feat(TPG>=6.14)!: add parameter field support into org policy (#163)

Co-authored-by: Andrew Peabody <[email protected]>
terraform-google-modules · Feb 4, 2025 · 974d1c0 · 974d1c0
1 parent 17308dd
commit 974d1c0
Show file tree

Hide file tree

Showing 9 changed files with 69 additions and 6 deletions.
diff --git a/examples/v2_boolean_org_enforce/README.md b/examples/v2_boolean_org_enforce/README.md
@@ -16,6 +16,7 @@ This boolean constraint, when set to true, enables OS Login on all newly created
 | Name | Description |
 |------|-------------|
 | constraint | Policy Constraint Identifier |
+| parameterized\_constraint | Policy with parameters for Managed Constraint Identifier |
 | policy\_root | Policy Root in the hierarchy for the given policy |
 | policy\_root\_id | Project Root ID at which the policy is applied |
 

diff --git a/examples/v2_boolean_org_enforce/main.tf b/examples/v2_boolean_org_enforce/main.tf
@@ -29,3 +29,17 @@ module "gcp_org_policy_v2" {
   constraint  = "compute.requireOsLogin"
   policy_type = "boolean"
 }
+
+module "parameterized_org_policy_v2" {
+  source  = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
+  version = "~> 7.0"
+
+  policy_root    = "organization"
+  policy_root_id = var.org_id
+  rules = [{
+    enforcement = true
+    parameters  = jsonencode({"allowedDomains" : ["@abc.com"]})
+  }]
+  constraint  = "essentialcontacts.managed.allowedContactDomains"
+  policy_type = "boolean"
+}
diff --git a/examples/v2_boolean_org_enforce/outputs.tf b/examples/v2_boolean_org_enforce/outputs.tf
@@ -29,3 +29,7 @@ output "constraint" {
   value       = module.gcp_org_policy_v2.constraint
 }
 
+output "parameterized_constraint" {
+  description = "Policy with parameters for Managed Constraint Identifier"
+  value       = module.parameterized_org_policy_v2.constraint
+}
diff --git a/modules/org_policy_v2/README.md b/modules/org_policy_v2/README.md
@@ -42,6 +42,40 @@ module "gcp_org_policy_v2_bool" {
 }
 ```
 
+- Parameterized Bool organization policy
+
+```hcl
+module "parameterized_org_policy_v2_bool" {
+  source           = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
+  version          = "~> 7.0"
+
+  policy_root      = "organization"    # either of organization, folder or project
+  policy_root_id   = "123456789"       # either of org id, folder id or project id
+  constraint       = "constraint name" # constraint identifier without constraints/ prefix. Example "compute.requireOsLogin"
+  policy_type      = "boolean"         # either of list or boolean
+  exclude_folders  = []
+  exclude_projects = []
+
+  rules = [
+    # Rule 1
+    {
+      enforcement = false
+    },
+    # Rule 2
+    {
+      enforcement = true
+      parameters  = jsonencode({"allowedDomains" : ["@abc.com"]})
+      conditions  = [{
+        description = "description of the condition"
+        expression  = "resource.matchTagId('tagKeys/123456789', 'tagValues/123456789') && resource.matchTag('123456789/1234', 'abcd')"
+        location    = "sample-location.log"
+        title       = "Title of the condition"
+      }]
+    },
+  ]
+}
+```
+
 - List organization policy
 
 ```hcl
@@ -81,6 +115,7 @@ To control module's behavior, change variables' values regarding the following:
 - `exclude_projects`: a list of project IDs to be excluded from this policy. They must be lower in the hierarchy than the policy root.
 - `rules`: Specify policy rules and conditions. Rules contain the following parameters:
   - `enforcement`: if `true` or `null`then policy will `deny_all`; if `false` then policy will `allow_all`. Applies for `boolean` based policies.
+  - `parameters`: Applies for `boolean` type policies for `managed` constraints, if constraint has parameters defined. Pass parameter values when policy enforcement is enabled. Ensure that parameter value types match those defined in the constraint definition. For example: `{"allowedLocations" : ["us-east1", "us-west1"], "allowAll" : true }`
   - `allow`: list of values to include in the policy with ALLOW behavior. Set `enforce` to `null` to use it.
   - `deny`: list of values to include in the policy with DENY behavior. Set `enforce` to `null` to use it.
   - `conditions`: [Organization tags](https://cloud.google.com/resource-manager/docs/organization-policy/tags-organization-policy) provides a way to conditionally allow or deny policies based on whether a resource has a specific tag. You can use tags and conditional enforcement of organization policies to provide centralized control of the resources in your hierarchy. Each condition has the following properties:
@@ -117,7 +152,7 @@ To control module's behavior, change variables' values regarding the following:
 | policy\_root | Resource hierarchy node to apply the policy to: can be one of `organization`, `folder`, or `project`. | `string` | `"organization"` | no |
 | policy\_root\_id | The policy root id, either of organization\_id, folder\_id or project\_id | `string` | `null` | no |
 | policy\_type | The constraint type to work with (either 'boolean' or 'list') | `string` | `"list"` | no |
-| rules | List of rules per policy. | <pre>list(object(<br>    {<br>      enforcement = bool<br>      allow       = optional(list(string), [])<br>      deny        = optional(list(string), [])<br>      conditions = optional(list(object(<br>        {<br>          description = string<br>          expression  = string<br>          title       = string<br>          location    = string<br>        }<br>      )), [])<br>    }<br>  ))</pre> | n/a | yes |
+| rules | List of rules per policy. | <pre>list(object(<br>    {<br>      enforcement = bool<br>      parameters  = optional(string, null)<br>      allow       = optional(list(string), [])<br>      deny        = optional(list(string), [])<br>      conditions = optional(list(object(<br>        {<br>          description = string<br>          expression  = string<br>          title       = string<br>          location    = string<br>        }<br>      )), [])<br>    }<br>  ))</pre> | n/a | yes |
 
