Add context to organization policiy factories (#2876)
This commit is contained in:
Julio Castillo
@@ -125,7 +125,7 @@ module "folder" {
|
||||
"iam.allowedPolicyMemberDomains" = {
|
||||
rules = [{
|
||||
allow = {
|
||||
values = ["C0xxxxxxx", "C0yyyyyyy"]
|
||||
values = ["C0xxxxxxx", "C0yyyyyyy", "C0zzzzzzz"]
|
||||
}
|
||||
}]
|
||||
}
|
||||
@@ -144,7 +144,7 @@ module "folder" {
|
||||
{
|
||||
enforce = true
|
||||
parameters = jsonencode({
|
||||
allowedDomains = ["@example.com"]
|
||||
allowedDomains = ["@example.com", "@secondary.example.com"]
|
||||
})
|
||||
}
|
||||
]
|
||||
@@ -169,6 +169,19 @@ module "folder" {
|
||||
name = "Folder name"
|
||||
factories_config = {
|
||||
org_policies = "configs/org-policies/"
|
||||
context = {
|
||||
org_policies = {
|
||||
tags = {
|
||||
my_conditional_tag = "tagKeys/1234"
|
||||
}
|
||||
domains = {
|
||||
secondary = "@secondary.example.com"
|
||||
}
|
||||
customer_ids = {
|
||||
extra = "C0zzzzzzz"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=9 files=boolean,list inventory=org-policies.yaml e2e
|
||||
@@ -188,7 +201,7 @@ iam.disableServiceAccountKeyUpload:
|
||||
rules:
|
||||
- condition:
|
||||
description: test condition
|
||||
expression: resource.matchTagId('tagKeys/1234', 'tagValues/1234')
|
||||
expression: resource.matchTagId('${tags.my_conditional_tag}', 'tagValues/1234')
|
||||
location: somewhere
|
||||
title: condition
|
||||
enforce: true
|
||||
@@ -197,7 +210,7 @@ essentialcontacts.managed.allowedContactDomains:
|
||||
rules:
|
||||
- enforce: true
|
||||
parameters: |
|
||||
{"allowedDomains": ["@example.com"]}
|
||||
{"allowedDomains": ["@example.com", "${domains.secondary}"]}
|
||||
|
||||
# tftest-file id=boolean path=configs/org-policies/boolean.yaml schema=org-policies.schema.json
|
||||
```
|
||||
@@ -218,6 +231,7 @@ iam.allowedPolicyMemberDomains:
|
||||
values:
|
||||
- C0xxxxxxx
|
||||
- C0yyyyyyy
|
||||
- ${customer_ids.extra}
|
||||
|
||||
# tftest-file id=list path=configs/org-policies/list.yaml schema=org-policies.schema.json
|
||||
```
|
||||
@@ -413,23 +427,23 @@ module "folder" {
|
||||
| [assured_workload_config](variables.tf#L17) | Create AssuredWorkloads folder instead of regular folder when value is provided. Incompatible with folder_create=false. | <code title="object({ compliance_regime = string display_name = string location = string organization = string enable_sovereign_controls = optional(bool) labels = optional(map(string), {}) partner = optional(string) partner_permissions = optional(object({ assured_workloads_monitoring = optional(bool) data_logs_viewer = optional(bool) service_access_approver = optional(bool) })) violation_notifications_enabled = optional(bool) })">object({…})</code> | | <code>null</code> |
|
||||
| [contacts](variables.tf#L70) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [deletion_protection](variables.tf#L77) | Deletion protection setting for this folder. | <code>bool</code> | | <code>false</code> |
|
||||
| [factories_config](variables.tf#L83) | Paths to data files and folders that enable factory functionality. | <code title="object({ org_policies = optional(string) })">object({…})</code> | | <code>{}</code> |
|
||||
| [firewall_policy](variables.tf#L92) | Hierarchical firewall policy to associate to this folder. | <code title="object({ name = string policy = string })">object({…})</code> | | <code>null</code> |
|
||||
| [folder_create](variables.tf#L101) | Create folder. When set to false, uses id to reference an existing folder. | <code>bool</code> | | <code>true</code> |
|
||||
| [factories_config](variables.tf#L83) | Paths to data files and folders that enable factory functionality. | <code title="object({ org_policies = optional(string) context = optional(object({ org_policies = optional(map(map(string)), {}) }), {}) })">object({…})</code> | | <code>{}</code> |
|
||||
| [firewall_policy](variables.tf#L95) | Hierarchical firewall policy to associate to this folder. | <code title="object({ name = string policy = string })">object({…})</code> | | <code>null</code> |
|
||||
| [folder_create](variables.tf#L104) | Create folder. When set to false, uses id to reference an existing folder. | <code>bool</code> | | <code>true</code> |
|
||||
| [iam](variables-iam.tf#L17) | IAM bindings in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_bindings](variables-iam.tf#L24) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | <code title="map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [iam_bindings_additive](variables-iam.tf#L39) | Individual additive IAM bindings. Keys are arbitrary. | <code title="map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [iam_by_principals](variables-iam.tf#L61) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid errors. Merged internally with the `iam` variable. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_by_principals_additive](variables-iam.tf#L54) | Additive IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid errors. Merged internally with the `iam_bindings_additive` variable. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [id](variables.tf#L107) | Folder ID in case you use folder_create=false. | <code>string</code> | | <code>null</code> |
