constraints

GoogleCloudPlatform · Oct 24, 2024 · b3536a2 · b3536a2
1 parent 075e151
commit b3536a2
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 0 deletions.
diff --git a/mmv1/products/orgpolicy/Policy.yaml b/mmv1/products/orgpolicy/Policy.yaml
@@ -54,6 +54,10 @@ examples:
   - name: 'org_policy_policy_dry_run_spec'
     primary_resource_id: 'primary'
     exclude_test: true
+  - name: 'org_policy_policy_parameters_enforce'
+    primary_resource_id: 'primary'
+    exclude_test: true
+    min_version: 'beta'
 parameters:
   - name: 'parent'
     type: String
@@ -121,6 +125,14 @@ properties:
               send_empty_value: true
               custom_flatten: 'templates/terraform/custom_flatten/enum_bool.go.tmpl'
               custom_expand: 'templates/terraform/custom_expand/enum_bool.go.tmpl'
+            - name: 'parameters'
+              description: 'Optional. Required for Managed Constraints if parameters defined in constraints. Pass parameter values when policy enforcement is enabled. Ensure that parameter value types match those defined in the constraint definition. For example: { \"allowedLocations\" : [\"us-east1\", \"us-west1\"], \"allowAll\" : true }'
+              min_version: beta
+              custom_flatten: 'templates/terraform/custom_flatten/json_schema.tmpl'
+              custom_expand: 'templates/terraform/custom_expand/json_schema.tmpl'
+              state_func: 'func(v interface{}) string { s, _ := structure.NormalizeJsonString(v); return s }'
+              validation:
+                function: 'validation.StringIsJSON'
             - name: 'condition'
               type: NestedObject
               description: 'A condition which determines whether this rule is used in the evaluation of the policy. When set, the `expression` field in the `Expr'' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag(''/tag_key_short_name, ''tag_value_short_name'')". or "resource.matchTagId(''tagKeys/key_id'', ''tagValues/value_id'')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag(''123456789/environment, ''prod'')". or "resource.matchTagId(''tagKeys/123'', ''tagValues/456'')".'
@@ -197,6 +209,14 @@ properties:
               send_empty_value: true
               custom_flatten: 'templates/terraform/custom_flatten/enum_bool.go.tmpl'
               custom_expand: 'templates/terraform/custom_expand/enum_bool.go.tmpl'
+            - name: 'parameters'
+              description: 'Optional. Required for Managed Constraints if parameters defined in constraints. Pass parameter values when policy enforcement is enabled. Ensure that parameter value types match those defined in the constraint definition. For example: { \"allowedLocations\" : [\"us-east1\", \"us-west1\"], \"allowAll\" : true }'
+              min_version: beta
+              custom_flatten: 'templates/terraform/custom_flatten/json_schema.tmpl'
+              custom_expand: 'templates/terraform/custom_expand/json_schema.tmpl'
+              state_func: 'func(v interface{}) string { s, _ := structure.NormalizeJsonString(v); return s }'
+              validation:
+                function: 'validation.StringIsJSON'
             - name: 'condition'
               type: NestedObject
               description: 'A condition which determines whether this rule is used in the evaluation of the policy. When set, the `expression` field in the `Expr'' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag(''/tag_key_short_name, ''tag_value_short_name'')". or "resource.matchTagId(''tagKeys/key_id'', ''tagValues/value_id'')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag(''123456789/environment, ''prod'')". or "resource.matchTagId(''tagKeys/123'', ''tagValues/456'')".'

diff --git a/mmv1/templates/terraform/examples/org_policy_policy_parameters_enforce.tf.tmpl b/mmv1/templates/terraform/examples/org_policy_policy_parameters_enforce.tf.tmpl
@@ -0,0 +1,22 @@
+resource "google_org_policy_policy" "primary" {
+  provider = google-beta
+  name     = "projects/${google_project.basic.name}/policies/iam.managed.disableServiceAccountKeyUpload"
+  parent   = "projects/${google_project.basic.name}"
+
+  spec {
+    rules {
+      enforce = "FALSE"
+      parameters {
+      	"allowAll" : true
+	"allowedLocations" : ["us-east1", "us-west1"]
+      }
+    }
+  }
+}
+
+resource "google_project" "basic" {
+  project_id = "id"
+  name       = "id"
+  org_id     = "123456789"
+  deletion_policy = "DELETE"
+}
diff --git a/mmv1/third_party/terraform/services/orgpolicy/resource_org_policy_policy_test.go b/mmv1/third_party/terraform/services/orgpolicy/resource_org_policy_policy_test.go
@@ -458,3 +458,4 @@ func testAccCheckOrgPolicyPolicyDestroyProducer(t *testing.T) func(s *terraform.
 		return nil
 	}
 }
+
Original file line number	Diff line number	Diff line change
Expand Up		@@ -458,3 +458,4 @@ func testAccCheckOrgPolicyPolicyDestroyProducer(t testing.T) func(s terraform.
		return nil
		}
		}