From dba733117559fa49d229114595b360037d6c1d15 Mon Sep 17 00:00:00 2001 From: Vincent Roseberry Date: Wed, 15 Nov 2017 14:11:59 -0800 Subject: [PATCH 1/4] Add new resource google_folder_organization_policy --- google/provider.go | 1 + ...ource_google_folder_organization_policy.go | 101 ++++++ ..._google_folder_organization_policy_test.go | 316 ++++++++++++++++++ google/resource_google_organization_policy.go | 199 +++++------ 4 files changed, 520 insertions(+), 97 deletions(-) create mode 100644 google/resource_google_folder_organization_policy.go create mode 100644 google/resource_google_folder_organization_policy_test.go diff --git a/google/provider.go b/google/provider.go index f9403f5a3ea..00037daa2d5 100644 --- a/google/provider.go +++ b/google/provider.go @@ -118,6 +118,7 @@ func Provider() terraform.ResourceProvider { "google_dns_record_set": resourceDnsRecordSet(), "google_folder": resourceGoogleFolder(), "google_folder_iam_policy": ResourceIamPolicy(IamFolderSchema, NewFolderIamUpdater), + "google_folder_organization_policy": resourceGoogleFolderOrganizationPolicy(), "google_logging_billing_account_sink": resourceLoggingBillingAccountSink(), "google_logging_folder_sink": resourceLoggingFolderSink(), "google_logging_project_sink": resourceLoggingProjectSink(), diff --git a/google/resource_google_folder_organization_policy.go b/google/resource_google_folder_organization_policy.go new file mode 100644 index 00000000000..500f017336f --- /dev/null +++ b/google/resource_google_folder_organization_policy.go 
@@ -0,0 +1,101 @@
+package google
+
+import (
+ "fmt"
+ "github.com/hashicorp/terraform/helper/schema"
+ "google.golang.org/api/cloudresourcemanager/v1"
+)
+
+func resourceGoogleFolderOrganizationPolicy() *schema.Resource {
+ return &schema.Resource{
+ Create: resourceGoogleFolderOrganizationPolicyCreate,
+ Read: resourceGoogleFolderOrganizationPolicyRead,
+ Update: resourceGoogleFolderOrganizationPolicyUpdate,
+ Delete: resourceGoogleFolderOrganizationPolicyDelete,
+
+ Schema: mergeSchemas(
+ schemaOrganizationPolicy,
+ map[string]*schema.Schema{
+ "folder": {
+ Type: schema.TypeString,
+ Required: true,
+ ForceNew: true,
+ },
+ },
+ ),
+ }
+}
+
+func resourceGoogleFolderOrganizationPolicyCreate(d *schema.ResourceData, meta interface{}) error {
+ if err := setFolderOrganizationPolicy(d, meta); err != nil {
+ return err
+ }
+
+ d.SetId(fmt.Sprintf("%s:%s", d.Get("folder"), d.Get("constraint")))
+
+ return resourceGoogleFolderOrganizationPolicyRead(d, meta)
+}
+
+func resourceGoogleFolderOrganizationPolicyRead(d *schema.ResourceData, meta interface{}) error {
+ config := meta.(*Config)
+ folder := d.Get("folder").(string)
+
+ policy, err := config.clientResourceManager.Folders.GetOrgPolicy(folder, &cloudresourcemanager.GetOrgPolicyRequest{
+ Constraint: canonicalOrgPolicyConstraint(d.Get("constraint").(string)),
+ }).Do()
+
+ if err != nil {
+ return handleNotFoundError(err, d, fmt.Sprintf("Organization policy for %s", folder))
+ }
+
+ d.Set("constraint", policy.Constraint)
+ d.Set("boolean_policy", flattenBooleanOrganizationPolicy(policy.BooleanPolicy))
+ d.Set("list_policy", flattenListOrganizationPolicy(policy.ListPolicy))
+ d.Set("version", policy.Version)
+ d.Set("etag", policy.Etag)
+ d.Set("update_time", policy.UpdateTime)
+
+ return nil
+}
+
+func resourceGoogleFolderOrganizationPolicyUpdate(d *schema.ResourceData, meta interface{}) error {
+ if err := setFolderOrganizationPolicy(d, meta); err != nil {
+ return err
+ }
+
+ return resourceGoogleFolderOrganizationPolicyRead(d, meta)
+}
+
+func resourceGoogleFolderOrganizationPolicyDelete(d *schema.ResourceData, meta interface{}) error {
+ config := meta.(*Config)
+
+ _, err := config.clientResourceManager.Folders.ClearOrgPolicy(d.Get("folder").(string), &cloudresourcemanager.ClearOrgPolicyRequest{
+ Constraint: canonicalOrgPolicyConstraint(d.Get("constraint").(string)),
+ }).Do()
+
+ if err != nil {
+ return err
+ }
+
+ return nil
+}
+
+func setFolderOrganizationPolicy(d *schema.ResourceData, meta interface{}) error {
+ config := meta.(*Config)
+ listPolicy, err := expandListOrganizationPolicy(d.Get("list_policy").([]interface{}))
+ if err != nil {
+ return err
+ }
+
+ _, err = config.clientResourceManager.Folders.SetOrgPolicy(d.Get("folder").(string), &cloudresourcemanager.SetOrgPolicyRequest{
+ Policy: &cloudresourcemanager.OrgPolicy{
+ Constraint: canonicalOrgPolicyConstraint(d.Get("constraint").(string)),
+ BooleanPolicy: expandBooleanOrganizationPolicy(d.Get("boolean_policy").([]interface{})),
+ ListPolicy: listPolicy,
+ Version: int64(d.Get("version").(int)),
+ Etag: d.Get("etag").(string),
+ },
+ }).Do()
+
+ return err
+}
diff --git a/google/resource_google_folder_organization_policy_test.go b/google/resource_google_folder_organization_policy_test.go
new file mode 100644
index 00000000000..345222eaf48
--- /dev/null
+++ b/google/resource_google_folder_organization_policy_test.go
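Review bot: The six `d.Set` calls in resourceGoogleFolderOrganizationPolicyRead discard their return values, so a failure to store the flattened `boolean_policy` or `list_policy` would leave state silently out of step with the folder's real policy. For a resource that manages a guardrail, that hides drift from the next plan. Check at least the two nested ones, e.g. `if err := d.Set("list_policy", flattenListOrganizationPolicy(policy.ListPolicy)); err != nil { return fmt.Errorf("Error setting list_policy: %s", err) }`. Separately, setFolderOrganizationPolicy sends `Etag: d.Get("etag").(string)`, which is empty on create; as far as I know the API treats an empty etag as an unconditional write, so a comment stating that an existing folder policy is overwritten would help the next reader.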
@@ -0,0 +1,316 @@ +package google + +import ( + "fmt" + "github.com/hashicorp/terraform/helper/acctest" + "github.com/hashicorp/terraform/helper/resource" + "github.com/hashicorp/terraform/terraform" + "google.golang.org/api/cloudresourcemanager/v1" + "reflect" + "testing" +) + +func TestAccGoogleFolderOrganizationPolicy_boolean(t *testing.T) { + t.Parallel() + + skipIfEnvNotSet(t, "GOOGLE_ORG") + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckGoogleFolderOrganizationPolicyDestroy, + Steps: []resource.TestStep{ + { + // Test creation of an enforced boolean policy + Config: testAccGoogleFolderOrganizationPolicy_boolean(org, true), + Check: testAccCheckGoogleFolderOrganizationBooleanPolicy("bool", true), + }, + { + // Test update from enforced to not + Config: testAccGoogleFolderOrganizationPolicy_boolean(org, false), + Check: testAccCheckGoogleFolderOrganizationBooleanPolicy("bool", false), + }, + { + Config: " ", + Destroy: true, + }, + { + // Test creation of a not enforced boolean policy + Config: testAccGoogleFolderOrganizationPolicy_boolean(org, false), + Check: testAccCheckGoogleFolderOrganizationBooleanPolicy("bool", false), + }, + { + // Test update from not enforced to enforced + Config: testAccGoogleFolderOrganizationPolicy_boolean(org, true), + Check: testAccCheckGoogleFolderOrganizationBooleanPolicy("bool", true), + }, + }, + }) +} + +func TestAccGoogleFolderOrganizationPolicy_list_allowAll(t *testing.T) { + t.Parallel() + + skipIfEnvNotSet(t, "GOOGLE_ORG") + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckGoogleFolderOrganizationPolicyDestroy, + Steps: []resource.TestStep{ + { + Config: testAccGoogleFolderOrganizationPolicy_list_allowAll(org), + Check: testAccCheckGoogleFolderOrganizationListPolicyAll("list", "ALLOW"), + }, + }, + }) +} + +func 
TestAccGoogleFolderOrganizationPolicy_list_allowSome(t *testing.T) { + t.Parallel() + + skipIfEnvNotSet(t, "GOOGLE_ORG") + project := getTestProjectFromEnv() + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckGoogleFolderOrganizationPolicyDestroy, + Steps: []resource.TestStep{ + { + Config: testAccGoogleFolderOrganizationPolicy_list_allowSome(org, project), + Check: testAccCheckGoogleFolderOrganizationListPolicyAllowedValues("list", []string{project}), + }, + }, + }) +} + +func TestAccGoogleFolderOrganizationPolicy_list_denySome(t *testing.T) { + t.Parallel() + + skipIfEnvNotSet(t, "GOOGLE_ORG") + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckGoogleFolderOrganizationPolicyDestroy, + Steps: []resource.TestStep{ + { + Config: testAccGoogleFolderOrganizationPolicy_list_denySome(org), + Check: testAccCheckGoogleFolderOrganizationListPolicyDeniedValues("list", DENIED_ORG_POLICIES), + }, + }, + }) +} + +func TestAccGoogleFolderOrganizationPolicy_list_update(t *testing.T) { + t.Parallel() + + skipIfEnvNotSet(t, "GOOGLE_ORG") + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckGoogleFolderOrganizationPolicyDestroy, + Steps: []resource.TestStep{ + { + Config: testAccGoogleFolderOrganizationPolicy_list_allowAll(org), + Check: testAccCheckGoogleFolderOrganizationListPolicyAll("list", "ALLOW"), + }, + { + Config: testAccGoogleFolderOrganizationPolicy_list_denySome(org), + Check: testAccCheckGoogleFolderOrganizationListPolicyDeniedValues("list", DENIED_ORG_POLICIES), + }, + }, + }) +} + +func testAccCheckGoogleFolderOrganizationPolicyDestroy(s *terraform.State) error { + config := testAccProvider.Meta().(*Config) + + for _, rs := range s.RootModule().Resources { + if rs.Type != 
"google_folder_organization_policy" { + continue + } + + folder := rs.Primary.Attributes["folder"] + constraint := canonicalOrgPolicyConstraint(rs.Primary.Attributes["constraint"]) + policy, err := config.clientResourceManager.Folders.GetOrgPolicy(folder, &cloudresourcemanager.GetOrgPolicyRequest{ + Constraint: constraint, + }).Do() + + if err != nil { + return err + } + + if policy.ListPolicy != nil || policy.BooleanPolicy != nil { + return fmt.Errorf("Org policy with constraint '%s' hasn't been cleared", constraint) + } + } + return nil +} + +func testAccCheckGoogleFolderOrganizationBooleanPolicy(n string, enforced bool) resource.TestCheckFunc { + return func(s *terraform.State) error { + policy, err := getGoogleFolderOrganizationPolicyTestResource(s, n) + if err != nil { + return err + } + + if policy.BooleanPolicy.Enforced != enforced { + return fmt.Errorf("Expected boolean policy enforcement to be '%t', got '%t'", enforced, policy.BooleanPolicy.Enforced) + } + + return nil + } +} + +func testAccCheckGoogleFolderOrganizationListPolicyAll(n, policyType string) resource.TestCheckFunc { + return func(s *terraform.State) error { + policy, err := getGoogleFolderOrganizationPolicyTestResource(s, n) + if err != nil { + return err + } + + if len(policy.ListPolicy.AllowedValues) > 0 || len(policy.ListPolicy.DeniedValues) > 0 { + return fmt.Errorf("The `values` field shouldn't be set") + } + + if policy.ListPolicy.AllValues != policyType { + return fmt.Errorf("Expected the list policy to '%s' all values, got '%s'", policyType, policy.ListPolicy.AllValues) + } + + return nil + } +} + +func testAccCheckGoogleFolderOrganizationListPolicyAllowedValues(n string, values []string) resource.TestCheckFunc { + return func(s *terraform.State) error { + policy, err := getGoogleFolderOrganizationPolicyTestResource(s, n) + if err != nil { + return err + } + + if !reflect.DeepEqual(policy.ListPolicy.AllowedValues, values) { + return fmt.Errorf("Expected the list policy to allow '%s', 
instead allowed '%s'", values, policy.ListPolicy.AllowedValues) + } + + return nil + } +} + +func testAccCheckGoogleFolderOrganizationListPolicyDeniedValues(n string, values []string) resource.TestCheckFunc { + return func(s *terraform.State) error { + policy, err := getGoogleFolderOrganizationPolicyTestResource(s, n) + if err != nil { + return err + } + + if !reflect.DeepEqual(policy.ListPolicy.DeniedValues, values) { + return fmt.Errorf("Expected the list policy to deny '%s', instead denied '%s'", values, policy.ListPolicy.DeniedValues) + } + + return nil + } +} + +func getGoogleFolderOrganizationPolicyTestResource(s *terraform.State, n string) (*cloudresourcemanager.OrgPolicy, error) { + rn := "google_folder_organization_policy." + n + rs, ok := s.RootModule().Resources[rn] + if !ok { + return nil, fmt.Errorf("Not found: %s", rn) + } + + if rs.Primary.ID == "" { + return nil, fmt.Errorf("No ID is set") + } + + config := testAccProvider.Meta().(*Config) + + return config.clientResourceManager.Folders.GetOrgPolicy(rs.Primary.Attributes["folder"], &cloudresourcemanager.GetOrgPolicyRequest{ + Constraint: rs.Primary.Attributes["constraint"], + }).Do() +} + +func testAccGoogleFolderOrganizationPolicy_boolean(org string, enforced bool) string { + return fmt.Sprintf(` +resource "google_folder" "orgpolicy" { + display_name = "%s" + parent = "%s" +} + +resource "google_folder_organization_policy" "bool" { + folder = "${google_folder.orgpolicy.name}" + constraint = "constraints/compute.disableSerialPortAccess" + + boolean_policy { + enforced = %t + } +} +`, acctest.RandomWithPrefix("tf-test"), "organizations/"+org, enforced) +} + +func testAccGoogleFolderOrganizationPolicy_list_allowAll(org string) string { + return fmt.Sprintf(` +resource "google_folder" "orgpolicy" { + display_name = "%s" + parent = "%s" +} + +resource "google_folder_organization_policy" "list" { + folder = "${google_folder.orgpolicy.name}" + constraint = "constraints/serviceuser.services" + + 
list_policy { + allow { + all = true + } + } +} +`, acctest.RandomWithPrefix("tf-test"), "organizations/"+org) +} + +func testAccGoogleFolderOrganizationPolicy_list_allowSome(org, project string) string { + return fmt.Sprintf(` +resource "google_folder" "orgpolicy" { + display_name = "%s" + parent = "%s" +} + +resource "google_folder_organization_policy" "list" { + folder = "${google_folder.orgpolicy.name}" + constraint = "constraints/compute.trustedImageProjects" + + list_policy { + allow { + values = [ + "%s", + ] + } + } +} +`, acctest.RandomWithPrefix("tf-test"), "organizations/"+org, project) +} + +func testAccGoogleFolderOrganizationPolicy_list_denySome(org string) string { + return fmt.Sprintf(` +resource "google_folder" "orgpolicy" { + display_name = "%s" + parent = "%s" +} + +resource "google_folder_organization_policy" "list" { + folder = "${google_folder.orgpolicy.name}" + constraint = "serviceuser.services" + + list_policy { + deny { + values = [ + "maps-ios-backend.googleapis.com", + "placesios.googleapis.com", + ] + } + } +} +`, acctest.RandomWithPrefix("tf-test"), "organizations/"+org) +} diff --git a/google/resource_google_organization_policy.go b/google/resource_google_organization_policy.go index f046203eebc..fdb34f659fe 100644 --- a/google/resource_google_organization_policy.go +++ b/google/resource_google_organization_policy.go 
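Review bot: The check helpers dereference `policy.BooleanPolicy.Enforced` and `policy.ListPolicy.AllValues` / `AllowedValues` / `DeniedValues` without a nil check, although testAccCheckGoogleFolderOrganizationPolicyDestroy in the same file treats a nil `BooleanPolicy` and `ListPolicy` as the cleared state. If the API returns a policy without that branch set, the acceptance test panics instead of reporting a failure; add a guard such as `if policy.BooleanPolicy == nil { return fmt.Errorf("Boolean policy is not set") }` to each helper. Also, getGoogleFolderOrganizationPolicyTestResource passes `rs.Primary.Attributes["constraint"]` to GetOrgPolicy unchanged while the destroy check wraps it in `canonicalOrgPolicyConstraint`; using the helper in both places would keep the two lookups consistent.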
@@ -7,6 +7,100 @@ import ( "strings" ) +var schemaOrganizationPolicy = map[string]*schema.Schema{ + "constraint": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + DiffSuppressFunc: linkDiffSuppress, + }, + "boolean_policy": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + ConflictsWith: []string{"list_policy"}, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "enforced": { + Type: schema.TypeBool, + Required: true, + }, + }, + }, + }, + "list_policy": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + ConflictsWith: []string{"boolean_policy"}, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "allow": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + ConflictsWith: []string{"list_policy.0.deny"}, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "all": { + Type: schema.TypeBool, + Optional: true, + Default: false, + ConflictsWith: []string{"list_policy.0.allow.0.values"}, + }, + "values": { + Type: schema.TypeSet, + Optional: true, + Elem: &schema.Schema{Type: schema.TypeString}, + Set: schema.HashString, + }, + }, + }, + }, + "deny": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "all": { + Type: schema.TypeBool, + Optional: true, + Default: false, + ConflictsWith: []string{"list_policy.0.deny.0.values"}, + }, + "values": { + Type: schema.TypeSet, + Optional: true, + Elem: &schema.Schema{Type: schema.TypeString}, + Set: schema.HashString, + }, + }, + }, + }, + "suggested_value": { + Type: schema.TypeString, + Optional: true, + Computed: true, + }, + }, + }, + }, + "version": { + Type: schema.TypeInt, + Optional: true, + Computed: true, + }, + "etag": { + Type: schema.TypeString, + Computed: true, + }, + "update_time": { + Type: schema.TypeString, + Computed: true, + }, +} + func resourceGoogleOrganizationPolicy() *schema.Resource { return &schema.Resource{ Create: 
resourceGoogleOrganizationPolicyCreate, 
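Review bot: `schemaOrganizationPolicy` is introduced without a comment, and it is now a package-level map shared by the organization and folder resources. mergeSchemas is not visible in this patch; if it copies only the top-level entries, both resources hold the same `*schema.Schema` pointers, so a later in-place change to one resource's field would also change the other. A comment such as `// schemaOrganizationPolicy holds the fields common to every *_organization_policy resource; treat it as read-only and add the parent identifier via mergeSchemas.` would record that contract. The second hunk of this file (`@@ -18,104 +112,15 @@`) relies on the same assumption.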
@@ -18,104 +112,15 @@ func resourceGoogleOrganizationPolicy() *schema.Resource { State: resourceGoogleOrganizationPolicyImportState, }, - Schema: map[string]*schema.Schema{ - "org_id": { - Type: schema.TypeString, - Required: true, - ForceNew: true, - }, - "constraint": { - Type: schema.TypeString, - Required: true, - ForceNew: true, - DiffSuppressFunc: linkDiffSuppress, - }, - "boolean_policy": { - Type: schema.TypeList, - Optional: true, - MaxItems: 1, - ConflictsWith: []string{"list_policy"}, - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "enforced": { - Type: schema.TypeBool, - Required: true, - }, - }, + Schema: mergeSchemas( + schemaOrganizationPolicy, + map[string]*schema.Schema{ + "org_id": { + Type: schema.TypeString, + Required: true, + ForceNew: true, }, - }, - "list_policy": { - Type: schema.TypeList, - Optional: true, - MaxItems: 1, - ConflictsWith: []string{"boolean_policy"}, - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "allow": { - Type: schema.TypeList, - Optional: true, - MaxItems: 1, - ConflictsWith: []string{"list_policy.0.deny"}, - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "all": { - Type: schema.TypeBool, - Optional: true, - Default: false, - ConflictsWith: []string{"list_policy.0.allow.0.values"}, - }, - "values": { - Type: schema.TypeSet, - Optional: true, - Elem: &schema.Schema{Type: schema.TypeString}, - Set: schema.HashString, - }, - }, - }, - }, - "deny": { - Type: schema.TypeList, - Optional: true, - MaxItems: 1, - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "all": { - Type: schema.TypeBool, - Optional: true, - Default: false, - ConflictsWith: []string{"list_policy.0.deny.0.values"}, - }, - "values": { - Type: schema.TypeSet, - Optional: true, - Elem: &schema.Schema{Type: schema.TypeString}, - Set: schema.HashString, - }, - }, - }, - }, - "suggested_value": { - Type: schema.TypeString, - Optional: true, - Computed: true, - }, - }, - }, - }, - "version": { - 
Type: schema.TypeInt, - Optional: true, - Computed: true, - }, - "etag": { - Type: schema.TypeString, - Computed: true, - }, - "update_time": { - Type: schema.TypeString, - Computed: true, - }, - }, + }), } } From 1bc566bba1a3bb364700209a1a9ebb64778a94df Mon Sep 17 00:00:00 2001 From: Vincent Roseberry Date: Wed, 15 Nov 2017 15:46:22 -0800 Subject: [PATCH 2/4] Add documentation --- ...e_folder_organization_policy.html.markdown | 106 ++++++++++++++++++ website/google.erb | 3 + 2 files changed, 109 insertions(+) create mode 100644 website/docs/r/google_folder_organization_policy.html.markdown diff --git a/website/docs/r/google_folder_organization_policy.html.markdown b/website/docs/r/google_folder_organization_policy.html.markdown new file mode 100644 index 00000000000..be350e86f87 --- /dev/null +++ b/website/docs/r/google_folder_organization_policy.html.markdown 
@@ -0,0 +1,106 @@ +--- +layout: "google" +page_title: "Google: google_folder_organization_policy" +sidebar_current: "docs-google-folder-organization-policy" +description: |- + Allows management of Organization policies for a Google Folder. +--- + +# google\_folder\_organization\_policy + +Allows management of Organization policies for a Google Folder. For more information see +[the official +documentation](https://cloud.google.com/resource-manager/docs/organization-policy/overview) and +[API](https://cloud.google.com/resource-manager/reference/rest/v1/folders/setOrgPolicy). + +## Example Usage + +To set policy with a [boolean constraint](https://cloud.google.com/resource-manager/docs/organization-policy/quickstart-boolean-constraints): + +```hcl +resource "google_folder_organization_policy" "serial_port_policy" { + org_id = "123456789" + constraint = "compute.disableSerialPortAccess" + + boolean_policy { + enforced = true + } +} +``` + + +To set a policy with a [list contraint](https://cloud.google.com/resource-manager/docs/organization-policy/quickstart-list-constraints): + +```hcl +resource "google_folder_organization_policy" "services_policy" { + org_id = "123456789" + constraint = "serviceuser.services" + + list_policy { + allow { + all = true + } + } +} +``` + + +Or to deny some services, use the following instead: + +```hcl +resource "google_folder_organization_policy" "services_policy" { + org_id = "123456789" + constraint = "serviceuser.services" + + list_policy { + suggested_values = "compute.googleapis.com" + + deny { + values = ["cloudresourcemanager.googleapis.com"] + } + } +} +``` + +## Argument Reference + +The following arguments are supported: + +* `folder` - (Required) The numeric ID of the organization to set the policy for. + +* `constraint` - (Required) The name of the Constraint the Policy is configuring, for example, `serviceuser.services`. 
Check out the [complete list of available constraints](https://cloud.google.com/resource-manager/docs/organization-policy/understanding-constraints#available_constraints). + +- - - + +* `version` - (Optional) Version of the Policy. Default version is 0. + +* `boolean_policy` - (Optional) A boolean policy is a constraint that is either enforced or not. Structure is documented below. + +* `list_policy` - (Optional) A policy that can define specific values that are allowed or denied for the given constraint. It can also be used to allow or deny all values. Structure is documented below. + +- - - + +The `boolean_policy` block supports: + +* `enforced` - (Required) If true, then the Policy is enforced. If false, then any configuration is acceptable. + +The `list_policy` block supports: + +* `allow` or `deny` - (Optional) One or the other must be set. + +* `suggested_values` - (Optional) The Google Cloud Console will try to default to a configuration that matches the value specified in this field. + +The `allow` or `deny` blocks support: + +* `all` - (Optional) The policy allows or denies all values. + +* `values` - (Optional) The policy can define specific values that are allowed or denied. + +## Attributes Reference + +In addition to the arguments listed above, the following computed attributes are +exported: + +* `etag` - (Computed) The etag of the organization policy. `etag` is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. + +* `update_time` - (Computed) The timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds, representing when the variable was last updated. Example: "2016-10-09T12:33:37.578138407Z". \ No newline at end of file diff --git a/website/google.erb b/website/google.erb index efce47b12a5..62d55b47504 100644 --- a/website/google.erb +++ b/website/google.erb @@ -86,6 +86,9 @@ > google_folder_iam_policy + > + google_organization_iam_policy + > google_kms_key_ring 
From ff7d965fde5843542d591753e5cd52267ee6c83f Mon Sep 17 00:00:00 2001 From: Vincent Roseberry Date: Tue, 21 Nov 2017 13:17:28 -0800 Subject: [PATCH 3/4] Use new way of getting org id in test --- ...urce_google_folder_organization_policy_test.go | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/google/resource_google_folder_organization_policy_test.go b/google/resource_google_folder_organization_policy_test.go index 345222eaf48..771c98eaf96 100644 --- a/google/resource_google_folder_organization_policy_test.go +++ b/google/resource_google_folder_organization_policy_test.go @@ -13,8 +13,7 @@ import ( func TestAccGoogleFolderOrganizationPolicy_boolean(t *testing.T) { t.Parallel() - skipIfEnvNotSet(t, "GOOGLE_ORG") - + org := getTestOrgFromEnv(t) resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, Providers: testAccProviders, @@ -51,8 +50,7 @@ func TestAccGoogleFolderOrganizationPolicy_boolean(t *testing.T) { func TestAccGoogleFolderOrganizationPolicy_list_allowAll(t *testing.T) { t.Parallel() - skipIfEnvNotSet(t, "GOOGLE_ORG") - + org := getTestOrgFromEnv(t) resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, Providers: testAccProviders, @@ -69,9 +67,8 @@ func TestAccGoogleFolderOrganizationPolicy_list_allowAll(t *testing.T) { func TestAccGoogleFolderOrganizationPolicy_list_allowSome(t *testing.T) { t.Parallel() - skipIfEnvNotSet(t, "GOOGLE_ORG") + org := getTestOrgFromEnv(t) project := getTestProjectFromEnv() - resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, Providers: testAccProviders, @@ -88,8 +85,7 @@ func TestAccGoogleFolderOrganizationPolicy_list_allowSome(t *testing.T) { func TestAccGoogleFolderOrganizationPolicy_list_denySome(t *testing.T) { t.Parallel() - skipIfEnvNotSet(t, "GOOGLE_ORG") - + org := getTestOrgFromEnv(t) resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, Providers: testAccProviders, 
@@ -106,8 +102,7 @@ func TestAccGoogleFolderOrganizationPolicy_list_denySome(t *testing.T) { func TestAccGoogleFolderOrganizationPolicy_list_update(t *testing.T) { t.Parallel() - skipIfEnvNotSet(t, "GOOGLE_ORG") - + org := getTestOrgFromEnv(t) resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, Providers: testAccProviders, From e2c5e67e518880358f353e0a72187f19c4fb310e Mon Sep 17 00:00:00 2001 From: Vincent Roseberry Date: Mon, 27 Nov 2017 14:00:35 -0800 Subject: [PATCH 4/4] Improve tests --- ..._google_folder_organization_policy_test.go | 105 +++++++++--------- 1 file changed, 55 insertions(+), 50 deletions(-) diff --git a/google/resource_google_folder_organization_policy_test.go b/google/resource_google_folder_organization_policy_test.go index 771c98eaf96..b14c34ac83c 100644 --- a/google/resource_google_folder_organization_policy_test.go +++ b/google/resource_google_folder_organization_policy_test.go @@ -13,6 +13,8 @@ import ( func TestAccGoogleFolderOrganizationPolicy_boolean(t *testing.T) { t.Parallel() + folder := acctest.RandomWithPrefix("tf-test") + org := getTestOrgFromEnv(t) resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, @@ -21,12 +23,12 @@ func TestAccGoogleFolderOrganizationPolicy_boolean(t *testing.T) { Steps: []resource.TestStep{ { // Test creation of an enforced boolean policy - Config: testAccGoogleFolderOrganizationPolicy_boolean(org, true), + Config: testAccGoogleFolderOrganizationPolicy_boolean(org, folder, true), Check: testAccCheckGoogleFolderOrganizationBooleanPolicy("bool", true), }, { // Test update from enforced to not - Config: testAccGoogleFolderOrganizationPolicy_boolean(org, false), + Config: testAccGoogleFolderOrganizationPolicy_boolean(org, folder, false), Check: testAccCheckGoogleFolderOrganizationBooleanPolicy("bool", false), }, { 
@@ -35,12 +37,12 @@ func TestAccGoogleFolderOrganizationPolicy_boolean(t *testing.T) { }, { // Test creation of a not enforced boolean policy - Config: testAccGoogleFolderOrganizationPolicy_boolean(org, false), + Config: testAccGoogleFolderOrganizationPolicy_boolean(org, folder, false), Check: testAccCheckGoogleFolderOrganizationBooleanPolicy("bool", false), }, { // Test update from not enforced to enforced - Config: testAccGoogleFolderOrganizationPolicy_boolean(org, true), + Config: testAccGoogleFolderOrganizationPolicy_boolean(org, folder, true), Check: testAccCheckGoogleFolderOrganizationBooleanPolicy("bool", true), }, }, @@ -50,6 +52,8 @@ func TestAccGoogleFolderOrganizationPolicy_boolean(t *testing.T) { func TestAccGoogleFolderOrganizationPolicy_list_allowAll(t *testing.T) { t.Parallel() + folder := acctest.RandomWithPrefix("tf-test") + org := getTestOrgFromEnv(t) resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, @@ -57,7 +61,7 @@ func TestAccGoogleFolderOrganizationPolicy_list_allowAll(t *testing.T) { CheckDestroy: testAccCheckGoogleFolderOrganizationPolicyDestroy, Steps: []resource.TestStep{ { - Config: testAccGoogleFolderOrganizationPolicy_list_allowAll(org), + Config: testAccGoogleFolderOrganizationPolicy_list_allowAll(org, folder), Check: testAccCheckGoogleFolderOrganizationListPolicyAll("list", "ALLOW"), }, }, @@ -67,6 +71,7 @@ func TestAccGoogleFolderOrganizationPolicy_list_allowAll(t *testing.T) { func TestAccGoogleFolderOrganizationPolicy_list_allowSome(t *testing.T) { t.Parallel() + folder := acctest.RandomWithPrefix("tf-test") org := getTestOrgFromEnv(t) project := getTestProjectFromEnv() resource.Test(t, resource.TestCase{ 
@@ -75,7 +80,7 @@ func TestAccGoogleFolderOrganizationPolicy_list_allowSome(t *testing.T) { CheckDestroy: testAccCheckGoogleFolderOrganizationPolicyDestroy, Steps: []resource.TestStep{ { - Config: testAccGoogleFolderOrganizationPolicy_list_allowSome(org, project), + Config: testAccGoogleFolderOrganizationPolicy_list_allowSome(org, folder, project), Check: testAccCheckGoogleFolderOrganizationListPolicyAllowedValues("list", []string{project}), }, }, @@ -85,6 +90,7 @@ func TestAccGoogleFolderOrganizationPolicy_list_allowSome(t *testing.T) { func TestAccGoogleFolderOrganizationPolicy_list_denySome(t *testing.T) { t.Parallel() + folder := acctest.RandomWithPrefix("tf-test") org := getTestOrgFromEnv(t) resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, @@ -92,7 +98,7 @@ func TestAccGoogleFolderOrganizationPolicy_list_denySome(t *testing.T) { CheckDestroy: testAccCheckGoogleFolderOrganizationPolicyDestroy, Steps: []resource.TestStep{ { - Config: testAccGoogleFolderOrganizationPolicy_list_denySome(org), + Config: testAccGoogleFolderOrganizationPolicy_list_denySome(org, folder), Check: testAccCheckGoogleFolderOrganizationListPolicyDeniedValues("list", DENIED_ORG_POLICIES), }, }, @@ -102,6 +108,7 @@ func TestAccGoogleFolderOrganizationPolicy_list_denySome(t *testing.T) { func TestAccGoogleFolderOrganizationPolicy_list_update(t *testing.T) { t.Parallel() + folder := acctest.RandomWithPrefix("tf-test") org := getTestOrgFromEnv(t) resource.Test(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, 
@@ -109,11 +116,11 @@ func TestAccGoogleFolderOrganizationPolicy_list_update(t *testing.T) { CheckDestroy: testAccCheckGoogleFolderOrganizationPolicyDestroy, Steps: []resource.TestStep{ { - Config: testAccGoogleFolderOrganizationPolicy_list_allowAll(org), + Config: testAccGoogleFolderOrganizationPolicy_list_allowAll(org, folder), Check: testAccCheckGoogleFolderOrganizationListPolicyAll("list", "ALLOW"), }, { - Config: testAccGoogleFolderOrganizationPolicy_list_denySome(org), + Config: testAccGoogleFolderOrganizationPolicy_list_denySome(org, folder), Check: testAccCheckGoogleFolderOrganizationListPolicyDeniedValues("list", DENIED_ORG_POLICIES), }, }, @@ -172,7 +179,7 @@ func testAccCheckGoogleFolderOrganizationListPolicyAll(n, policyType string) res } if policy.ListPolicy.AllValues != policyType { - return fmt.Errorf("Expected the list policy to '%s' all values, got '%s'", policyType, policy.ListPolicy.AllValues) + return fmt.Errorf("The list policy should %s all values", policyType) } return nil @@ -227,7 +234,7 @@ func getGoogleFolderOrganizationPolicyTestResource(s *terraform.State, n string) }).Do() } -func testAccGoogleFolderOrganizationPolicy_boolean(org string, enforced bool) string { +func testAccGoogleFolderOrganizationPolicy_boolean(org, folder string, enforced bool) string { return fmt.Sprintf(` resource "google_folder" "orgpolicy" { display_name = "%s" 
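Review bot: In the `@@ -172,7 +179,7 @@` hunk the new message `"The list policy should %s all values"` no longer reports `policy.ListPolicy.AllValues`, so a failing run does not show what the API actually returned. Keep the observed value in the message, e.g. `return fmt.Errorf("The list policy should %s all values, got %q", policyType, policy.ListPolicy.AllValues)`. The enclosing check function starts outside the hunk.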
@@ -235,17 +242,17 @@ resource "google_folder" "orgpolicy" { } resource "google_folder_organization_policy" "bool" { - folder = "${google_folder.orgpolicy.name}" - constraint = "constraints/compute.disableSerialPortAccess" + folder = "${google_folder.orgpolicy.name}" + constraint = "constraints/compute.disableSerialPortAccess" - boolean_policy { - enforced = %t - } + boolean_policy { + enforced = %t + } } -`, acctest.RandomWithPrefix("tf-test"), "organizations/"+org, enforced) +`, folder, "organizations/"+org, enforced) } -func testAccGoogleFolderOrganizationPolicy_list_allowAll(org string) string { +func testAccGoogleFolderOrganizationPolicy_list_allowAll(org, folder string) string { return fmt.Sprintf(` resource "google_folder" "orgpolicy" { display_name = "%s" @@ -253,19 +260,19 @@ resource "google_folder" "orgpolicy" { } resource "google_folder_organization_policy" "list" { - folder = "${google_folder.orgpolicy.name}" - constraint = "constraints/serviceuser.services" + folder = "${google_folder.orgpolicy.name}" + constraint = "constraints/serviceuser.services" - list_policy { - allow { - all = true - } - } + list_policy { + allow { + all = true + } + } } -`, acctest.RandomWithPrefix("tf-test"), "organizations/"+org) +`, folder, "organizations/"+org) } -func testAccGoogleFolderOrganizationPolicy_list_allowSome(org, project string) string { +func testAccGoogleFolderOrganizationPolicy_list_allowSome(org, folder, project string) string { return fmt.Sprintf(` resource "google_folder" "orgpolicy" { display_name = "%s" 
@@ -273,21 +280,19 @@ resource "google_folder" "orgpolicy" { } resource "google_folder_organization_policy" "list" { - folder = "${google_folder.orgpolicy.name}" - constraint = "constraints/compute.trustedImageProjects" - - list_policy { - allow { - values = [ - "%s", - ] - } + folder = "${google_folder.orgpolicy.name}" + constraint = "constraints/compute.trustedImageProjects" + + list_policy { + allow { + values = ["%s"] + } } } -`, acctest.RandomWithPrefix("tf-test"), "organizations/"+org, project) +`, folder, "organizations/"+org, project) } -func testAccGoogleFolderOrganizationPolicy_list_denySome(org string) string { +func testAccGoogleFolderOrganizationPolicy_list_denySome(org, folder string) string { return fmt.Sprintf(` resource "google_folder" "orgpolicy" { display_name = "%s" @@ -295,17 +300,17 @@ resource "google_folder" "orgpolicy" { } resource "google_folder_organization_policy" "list" { - folder = "${google_folder.orgpolicy.name}" - constraint = "serviceuser.services" - - list_policy { - deny { - values = [ - "maps-ios-backend.googleapis.com", - "placesios.googleapis.com", - ] - } - } + folder = "${google_folder.orgpolicy.name}" + constraint = "serviceuser.services" + + list_policy { + deny { + values = [ + "maps-ios-backend.googleapis.com", + "placesios.googleapis.com", + ] + } + } } -`, acctest.RandomWithPrefix("tf-test"), "organizations/"+org) +`, folder, "organizations/"+org) }