|
||||
| [id](variables.tf#L110) | Folder ID in case you use folder_create=false. | <code>string</code> | | <code>null</code> |
|
||||
| [logging_data_access](variables-logging.tf#L17) | Control activation of data access logs. The special 'allServices' key denotes configuration for all services. | <code title="map(object({ ADMIN_READ = optional(object({ exempted_members = optional(list(string)) })), DATA_READ = optional(object({ exempted_members = optional(list(string)) })), DATA_WRITE = optional(object({ exempted_members = optional(list(string)) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [logging_exclusions](variables-logging.tf#L28) | Logging exclusions for this folder in the form {NAME -> FILTER}. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [logging_settings](variables-logging.tf#L35) | Default settings for logging resources. | <code title="object({ disable_default_sink = optional(bool) storage_location = optional(string) })">object({…})</code> | | <code>null</code> |
|
||||
| [logging_sinks](variables-logging.tf#L45) | Logging sinks to create for the folder. | <code title="map(object({ bq_partitioned_table = optional(bool, false) description = optional(string) destination = string disabled = optional(bool, false) exclusions = optional(map(string), {}) filter = optional(string) iam = optional(bool, true) include_children = optional(bool, true) intercept_children = optional(bool, false) type = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [name](variables.tf#L113) | Folder name. | <code>string</code> | | <code>null</code> |
|
||||
| [org_policies](variables.tf#L119) | Organization policies applied to this folder keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool) # for boolean policies only. condition = optional(object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }), {}) parameters = optional(string) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [parent](variables.tf#L147) | Parent in folders/folder_id or organizations/org_id format. | <code>string</code> | | <code>null</code> |
|
||||
| [tag_bindings](variables.tf#L157) | Tag bindings for this folder, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [name](variables.tf#L116) | Folder name. | <code>string</code> | | <code>null</code> |
|
||||
| [org_policies](variables.tf#L122) | Organization policies applied to this folder keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool) # for boolean policies only. condition = optional(object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }), {}) parameters = optional(string) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [parent](variables.tf#L150) | Parent in folders/folder_id or organizations/org_id format. | <code>string</code> | | <code>null</code> |
|
||||
| [tag_bindings](variables.tf#L160) | Tag bindings for this folder, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
||||
@@ -31,21 +31,49 @@ locals {
|
||||
rules = [
|
||||
for r in try(v.rules, []) : {
|
||||
allow = can(r.allow) ? {
|
||||
all = try(r.allow.all, null)
|
||||
values = try(r.allow.values, null)
|
||||
all = try(r.allow.all, null)
|
||||
values = (
|
||||
can(r.allow.values)
|
||||
? [for x in r.allow.values : templatestring(x, var.factories_config.context.org_policies)]
|
||||
: null
|
||||
)
|
||||
} : null
|
||||
deny = can(r.deny) ? {
|
||||
all = try(r.deny.all, null)
|
||||
values = try(r.deny.values, null)
|
||||
all = try(r.deny.all, null)
|
||||
values = (
|
||||
can(r.deny.values)
|
||||
? [for x in r.deny.values : templatestring(x, var.factories_config.context.org_policies)]
|
||||
: null
|
||||
)
|
||||
} : null
|
||||
enforce = try(r.enforce, null)
|
||||
condition = {
|
||||
description = try(r.condition.description, null)
|
||||
expression = try(r.condition.expression, null)
|
||||
location = try(r.condition.location, null)
|
||||
title = try(r.condition.title, null)
|
||||
description = (
|
||||
can(r.condition.description)
|
||||
? templatestring(r.condition.description, var.factories_config.context.org_policies)
|
||||
: null
|
||||
)
|
||||
expression = (
|
||||
can(r.condition.expression)
|
||||
? templatestring(r.condition.expression, var.factories_config.context.org_policies)
|
||||
: null
|
||||
)
|
||||
location = (
|
||||
can(r.condition.location)
|
||||
? templatestring(r.condition.location, var.factories_config.context.org_policies)
|
||||
: null
|
||||
)
|
||||
title = (
|
||||
can(r.condition.title)
|
||||
? templatestring(r.condition.title, var.factories_config.context.org_policies)
|
||||
: null
|
||||
)
|
||||
}
|
||||
parameters = try(r.parameters, null)
|
||||
parameters = (
|
||||
can(r.parameters)
|
||||
? templatestring(r.parameters, var.factories_config.context.org_policies)
|
||||
: null
|
||||
)
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
@@ -84,6 +84,9 @@ variable "factories_config" {
|
||||
description = "Paths to data files and folders that enable factory functionality."
