diff --git a/CHANGELOG.md b/CHANGELOG.md
index eef158c..1c54d45 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,13 +6,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
-## [2.0.1] - 2019-XX-YY
+Please add new unreleased features here.
+## [3.0.0] - 2019-XX-YY
+v3.0.0 is a backwards-incompatible release. Please see the [upgrading guide](./docs/upgrading_to_v3.0.md).
 ### Changed
-- Migrated to Cloud Build. [#18]
-
-Please add new unreleased features here.
+- **Breaking**: Fixed combining with folders/projects creation by adding `policy_for` input variable. [#19]
 ## [2.0.0] - 2019-07-25
@@ -24,10 +24,11 @@ Please add new unreleased features here.
 This is the initial release of the module, with full support for org policy management.
-[Unreleased]: https://github.com/terraform-google-modules/terraform-google-org-policy/compare/v2.0.1...HEAD
-[2.0.0]: https://github.com/terraform-google-modules/terraform-google-org-policy/compare/v2.0.0...v2.0.1
+[Unreleased]: https://github.com/terraform-google-modules/terraform-google-org-policy/compare/v3.0.0...HEAD
+[3.0.0]: https://github.com/terraform-google-modules/terraform-google-org-policy/compare/v2.0.0...v3.0.0
 [2.0.0]: https://github.com/terraform-google-modules/terraform-google-org-policy/compare/v1.0.0...v2.0.0
 [1.0.0]: https://github.com/terraform-google-modules/terraform-google-org-policy/releases/tag/v1.0.0
 [#11]: https://github.com/terraform-google-modules/terraform-google-org-policy/pull/11
 [#18]: https://github.com/terraform-google-modules/terraform-google-org-policy/pull/18
+[#19]: https://github.com/terraform-google-modules/terraform-google-org-policy/pull/19
diff --git a/README.md b/README.md
index 1a7f557..31be6ec 100644
--- a/README.md
+++ b/README.md
@@ -59,6 +59,7 @@ To control module's behavior, change variables' values regarding the following:
 | exclude\_projects | List of projects to exclude from the policy | list(string) | `` | no |
 | folder\_id | The folder id for putting the policy | string | `"null"` | no |
 | organization\_id | The organization id for putting the policy | string | `"null"` | no |
+| policy\_for | Resource hierarchy node to apply the policy to: can be one of `organization`, `folder`, or `project`. | string | n/a | yes |
 | policy\_type | The constraint type to work with (either 'boolean' or 'list') | string | `"list"` | no |
 | project\_id | The project id for putting the policy | string | `"null"` | no |
diff --git a/build/lint.cloudbuild.yaml b/build/lint.cloudbuild.yaml
index efd9346..fe6ea27 100644
--- a/build/lint.cloudbuild.yaml
+++ b/build/lint.cloudbuild.yaml
@@ -13,7 +13,7 @@
 # limitations under the License.
 steps:
-- name: 'gcr.io/cloud-foundation-cicd/cft/developer-tools:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
 id: 'lint'
 args: ['/usr/local/bin/test_lint.sh']
 tags:
diff --git a/docs/upgrading_to_v3.0.md b/docs/upgrading_to_v3.0.md
new file mode 100644
index 0000000..80d8c22
--- /dev/null
+++ b/docs/upgrading_to_v3.0.md
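Review bot: The builder image on the changed `- name:` line is now assembled entirely from the `$_DOCKER_IMAGE_DEVELOPER_TOOLS` and `$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS` substitutions, so nothing in this step says which image the lint job actually executes. If neither a `substitutions:` block in this file nor the trigger defines both keys, Cloud Build rejects the build for an unmatched substitution, and when they are defined the image is still resolved by mutable tag at build time. I would document the expectation next to the step, e.g. `# image and tag are supplied by the trigger's _DOCKER_IMAGE_DEVELOPER_TOOLS / _DOCKER_TAG_VERSION_DEVELOPER_TOOLS substitutions; keep them pinned there`. Whether this file already declares defaults for these keys is not visible in the hunk.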
@@ -0,0 +1,44 @@
+# Upgrading to v3.0
+
+The v3.0 release of *org-policy* is a backwards incompatible
+release.
+
+## Migration Instructions
+
+In previous versions of this module the resource hirerarchy node was not defined explicitly which caused problems when the module is combined with project/folder creation. The `policy_for` variable was introduced to address that issue.
+
+### Update for project policies
+```diff
+ module "project_policy" {
+ source = "terraform-google-modules/org-policy/google"
+- version = "~> 2.0"
++ version = "~> 3.0"
+ 
++ policy_for = "project"
+ # ...
+ }
+```
+
+### Update for folder policies
+```diff
+ module "folder_policy" {
+ source = "terraform-google-modules/org-policy/google"
+- version = "~> 2.0"
++ version = "~> 3.0"
+ 
++ policy_for = "folder"
+ # ...
+ }
+```
+
+### Update for organization policies
+```diff
+ module "org_policy" {
+ source = "terraform-google-modules/org-policy/google"
+- version = "~> 2.0"
++ version = "~> 3.0"
+ 
++ policy_for = "organization"
+ # ...
+ }
+```
diff --git a/examples/boolean_org_exclude/main.tf b/examples/boolean_org_exclude/main.tf
index 49f236a..f05deaf 100644
--- a/examples/boolean_org_exclude/main.tf
+++ b/examples/boolean_org_exclude/main.tf
@@ -27,6 +27,7 @@ provider "google" {
 *****************************************/
 module "org-disable-serial-port-access-deny-all-with-excludes" {
 source = "../../"
+ policy_for = "organization"
 organization_id = var.organization_id
 constraint = "compute.disableSerialPortAccess"
 enforce = true
diff --git a/examples/boolean_project_allow/main.tf b/examples/boolean_project_allow/main.tf
index 1246669..024a1b3 100644
--- a/examples/boolean_project_allow/main.tf
+++ b/examples/boolean_project_allow/main.tf
@@ -27,6 +27,7 @@ provider "google" {
 *****************************************/
 module "org-policy" {
 source = "../../"
+ policy_for = "project"
 project_id = var.project_id
 constraint = "compute.disableSerialPortAccess"
 policy_type = "boolean"
diff --git a/examples/list_folder_deny/main.tf b/examples/list_folder_deny/main.tf
index e80774d..652772a 100644
--- a/examples/list_folder_deny/main.tf
+++ b/examples/list_folder_deny/main.tf
@@ -27,6 +27,7 @@ provider "google" {
 *****************************************/
 module "org-policy" {
 source = "../../"
+ policy_for = "folder"
 folder_id = var.folder_id
 constraint = "serviceuser.services"
 policy_type = "list"
diff --git a/examples/list_org_exclude/main.tf b/examples/list_org_exclude/main.tf
index 2c5ba8e..77d75f6 100644
--- a/examples/list_org_exclude/main.tf
+++ b/examples/list_org_exclude/main.tf
@@ -27,6 +27,7 @@ provider "google" {
 *****************************************/
 module "org-policy" {
 source = "../../"
+ policy_for = "organization"
 organization_id = var.organization_id
 constraint = "compute.trustedImageProjects"
 policy_type = "list"
diff --git a/examples/list_restrict_domain/main.tf b/examples/list_restrict_domain/main.tf
index 88e8ce7..ba956e5 100644
--- a/examples/list_restrict_domain/main.tf
+++ b/examples/list_restrict_domain/main.tf
@@ -31,6 +31,7 @@ data "google_organization" "org" {
 module "org-policy" {
 source = "../../"
+ policy_for = "organization"
 organization_id = var.organization_id
 constraint = "constraints/iam.allowedPolicyMemberDomains"
 policy_type = "list"
diff --git a/main.tf b/main.tf
index 8a06739..5dfe8fd 100644
--- a/main.tf
+++ b/main.tf
@@ -18,9 +18,9 @@
 Locals configuration for module logic
 *****************************************/
 locals {
- organization = var.organization_id != null
- folder = var.folder_id != null
- project = var.project_id != null
+ organization = var.policy_for == "organization"
+ folder = var.policy_for == "folder"
+ project = var.policy_for == "project"
 boolean_policy = var.policy_type == "boolean"
 list_policy = var.policy_type == "list" && ! local.invalid_config
 enforce = var.allow_list_length > 0 || var.deny_list_length > 0 ? null : var.enforce
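Review bot: The three new `organization`/`folder`/`project` locals make `policy_for` the only selector, but nothing in this hunk rejects a value outside those three strings: a mistyped or differently-cased value leaves all three locals false, and because the former `var.*_id != null` checks are gone, the module can plan cleanly while creating no policy at all, which for an org-policy guardrail is a silent fail-open rather than an error. I would add `invalid_policy_for = ! (local.organization || local.folder || local.project)` and fold it into `local.invalid_config` (or whatever makes the module fail), and also keep a coupling check such as `local.project && var.project_id == null`, since selecting a node no longer guarantees its id was supplied. The same missing validation applies to the `policy_for` declaration in the variables.tf hunk. The `locals` block continues beyond this hunk, so what `invalid_config` already covers is not visible here.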
diff --git a/test/integration/boolean_constraints/launch.sh b/test/integration/boolean_constraints/launch.sh
index 875a134..dd78efe 100644
--- a/test/integration/boolean_constraints/launch.sh
+++ b/test/integration/boolean_constraints/launch.sh
@@ -50,43 +50,35 @@ function create_main_tf_file() {
 echo "Creating main.tf file"
 touch main.tf
 cat < main.tf
-
 provider "google" {
 version = "~> 2.5.0"
 }
-
 module "org-policy-boolean-project" {
 source = "../../../"
-
+ policy_for = "project"
 constraint = "$PROJECT_CONSTRAINT"
 project_id = "$PROJECT_ID"
 enforce = "true"
 policy_type = "boolean"
 }
-
 module "org-policy-boolean-folder" {
 source = "../../../"
-
+ policy_for = "folder"
 constraint = "$FOLDER_CONSTRAINT"
 folder_id = "$FOLDER_1_ID"
 enforce = "true"
 policy_type = "boolean"
-
 exclude_projects = ["$PROJECT_EXCLUDE"]
 }
-
-
 module "org-policy-boolean-org" {
 source = "../../../"
-
+ policy_for = "organization"
 constraint = "$ORG_CONSTRAINT_BOOL"
 organization_id = "$ORGANIZATION_ID"
 enforce = "true"
 policy_type = "boolean"
-
 exclude_folders = ["$FOLDER_EXCLUDE"]
 }
-
 EOF
 }
diff --git a/test/integration/list_constraints/launch.sh b/test/integration/list_constraints/launch.sh
index 0f31aad..c88f5e7 100644
--- a/test/integration/list_constraints/launch.sh
+++ b/test/integration/list_constraints/launch.sh
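Review bot: The generated module blocks in this heredoc pass `enforce = "true"` as a quoted string, while the module's own example in examples/boolean_org_exclude/main.tf passes `enforce = true` as a bare boolean; the test fixture should exercise the type callers are documented to use, so I would drop the quotes on the three `enforce` lines here (and on the `"true"`/`"false"` lines in the list_constraints/launch.sh hunk). As rendered here the heredoc line reads `cat < main.tf`, which is presumably an extraction artifact of a `cat <<EOF > main.tf` redirection; if the file really says `<`, the function reads main.tf instead of writing it and the terminating `EOF` line is unmatched, so worth confirming against the actual file. `create_main_tf_file` opens on the hunk header line and closes inside the hunk.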
@@ -54,55 +54,45 @@ function create_main_tf_file() {
 echo "Creating main.tf file"
 touch main.tf
 cat < main.tf
-
 provider "google" {
 version = "~> 2.5.0"
 }
-
 module "org-policy-list-project" {
 source = "../../../"
-
+ policy_for = "project"
 constraint = "$PROJECT_CONSTRAINT_DENY_ALL"
 project_id = "$PROJECT_ID"
 enforce = "true"
 policy_type = "list"
 }
-
 module "org-policy-list-folder" {
 source = "../../../"
-
+ policy_for = "folder"
 constraint = "$FOLDER_CONSTRAINT_ALLOW_ALL"
 folder_id = "$FOLDER_1_ID"
 enforce = "false"
 policy_type = "list"
 }
-
 module "org-policy-list-org" {
 source = "../../../"
-
+ policy_for = "organization"
 constraint = "$ORG_CONSTRAINT"
 organization_id = "$ORGANIZATION_ID"
 policy_type = "list"
-
 exclude_folders = ["$FOLDER_EXCLUDE"]
 exclude_projects = ["$PROJECT_EXCLUDE"]
-
 deny = ["$ORG_CONSTRAINT_VALUE_1", "$ORG_CONSTRAINT_VALUE_2"]
 deny_list_length = "2"
-
 }
-
 module "org-policy-list-folder-2" {
 source = "../../../"
-
- constraint = "$FOLDER_2_CONSTRAINT"
- folder_id = "$FOLDER_2_ID"
- policy_type = "list"
-
+ policy_for = "folder"
+ constraint = "$FOLDER_2_CONSTRAINT"
+ folder_id = "$FOLDER_2_ID"
+ policy_type = "list"
 allow = ["$FOLDER_2_CONSTRAINT_VALUE_1"]
 allow_list_length = "1"
 }
-
 EOF
 }
diff --git a/variables.tf b/variables.tf
index 88485c9..8fbc2dc 100644
--- a/variables.tf
+++ b/variables.tf
@@ -14,6 +14,10 @@
 * limitations under the License.
 */
+variable "policy_for" {
+ description = "Resource hierarchy node to apply the policy to: can be one of `organization`, `folder`, or `project`."
+ type = string
+}
 variable "organization_id" {
 description = "The organization id for putting the policy"
 type = string
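Review bot: In the `org-policy-list-folder-2` block the `constraint`, `folder_id` and `policy_type` lines are removed and re-added with identical content, so the only functional change in that block, the new `policy_for = "folder"` line, is buried in what looks like a whitespace reflow of the surrounding attributes. Keeping the reflow out of this commit (or at least out of this hunk) would leave a three-line functional change that a reviewer can verify at a glance against the other three module blocks, which only gain the one `policy_for` line. `create_main_tf_file` opens on the hunk header line and its closing brace is inside the hunk.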
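Review bot: The description of the new required `policy_for` variable lists the accepted values but leaves out the two things an upgrader is most likely to get wrong: that the comparison in main.tf is an exact lowercase string match, and that the matching `organization_id`/`folder_id`/`project_id` still has to be supplied alongside it now that the id variables no longer select the node on their own. I would extend the description to say the value is case-sensitive and that the corresponding id variable is mandatory for the chosen node, since the variable has no validation block to enforce either.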