Merge pull request #1509 from GoogleCloudPlatform/jccb/constraints-ou…

…tput Add output to org module with custom constraint details and depends_on
GoogleCloudPlatform · Jul 18, 2023 · d16b616 · d16b616
2 parents aa1a796 + 74c50f9
commit d16b616
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 14 deletions.
diff --git a/modules/organization/README.md b/modules/organization/README.md
@@ -162,6 +162,8 @@ module "org" {
 # tftest modules=1 resources=2 inventory=custom-constraints.yaml
 ```
 
+You can use the `id` or `custom_constraint_ids` outputs to prevent race conditions between the creation of a custom constraint and an organization policy using that constraint. Both of these outputs depend on the actual constraint, which would make any resource referring to them to wait for the creation of the constraint.
+
 ### Organization Policy Custom Constraints Factory
 
 Org policy custom constraints can be loaded from a directory containing YAML files where each file defines one or more custom constraints. The structure of the YAML files is exactly the same as the `org_policy_custom_constraints` variable.
@@ -569,16 +571,17 @@ module "org" {
 
 | name | description | sensitive |
 |---|---|:---:|
-| [custom_role_id](outputs.tf#L17) | Map of custom role IDs created in the organization. |  |
-| [custom_roles](outputs.tf#L30) | Map of custom roles resources created in the organization. |  |
-| [firewall_policies](outputs.tf#L35) | Map of firewall policy resources created in the organization. |  |
-| [firewall_policy_id](outputs.tf#L40) | Map of firewall policy ids created in the organization. |  |
-| [id](outputs.tf#L45) | Fully qualified organization id. |  |
-| [network_tag_keys](outputs.tf#L61) | Tag key resources. |  |
-| [network_tag_values](outputs.tf#L70) | Tag value resources. |  |
-| [organization_id](outputs.tf#L80) | Organization id dependent on module resources. |  |
-| [sink_writer_identities](outputs.tf#L96) | Writer identities created for each sink. |  |
-| [tag_keys](outputs.tf#L104) | Tag key resources. |  |
-| [tag_values](outputs.tf#L113) | Tag value resources. |  |
+| [custom_constraint_ids](outputs.tf#L17) | Map of CUSTOM_CONSTRAINTS => ID in the organization. |  |
+| [custom_role_id](outputs.tf#L22) | Map of custom role IDs created in the organization. |  |
+| [custom_roles](outputs.tf#L35) | Map of custom roles resources created in the organization. |  |
+| [firewall_policies](outputs.tf#L40) | Map of firewall policy resources created in the organization. |  |
+| [firewall_policy_id](outputs.tf#L45) | Map of firewall policy ids created in the organization. |  |
+| [id](outputs.tf#L50) | Fully qualified organization id. |  |
+| [network_tag_keys](outputs.tf#L67) | Tag key resources. |  |
+| [network_tag_values](outputs.tf#L76) | Tag value resources. |  |
+| [organization_id](outputs.tf#L86) | Organization id dependent on module resources. |  |
+| [sink_writer_identities](outputs.tf#L103) | Writer identities created for each sink. |  |
+| [tag_keys](outputs.tf#L111) | Tag key resources. |  |
+| [tag_values](outputs.tf#L120) | Tag value resources. |  |
 
 <!-- END TFDOC -->
diff --git a/modules/organization/outputs.tf b/modules/organization/outputs.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -14,6 +14,11 @@
  * limitations under the License.
  */
 
+output "custom_constraint_ids" {
+  description = "Map of CUSTOM_CONSTRAINTS => ID in the organization."
+  value       = { for k, v in google_org_policy_custom_constraint.constraint : k => v.id }
+}
+
 output "custom_role_id" {
   description = "Map of custom role IDs created in the organization."
   value = {
@@ -46,11 +51,12 @@ output "id" {
   description = "Fully qualified organization id."
   value       = var.organization_id
   depends_on = [
+    google_org_policy_custom_constraint.constraint,
+    google_org_policy_policy.default,
     google_organization_iam_binding.authoritative,
     google_organization_iam_custom_role.roles,
     google_organization_iam_member.additive,
     google_organization_iam_policy.authoritative,
-    google_org_policy_policy.default,
     google_tags_tag_key.default,
     google_tags_tag_key_iam_binding.default,
     google_tags_tag_value.default,
@@ -81,11 +87,12 @@ output "organization_id" {
   description = "Organization id dependent on module resources."
   value       = var.organization_id
   depends_on = [
+    google_org_policy_custom_constraint.constraint,
+    google_org_policy_policy.default,
     google_organization_iam_binding.authoritative,
     google_organization_iam_custom_role.roles,
     google_organization_iam_member.additive,
     google_organization_iam_policy.authoritative,
-    google_org_policy_policy.default,
     google_tags_tag_key.default,
     google_tags_tag_key_iam_binding.default,
     google_tags_tag_value.default,