|
||||
type = object({
|
||||
org_policies = optional(string)
|
||||
context = optional(object({
|
||||
org_policies = optional(map(map(string)), {})
|
||||
}), {})
|
||||
})
|
||||
nullable = false
|
||||
default = {}
|
||||
|
||||
@@ -535,11 +535,11 @@ module "org" {
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [organization_id](variables.tf#L93) | Organization id in organizations/nnnnnn format. | <code>string</code> | ✓ | |
|
||||
| [organization_id](variables.tf#L96) | Organization id in organizations/nnnnnn format. | <code>string</code> | ✓ | |
|
||||
| [contacts](variables.tf#L17) | List of essential contacts for this resource. Must be in the form EMAIL -> [NOTIFICATION_TYPES]. Valid notification types are ALL, SUSPENSION, SECURITY, TECHNICAL, BILLING, LEGAL, PRODUCT_UPDATES. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [custom_roles](variables.tf#L24) | Map of role name => list of permissions to create in this project. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [factories_config](variables.tf#L31) | Paths to data files and folders that enable factory functionality. | <code title="object({ custom_roles = optional(string) org_policies = optional(string) org_policy_custom_constraints = optional(string) })">object({…})</code> | | <code>{}</code> |
|
||||
| [firewall_policy](variables.tf#L42) | Hierarchical firewall policies to associate to the organization. | <code title="object({ name = string policy = string })">object({…})</code> | | <code>null</code> |
|
||||
| [factories_config](variables.tf#L31) | Paths to data files and folders that enable factory functionality. | <code title="object({ custom_roles = optional(string) org_policies = optional(string) org_policy_custom_constraints = optional(string) context = optional(object({ org_policies = optional(map(map(string)), {}) }), {}) })">object({…})</code> | | <code>{}</code> |
|
||||
| [firewall_policy](variables.tf#L45) | Hierarchical firewall policies to associate to the organization. | <code title="object({ name = string policy = string })">object({…})</code> | | <code>null</code> |
|
||||
| [iam](variables-iam.tf#L17) | IAM bindings, in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [iam_bindings](variables-iam.tf#L24) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | <code title="map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [iam_bindings_additive](variables-iam.tf#L39) | Individual additive IAM bindings. Keys are arbitrary. | <code title="map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
@@ -550,8 +550,8 @@ module "org" {
|
||||
| [logging_settings](variables-logging.tf#L35) | Default settings for logging resources. | <code title="object({ disable_default_sink = optional(bool) storage_location = optional(string) })">object({…})</code> | | <code>null</code> |
|
||||
| [logging_sinks](variables-logging.tf#L45) | Logging sinks to create for the organization. | <code title="map(object({ bq_partitioned_table = optional(bool, false) description = optional(string) destination = string disabled = optional(bool, false) exclusions = optional(map(string), {}) filter = optional(string) iam = optional(bool, true) include_children = optional(bool, true) intercept_children = optional(bool, false) type = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [network_tags](variables-tags.tf#L17) | Network tags by key name. If `id` is provided, key creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) id = optional(string) network = string # project_id/vpc_name values = optional(map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [org_policies](variables.tf#L51) | Organization policies applied to this organization keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool) # for boolean policies only. condition = optional(object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }), {}) parameters = optional(string) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [org_policy_custom_constraints](variables.tf#L79) | Organization policy custom constraints keyed by constraint name. | <code title="map(object({ display_name = optional(string) description = optional(string) action_type = string condition = string method_types = list(string) resource_types = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [org_policies](variables.tf#L54) | Organization policies applied to this organization keyed by policy name. | <code title="map(object({ inherit_from_parent = optional(bool) # for list policies only. reset = optional(bool) rules = optional(list(object({ allow = optional(object({ all = optional(bool) values = optional(list(string)) })) deny = optional(object({ all = optional(bool) values = optional(list(string)) })) enforce = optional(bool) # for boolean policies only. condition = optional(object({ description = optional(string) expression = optional(string) location = optional(string) title = optional(string) }), {}) parameters = optional(string) })), []) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [org_policy_custom_constraints](variables.tf#L82) | Organization policy custom constraints keyed by constraint name. | <code title="map(object({ display_name = optional(string) description = optional(string) action_type = string condition = string method_types = list(string) resource_types = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [tag_bindings](variables-tags.tf#L81) | Tag bindings for this organization, in key => tag value id format. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [tags](variables-tags.tf#L88) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) id = optional(string) values = optional(map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) id = optional(string) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
|
||||
|
||||
@@ -31,21 +31,49 @@ locals {
|
||||
rules = [
|
||||
for r in try(v.rules, []) : {
|
||||
allow = can(r.allow) ? {
|
||||
all = try(r.allow.all, null)
|
||||
values = try(r.allow.values, null)
|
||||
all = try(r.allow.all, null)
|
||||
values = (
|
||||
can(r.allow.values)
|
||||
? [for x in r.allow.values : templatestring(x, var.factories_config.context.org_policies)]
|
||||
: null
|
||||
)
|
||||
} : null
|
||||
deny = can(r.deny) ? {
|
||||
all = try(r.deny.all, null)
|
||||
values = try(r.deny.values, null)
|
||||
all = try(r.deny.all, null)
|
||||
values = (
|
||||
can(r.deny.values)
|
||||
? [for x in r.deny.values : templatestring(x, var.factories_config.context.org_policies)]
|
||||
: null
|
||||
)
|
||||
} : null
|
||||
enforce = try(r.enforce, null)
|
||||
condition = {
|
||||
description = try(r.condition.description, null)
|
||||
expression = try(r.condition.expression, null)
|
||||
location = try(r.condition.location, null)
|
||||
title = try(r.condition.title, null)
|
||||
description = (
|
||||
can(r.condition.description)
|
||||
? templatestring(r.condition.description, var.factories_config.context.org_policies)
|
||||
: null
|
||||
)
|
||||
expression = (
|
||||
can(r.condition.expression)
|
||||
? templatestring(r.condition.expression, var.factories_config.context.org_policies)
|
||||
: null
|
||||
)
|
||||
location = (
|
||||
can(r.condition.location)
|
||||
? templatestring(r.condition.location, var.factories_config.context.org_policies)
|
||||
: null
|
||||
)
|
||||
title = (
|
||||
can(r.condition.title)
|
||||
? templatestring(r.condition.title, var.factories_config.context.org_policies)
|
||||
: null
|
||||
)
|
||||
}
|
||||
parameters = try(r.parameters, null)
|
||||
parameters = (
|
||||
can(r.parameters)
|
||||
? templatestring(r.parameters, var.factories_config.context.org_policies)
|
||||
: null
|
||||
)
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
@@ -34,6 +34,9 @@ variable "factories_config" {
|
||||
custom_roles = optional(string)
|
||||
org_policies = optional(string)
|
||||
org_policy_custom_constraints = optional(string)
|
||||
context = optional(object({
|
||||
org_policies = optional(map(map(string)), {})
|
||||
}), {})
|
||||
})
|
||||
nullable = false
|
||||
default = {}
|
||||
|
||||
File diff suppressed because one or more lines are too long
@@ -31,21 +31,49 @@ locals {
|
||||
rules = [
|
||||
for r in try(v.rules, []) : {
|
||||
allow = can(r.allow) ? {
|
||||
all = try(r.allow.all, null)
|
||||
values = try(r.allow.values, null)
|
||||
all = try(r.allow.all, null)
|
||||
values = (
|
||||
can(r.allow.values)
|
||||
? [for x in r.allow.values : templatestring(x, var.factories_config.context.org_policies)]
|
||||
: null
|
||||
)
|
||||
} : null
|
||||
deny = can(r.deny) ? {
|
||||
