From fd1ebcb2c5b9122e3154bdc9463f20d45e74a90a Mon Sep 17 00:00:00 2001 From: Aleksandr Averbukh Date: Fri, 11 Oct 2019 16:57:41 +0200 Subject: [PATCH 1/5] Add 'policy_for' variable to address terraform-google-modules/terraform-google-org-policy#19 --- CHANGELOG.md | 8 ++-- README.md | 1 + build/lint.cloudbuild.yaml | 2 +- docs/upgrading_to_v3.0.md | 44 +++++++++++++++++++ examples/boolean_org_exclude/main.tf | 1 + examples/boolean_project_allow/main.tf | 1 + examples/list_folder_deny/main.tf | 1 + examples/list_org_exclude/main.tf | 1 + examples/list_restrict_domain/main.tf | 1 + main.tf | 6 +-- .../integration/boolean_constraints/launch.sh | 3 ++ test/integration/list_constraints/launch.sh | 5 +++ variables.tf | 4 ++ 13 files changed, 70 insertions(+), 8 deletions(-) create mode 100644 docs/upgrading_to_v3.0.md diff --git a/CHANGELOG.md b/CHANGELOG.md index eef158c..89b07f1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,13 +6,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] -## [2.0.1] - 2019-XX-YY +Please add new unreleased features here. +## [3.0.0] - 2019-XX-YY +v3.0.0 is a backwards-incompatible release. Please see the [upgrading guide](./docs/upgrading_to_v3.0.md). ### Changed -- Migrated to Cloud Build. [#18] - -Please add new unreleased features here. +- **Breaking**: Fixed combining with folders/projects creation [#19] by adding `policy_for` input variable. ## [2.0.0] - 2019-07-25 diff --git a/README.md b/README.md index 1a7f557..31be6ec 100644 --- a/README.md +++ b/README.md 
@@ -59,6 +59,7 @@ To control module's behavior, change variables' values regarding the following: | exclude\_projects | List of projects to exclude from the policy | list(string) | `` | no | | folder\_id | The folder id for putting the policy | string | `"null"` | no | | organization\_id | The organization id for putting the policy | string | `"null"` | no | +| policy\_for | Resource hierarchy node to apply the policy to: can be one of `organization`, `folder`, or `project`. | string | n/a | yes | | policy\_type | The constraint type to work with (either 'boolean' or 'list') | string | `"list"` | no | | project\_id | The project id for putting the policy | string | `"null"` | no | diff --git a/build/lint.cloudbuild.yaml b/build/lint.cloudbuild.yaml index efd9346..fe6ea27 100644 --- a/build/lint.cloudbuild.yaml +++ b/build/lint.cloudbuild.yaml @@ -13,7 +13,7 @@ # limitations under the License. steps: -- name: 'gcr.io/cloud-foundation-cicd/cft/developer-tools:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' +- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' id: 'lint' args: ['/usr/local/bin/test_lint.sh'] tags: diff --git a/docs/upgrading_to_v3.0.md b/docs/upgrading_to_v3.0.md new file mode 100644 index 0000000..47f85a6 --- /dev/null +++ b/docs/upgrading_to_v3.0.md 
@@ -0,0 +1,44 @@ +# Upgrading to v3.0 + +The v3.0 release of *org-policy* is a backwards incompatible +release. + +## Migration Instructions + +In previous versions of this module the resource hirerarchy node was not defined explicitly which caused problems when the module is combined with project/folder creation. The `policy_for` variable was introdused to address that issue. + +### Update for project policies +```diff + module "project_policy" { + source = "terraform-google-modules/org-policy/google" +- version = "~> 2.0" ++ version = "~> 3.0" + ++ policy_for = "project" + # ... + } +``` + +### Update for folder policies +```diff + module "folder_policy" { + source = "terraform-google-modules/org-policy/google" +- version = "~> 2.0" ++ version = "~> 3.0" + ++ policy_for = "folder" + # ... + } +``` + +### Update for organization policies +```diff + module "org_policy" { + source = "terraform-google-modules/org-policy/google" +- version = "~> 2.0" ++ version = "~> 3.0" + ++ policy_for = "organization" + # ... + } +``` diff --git a/examples/boolean_org_exclude/main.tf b/examples/boolean_org_exclude/main.tf index 49f236a..f05deaf 100644 --- a/examples/boolean_org_exclude/main.tf +++ b/examples/boolean_org_exclude/main.tf @@ -27,6 +27,7 @@ provider "google" { *****************************************/ module "org-disable-serial-port-access-deny-all-with-excludes" { source = "../../" + policy_for = "organization" organization_id = var.organization_id constraint = "compute.disableSerialPortAccess" enforce = true diff --git a/examples/boolean_project_allow/main.tf b/examples/boolean_project_allow/main.tf index 1246669..024a1b3 100644 --- a/examples/boolean_project_allow/main.tf +++ b/examples/boolean_project_allow/main.tf @@ -27,6 +27,7 @@ provider "google" { *****************************************/ module "org-policy" { source = "../../" + policy_for = "project" project_id = var.project_id constraint = "compute.disableSerialPortAccess" policy_type = "boolean" 
diff --git a/examples/list_folder_deny/main.tf b/examples/list_folder_deny/main.tf index e80774d..652772a 100644 --- a/examples/list_folder_deny/main.tf +++ b/examples/list_folder_deny/main.tf @@ -27,6 +27,7 @@ provider "google" { *****************************************/ module "org-policy" { source = "../../" + policy_for = "folder" folder_id = var.folder_id constraint = "serviceuser.services" policy_type = "list" diff --git a/examples/list_org_exclude/main.tf b/examples/list_org_exclude/main.tf index 2c5ba8e..77d75f6 100644 --- a/examples/list_org_exclude/main.tf +++ b/examples/list_org_exclude/main.tf @@ -27,6 +27,7 @@ provider "google" { *****************************************/ module "org-policy" { source = "../../" + policy_for = "organization" organization_id = var.organization_id constraint = "compute.trustedImageProjects" policy_type = "list" diff --git a/examples/list_restrict_domain/main.tf b/examples/list_restrict_domain/main.tf index 88e8ce7..ba956e5 100644 --- a/examples/list_restrict_domain/main.tf +++ b/examples/list_restrict_domain/main.tf @@ -31,6 +31,7 @@ data "google_organization" "org" { module "org-policy" { source = "../../" + policy_for = "organization" organization_id = var.organization_id constraint = "constraints/iam.allowedPolicyMemberDomains" policy_type = "list" diff --git a/main.tf b/main.tf index 8a06739..5dfe8fd 100644 --- a/main.tf +++ b/main.tf @@ -18,9 +18,9 @@ Locals configuration for module logic *****************************************/ locals { - organization = var.organization_id != null - folder = var.folder_id != null - project = var.project_id != null + organization = var.policy_for == "organization" + folder = var.policy_for == "folder" + project = var.policy_for == "project" boolean_policy = var.policy_type == "boolean" list_policy = var.policy_type == "list" && ! local.invalid_config enforce = var.allow_list_length > 0 || var.deny_list_length > 0 ? null : var.enforce 
diff --git a/test/integration/boolean_constraints/launch.sh b/test/integration/boolean_constraints/launch.sh index e57235f..aea2213 100644 --- a/test/integration/boolean_constraints/launch.sh +++ b/test/integration/boolean_constraints/launch.sh @@ -69,6 +69,7 @@ provider "google" { module "org-policy-boolean-project" { source = "../../../" + policy_for = "project" constraint = "$PROJECT_CONSTRAINT" project_id = "$PROJECT_ID" enforce = "true" @@ -78,6 +79,7 @@ module "org-policy-boolean-project" { module "org-policy-boolean-folder" { source = "../../../" + policy_for = "folder" constraint = "$FOLDER_CONSTRAINT" folder_id = "$FOLDER_1_ID" enforce = "true" @@ -89,6 +91,7 @@ module "org-policy-boolean-folder" { module "org-policy-boolean-org" { source = "../../../" + policy_for = "organization" constraint = "$ORG_CONSTRAINT_BOOL" organization_id = "$ORGANIZATION_ID" enforce = "true" diff --git a/test/integration/list_constraints/launch.sh b/test/integration/list_constraints/launch.sh index ad51085..dfa9dc7 100644 --- a/test/integration/list_constraints/launch.sh +++ b/test/integration/list_constraints/launch.sh @@ -77,6 +77,7 @@ provider "google" { module "org-policy-restrict-domain" { source = "../../../" + policy_for = "organization" organization_id = "$ORGANIZATION_ID" constraint = "$ORG_RESTRICT_DOMAIN_CONSTRAINT" policy_type = "list" @@ -87,6 +88,7 @@ module "org-policy-restrict-domain" { module "org-policy-list-project" { source = "../../../" + policy_for = "project" constraint = "$PROJECT_CONSTRAINT_DENY_ALL" project_id = "$PROJECT_ID" enforce = "true" @@ -96,6 +98,7 @@ module "org-policy-list-project" { module "org-policy-list-folder" { source = "../../../" + policy_for = "folder" constraint = "$FOLDER_CONSTRAINT_ALLOW_ALL" folder_id = "$FOLDER_1_ID" enforce = "false" 
@@ -105,6 +108,7 @@ module "org-policy-list-folder" { module "org-policy-list-org" { source = "../../../" + policy_for = "organization" constraint = "$ORG_CONSTRAINT" organization_id = "$ORGANIZATION_ID" policy_type = "list" @@ -120,6 +124,7 @@ module "org-policy-list-org" { module "org-policy-list-folder-2" { source = "../../../" + policy_for = "folder" constraint = "$FOLDER_2_CONSTRAINT" folder_id = "$FOLDER_2_ID" policy_type = "list" diff --git a/variables.tf b/variables.tf index 88485c9..8fbc2dc 100644 --- a/variables.tf +++ b/variables.tf @@ -14,6 +14,10 @@ * limitations under the License. */ +variable "policy_for" { + description = "Resource hierarchy node to apply the policy to: can be one of `organization`, `folder`, or `project`." + type = string +} variable "organization_id" { description = "The organization id for putting the policy" type = string From 4da80bf37f860fb2455a557888fe63acd954f5eb Mon Sep 17 00:00:00 2001 From: Aleksandr Averbukh Date: Fri, 11 Oct 2019 17:36:34 +0200 Subject: [PATCH 2/5] Delete trailing whitespaces --- CHANGELOG.md | 2 +- docs/upgrading_to_v3.0.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 89b07f1..5e8ac6f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,7 +12,7 @@ Please add new unreleased features here. v3.0.0 is a backwards-incompatible release. Please see the [upgrading guide](./docs/upgrading_to_v3.0.md). ### Changed -- **Breaking**: Fixed combining with folders/projects creation [#19] by adding `policy_for` input variable. +- **Breaking**: Fixed combining with folders/projects creation [#19] by adding `policy_for` input variable. ## [2.0.0] - 2019-07-25 diff --git a/docs/upgrading_to_v3.0.md b/docs/upgrading_to_v3.0.md index 47f85a6..1cbf961 100644 --- a/docs/upgrading_to_v3.0.md +++ b/docs/upgrading_to_v3.0.md 
@@ -5,7 +5,7 @@ release. ## Migration Instructions -In previous versions of this module the resource hirerarchy node was not defined explicitly which caused problems when the module is combined with project/folder creation. The `policy_for` variable was introdused to address that issue. +In previous versions of this module the resource hirerarchy node was not defined explicitly which caused problems when the module is combined with project/folder creation. The `policy_for` variable was introdused to address that issue. ### Update for project policies ```diff From b22cf7c772584c0c84170d1da5bfd7ad0c491c3e Mon Sep 17 00:00:00 2001 From: Aleksandr Averbukh Date: Fri, 11 Oct 2019 17:46:15 +0200 Subject: [PATCH 3/5] Update changelog links --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5e8ac6f..6e031e5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -24,8 +24,8 @@ v3.0.0 is a backwards-incompatible release. Please see the [upgrading guide](./d This is the initial release of the module, with full support for org policy management. -[Unreleased]: https://github.com/terraform-google-modules/terraform-google-org-policy/compare/v2.0.1...HEAD -[2.0.0]: https://github.com/terraform-google-modules/terraform-google-org-policy/compare/v2.0.0...v2.0.1 +[Unreleased]: https://github.com/terraform-google-modules/terraform-google-org-policy/compare/v3.0.0...HEAD +[3.0.0]: https://github.com/teHEADrraform-google-modules/terraform-google-org-policy/compare/v2.0.0...v3.0.0 [2.0.0]: https://github.com/terraform-google-modules/terraform-google-org-policy/compare/v1.0.0...v2.0.0 [1.0.0]: https://github.com/terraform-google-modules/terraform-google-org-policy/releases/tag/v1.0.0 From 9f3d6655036176f5eebca7f9fb11cfb0489b6402 Mon Sep 17 00:00:00 2001 
From: Aleksandr Averbukh Date: Sat, 12 Oct 2019 12:56:18 +0200 Subject: [PATCH 4/5] Fix typo s/introdused/introduced/ --- docs/upgrading_to_v3.0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/upgrading_to_v3.0.md b/docs/upgrading_to_v3.0.md index 1cbf961..80d8c22 100644 --- a/docs/upgrading_to_v3.0.md +++ b/docs/upgrading_to_v3.0.md @@ -5,7 +5,7 @@ release. ## Migration Instructions -In previous versions of this module the resource hirerarchy node was not defined explicitly which caused problems when the module is combined with project/folder creation. The `policy_for` variable was introdused to address that issue. +In previous versions of this module the resource hirerarchy node was not defined explicitly which caused problems when the module is combined with project/folder creation. The `policy_for` variable was introduced to address that issue. ### Update for project policies ```diff From 763bed2b54e30ada5d0c53a1148a1ff82b400a8b Mon Sep 17 00:00:00 2001 From: Aleksandr Averbukh Date: Thu, 17 Oct 2019 15:41:54 +0200 Subject: [PATCH 5/5] Fix typo (probably introduced during a rebase) --- CHANGELOG.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6e031e5..1c54d45 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,7 +12,7 @@ Please add new unreleased features here. v3.0.0 is a backwards-incompatible release. Please see the [upgrading guide](./docs/upgrading_to_v3.0.md). ### Changed -- **Breaking**: Fixed combining with folders/projects creation [#19] by adding `policy_for` input variable. +- **Breaking**: Fixed combining with folders/projects creation by adding `policy_for` input variable. [#19] ## [2.0.0] - 2019-07-25 
@@ -25,9 +25,10 @@ v3.0.0 is a backwards-incompatible release. Please see the [upgrading guide](./d This is the initial release of the module, with full support for org policy management. [Unreleased]: https://github.com/terraform-google-modules/terraform-google-org-policy/compare/v3.0.0...HEAD -[3.0.0]: https://github.com/teHEADrraform-google-modules/terraform-google-org-policy/compare/v2.0.0...v3.0.0 +[3.0.0]: https://github.com/terraform-google-modules/terraform-google-org-policy/compare/v2.0.0...v3.0.0 [2.0.0]: https://github.com/terraform-google-modules/terraform-google-org-policy/compare/v1.0.0...v2.0.0 [1.0.0]: https://github.com/terraform-google-modules/terraform-google-org-policy/releases/tag/v1.0.0 [#11]: https://github.com/terraform-google-modules/terraform-google-org-policy/pull/11 [#18]: https://github.com/terraform-google-modules/terraform-google-org-policy/pull/18 +[#19]: https://github.com/terraform-google-modules/terraform-google-org-policy/pull/19
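Review bot: the main.tf hunk in PATCH 1/5 (@@ -18,9 +18,9 @@) replaces the `!= null` tests with `organization = var.policy_for == "organization"` and friends, so a mistyped value such as "org" or "Project" makes all three locals false at once and the module silently creates no constraint, and `policy_for = "project"` with `project_id` left at its null default now passes the node selection and only fails at apply. Since the hunk already references `local.invalid_config`, fold a `contains(["organization", "folder", "project"], var.policy_for)` check and a "selected node's id is non-null" check into that local so a misconfiguration fails at plan time instead of leaving the policy unenforced.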
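Review bot: `variable "policy_for"` in the variables.tf hunk (@@ -14,6 +14,10 @@) is required and lists three allowed values in its description, but nothing enforces them; variable validation blocks were not available in the Terraform releases current when this patch was written (October 2019), so the enforcement has to live in the locals of main.tf, and the description should state that the value is case-sensitive. Also separate the closing `}` from `variable "organization_id" {` with a blank line for readability.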
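Review bot: the CHANGELOG.md hunk in PATCH 1/5 (@@ -6,13 +6,13 @@) drops the entry `- Migrated to Cloud Build. [#18]` rather than carrying it into the section renamed to 3.0.0, so the release notes lose that change and the `[#18]` link definition kept at the bottom of the file becomes an orphan. Keep it as a second bullet under `### Changed` in 3.0.0 (or under Unreleased if it was not part of the release).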
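Review bot: the build/lint.cloudbuild.yaml hunk (@@ -13,7 +13,7 @@) is unrelated to the `policy_for` change and belongs in its own commit; it also makes the step's image name depend on a second trigger substitution, `$_DOCKER_IMAGE_DEVELOPER_TOOLS`, which every trigger that runs this config must define or the build fails before linting starts. Both the image name and its tag now come from trigger-side substitutions that are not reviewed with the repository, so the commit message should say where they are defined, and pinning the developer-tools image by digest would remove the dependence on a mutable tag.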
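Review bot: in the PATCH 3/5 CHANGELOG.md hunk (@@ -24,8 +24,8 @@) the added line `[3.0.0]: https://github.com/teHEADrraform-google-modules/...` has the fragment `HEAD` pasted into the path, so the 3.0.0 link is broken in this commit; PATCH 5/5 repairs it, and the two should be squashed so no intermediate commit ships a bad link. Removing the old `[2.0.0]: .../compare/v2.0.0...v2.0.1` line is correct since it was mislabelled (it covered the 2.0.1 range).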
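Review bot: the PATCH 4/5 docs/upgrading_to_v3.0.md hunk (@@ -5,7 +5,7 @@) fixes `introdused` but leaves `hirerarchy` (should be `hierarchy`) in the same sentence, and the guide never says that `policy_for` has no default, so every existing caller must set it or Terraform will prompt for, or in non-interactive runs reject, the missing value. Fix the remaining typo in this commit and add that sentence under "Migration Instructions".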
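Review bot: the test/integration/boolean_constraints/launch.sh hunks (starting at @@ -69,6 +69,7 @@, and likewise the list_constraints ones) only add a matching `policy_for` to each existing module block, so no test exercises a mismatched pair such as `policy_for = "folder"` with `project_id` set, which is exactly the misconfiguration the new variable was introduced to make explicit. Add one negative case that expects the plan to fail.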
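Review bot: the README.md hunk (@@ -59,6 +59,7 @@) adds `policy_for` as a required input, but the `folder_id`, `organization_id` and `project_id` rows still read as three independent optional inputs; update their descriptions to say each one is required when `policy_for` selects that node, and regenerate the table if it is produced by terraform-docs.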