 ## Outputs
 

diff --git a/modules/org_policy_v2/boolean_constraints.tf b/modules/org_policy_v2/boolean_constraints.tf
@@ -27,7 +27,8 @@ resource "google_org_policy_policy" "org_policy_boolean" {
     dynamic "rules" {
       for_each = local.rules
       content {
-        enforce = rules.value.enforcement != false ? "TRUE" : "FALSE"
+        enforce    = rules.value.enforcement != false ? "TRUE" : "FALSE"
+        parameters = rules.value.parameters
         dynamic "condition" {
           for_each = { for k, v in rules.value.conditions : k => v if length(rules.value.conditions) > 0 }
           content {
@@ -55,7 +56,8 @@ resource "google_org_policy_policy" "folder_policy_boolean" {
     dynamic "rules" {
       for_each = local.rules
       content {
-        enforce = rules.value.enforcement != false ? "TRUE" : "FALSE"
+        enforce    = rules.value.enforcement != false ? "TRUE" : "FALSE"
+        parameters = rules.value.parameters
         dynamic "condition" {
           for_each = { for k, v in rules.value.conditions : k => v if length(rules.value.conditions) > 0 }
           content {
@@ -83,7 +85,8 @@ resource "google_org_policy_policy" "project_policy_boolean" {
     dynamic "rules" {
       for_each = local.rules
       content {
-        enforce = rules.value.enforcement != false ? "TRUE" : "FALSE"
+        enforce    = rules.value.enforcement != false ? "TRUE" : "FALSE"
+        parameters = rules.value.parameters
         dynamic "condition" {
           for_each = { for k, v in rules.value.conditions : k => v if length(rules.value.conditions) > 0 }
           content {

diff --git a/modules/org_policy_v2/metadata.yaml b/modules/org_policy_v2/metadata.yaml
@@ -79,6 +79,7 @@ spec:
           list(object(
               {
                 enforcement = bool
+                parameters  = optional(string, null)
                 allow       = optional(list(string), [])
                 deny        = optional(list(string), [])
                 conditions = optional(list(object(
@@ -114,4 +115,4 @@ spec:
       - orgpolicy.googleapis.com
     providerVersions:
       - source: hashicorp/google
-        version: ">= 3.53, < 7"
+        version: ">= 6.14, < 7"
diff --git a/modules/org_policy_v2/variables.tf b/modules/org_policy_v2/variables.tf
@@ -64,6 +64,7 @@ variable "rules" {
   type = list(object(
     {
       enforcement = bool
+      parameters  = optional(string, null)
       allow       = optional(list(string), [])
       deny        = optional(list(string), [])
       conditions = optional(list(object(

diff --git a/modules/org_policy_v2/versions.tf b/modules/org_policy_v2/versions.tf
@@ -20,7 +20,7 @@ terraform {
 
     google = {
       source  = "hashicorp/google"
-      version = ">= 3.53, < 7"
+      version = ">= 6.14, < 7"
     }
   }
 

diff --git a/test/integration/v2_boolean_org_enforce/v2_boolean_org_enforce_test.go b/test/integration/v2_boolean_org_enforce/v2_boolean_org_enforce_test.go
@@ -38,6 +38,10 @@ func TestVersion2BooleanOrgEnforce(t *testing.T) {
 
             constraintImplemented := utils.GetFirstMatchResult(t, op, "constraint", constraintName).Get("constraint").String()
             assert.Equal(constraintImplemented, constraintName, "Org policy is created and exists")
+
+	    parameterizedConstraintName := "constraints/" + orgPolicyv2T.GetStringOutput("parameterized_constraint")
+	    parameterizedConstraintImplemented := utils.GetFirstMatchResult(t, op, "constraint", parameterizedConstraintName).Get("constraint").String()
+	    assert.Equal(parameterizedConstraintImplemented, parameterizedConstraintName, "Org policy is created and exists")
         })
     orgPolicyv2T.Test()
 }