all = try(r.deny.all, null)
|
||||
values = try(r.deny.values, null)
|
||||
all = try(r.deny.all, null)
|
||||
values = (
|
||||
can(r.deny.values)
|
||||
? [for x in r.deny.values : templatestring(x, var.factories_config.context.org_policies)]
|
||||
: null
|
||||
)
|
||||
} : null
|
||||
enforce = try(r.enforce, null)
|
||||
condition = {
|
||||
description = try(r.condition.description, null)
|
||||
expression = try(r.condition.expression, null)
|
||||
location = try(r.condition.location, null)
|
||||
title = try(r.condition.title, null)
|
||||
description = (
|
||||
can(r.condition.description)
|
||||
? templatestring(r.condition.description, var.factories_config.context.org_policies)
|
||||
: null
|
||||
)
|
||||
expression = (
|
||||
can(r.condition.expression)
|
||||
? templatestring(r.condition.expression, var.factories_config.context.org_policies)
|
||||
: null
|
||||
)
|
||||
location = (
|
||||
can(r.condition.location)
|
||||
? templatestring(r.condition.location, var.factories_config.context.org_policies)
|
||||
: null
|
||||
)
|
||||
title = (
|
||||
can(r.condition.title)
|
||||
? templatestring(r.condition.title, var.factories_config.context.org_policies)
|
||||
: null
|
||||
)
|
||||
}
|
||||
parameters = try(r.parameters, null)
|
||||
parameters = (
|
||||
can(r.parameters)
|
||||
? templatestring(r.parameters, var.factories_config.context.org_policies)
|
||||
: null
|
||||
)
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
@@ -87,6 +87,7 @@ variable "factories_config" {
|
||||
quotas = optional(string)
|
||||
context = optional(object({
|
||||
notification_channels = optional(map(string), {})
|
||||
org_policies = optional(map(map(string)), {})
|
||||
}), {})
|
||||
})
|
||||
nullable = false
|
||||
|
||||
@@ -84,7 +84,7 @@ values:
|
||||
condition: []
|
||||
deny_all: null
|
||||
enforce: 'TRUE'
|
||||
parameters: '{"allowedDomains":["@example.com"]}'
|
||||
parameters: '{"allowedDomains":["@example.com","@secondary.example.com"]}'
|
||||
values: []
|
||||
timeouts: null
|
||||
module.folder.google_org_policy_policy.default["iam.allowedPolicyMemberDomains"]:
|
||||
@@ -102,6 +102,7 @@ values:
|
||||
- allowed_values:
|
||||
- C0xxxxxxx
|
||||
- C0yyyyyyy
|
||||
- C0zzzzzzz
|
||||
denied_values: null
|
||||
timeouts: null
|
||||
module.folder.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]:
|
||||
|
||||
@@ -34,7 +34,7 @@ def test_policy_implementation():
|
||||
'@@ -17 +17 @@\n',
|
||||
'-# tfdoc:file:description Project-level organization policies.\n',
|
||||
'+# tfdoc:file:description Folder-level organization policies.\n',
|
||||
'@@ -81,2 +81,2 @@\n',
|
||||
'@@ -109,2 +109,2 @@\n',
|
||||
'- name = "projects/${local.project.project_id}/policies/${each.value}"\n',
|
||||
'- parent = "projects/${local.project.project_id}"\n',
|
||||
'+ name = "${local.folder_id}/policies/${each.value}"\n',
|
||||
@@ -49,12 +49,12 @@ def test_policy_implementation():
|
||||
'@@ -17 +17 @@\n',
|
||||
'-# tfdoc:file:description Folder-level organization policies.\n',
|
||||
'+# tfdoc:file:description Organization-level organization policies.\n',
|
||||
'@@ -81,2 +81,2 @@\n',
|
||||
'@@ -109,2 +109,2 @@\n',
|
||||
'- name = "${local.folder_id}/policies/${each.value}"\n',
|
||||
'- parent = local.folder_id\n',
|
||||
'+ name = "${var.organization_id}/policies/${each.value}"\n',
|
||||
'+ parent = var.organization_id\n',
|
||||
'@@ -159,0 +160,9 @@\n',
|
||||
'@@ -187,0 +188,9 @@\n',
|
||||
'+ depends_on = [\n',
|
||||
'+ google_organization_iam_binding.authoritative,\n',
|
||||
'+ google_organization_iam_binding.bindings,\n',
|
||||
|
||||
@@ -88,7 +88,7 @@ values:
|
||||
condition: []
|
||||
deny_all: null
|
||||
enforce: 'TRUE'
|
||||
parameters: '{"allowedDomains":["@example.com"]}'
|
||||
parameters: '{"allowedDomains":["@example.com","@secondary.example.com"]}'
|
||||
values: []
|
||||
timeouts: null
|
||||
module.project.google_org_policy_policy.default["iam.allowedPolicyMemberDomains"]:
|
||||
@@ -108,6 +108,7 @@ values:
|
||||
- allowed_values:
|
||||
- C0xxxxxxx
|
||||
- C0yyyyyyy
|
||||
- C0zzzzzzz
|
||||
denied_values: null
|
||||
timeouts: null
|
||||
module.project.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]:
|
||||
|
||||
Reference in New Issue
Block a user