Simplify org policies data model in resman modules.

tests/modules/folder/examples/org-policies.yaml

@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -91,7 +91,7 @@ values:
       - allow_all: null
         condition:
         - description: test condition
-          expression: resource.matchTagId("tagKeys/1234", "tagValues/1234")
+          expression: resource.matchTagId('tagKeys/1234', 'tagValues/1234')
           location: somewhere
           title: condition
         deny_all: null

tests/modules/folder/org_policies_boolean.tfvars

@@ -1,9 +1,8 @@
 org_policies = {
   "iam.disableServiceAccountKeyCreation" = {
-    enforce = true
+    rules = [{ enforce = true }]
   }
   "iam.disableServiceAccountKeyUpload" = {
-    enforce = false
     rules = [
       {
         condition = {
@@ -13,6 +12,9 @@ org_policies = {
           location    = "xxx"
         }
         enforce = true
+      },
+      {
+        enforce = false
       }
     ]
   }

tests/modules/folder/org_policies_list.tfvars

@@ -1,14 +1,15 @@
 org_policies = {
   "compute.vmExternalIpAccess" = {
-    deny = { all = true }
+    rules = [{ deny = { all = true } }]
   }
   "iam.allowedPolicyMemberDomains" = {
-    allow = {
-      values = ["C0xxxxxxx", "C0yyyyyyy"]
-    }
+    rules = [{
+      allow = {
+        values = ["C0xxxxxxx", "C0yyyyyyy"]
+      }
+    }]
   }
   "compute.restrictLoadBalancerCreationForTypes" = {
-    deny = { values = ["in:EXTERNAL"] }
     rules = [
       {
         condition = {
@@ -31,6 +32,9 @@ org_policies = {
         allow = {
           all = true
         }
+      },
+      {
+        deny = { values = ["in:EXTERNAL"] }
       }
     ]
   }

tests/modules/organization/examples/basic.yaml

@@ -71,8 +71,23 @@ values:
     - inherit_from_parent: null
       reset: null
       rules:
+      - allow_all: 'TRUE'
+        condition:
+        - description: Allow external identities when resource has the `allowexternal`
+            tag set to true.
+          expression: resource.matchTag('1234567890/allowexternal', 'true')
+          location: null
+          title: Allow external identities
+        deny_all: null
+        enforce: null
+        values: []
       - allow_all: null
-        condition: []
+        condition:
+        - description: For any resource without allowexternal=true, only allow identities
+            from restricted domains.
+          expression: '!resource.matchTag(''1234567890/allowexternal'', ''true'')'
+          location: null
+          title: ''
         deny_all: null
         enforce: null
         values:
@@ -102,7 +117,7 @@ values:
       - allow_all: null
         condition:
         - description: test condition
-          expression: resource.matchTagId("tagKeys/1234", "tagValues/1234")
+          expression: resource.matchTagId('tagKeys/1234', 'tagValues/1234')
           location: somewhere
           title: condition
         deny_all: null
@@ -141,6 +156,20 @@ values:
     member: user:compute@example.org
     org_id: '1234567890'
     role: roles/container.viewer
+  module.org.google_tags_tag_key.default["allowexternal"]:
+    description: Allow external identities.
+    parent: organizations/1234567890
+    purpose: null
+    purpose_data: null
+    short_name: allowexternal
+  module.org.google_tags_tag_value.default["allowexternal/false"]:
+    short_name: 'false'
+  module.org.google_tags_tag_value.default["allowexternal/true"]:
+    short_name: 'true'
+
 counts:
   google_org_policy_policy: 8
   google_organization_iam_binding: 3
+  google_organization_iam_member: 2
+  google_tags_tag_key: 1
+  google_tags_tag_value: 2

tests/modules/organization/org_policies_boolean.tfvars

@@ -1,9 +1,9 @@
 org_policies = {
   "iam.disableServiceAccountKeyCreation" = {
-    enforce = true
+    rules = [{ enforce = true }]
   }
   "iam.disableServiceAccountKeyUpload" = {
-    enforce = false
+
     rules = [
       {
         condition = {
@@ -13,6 +13,9 @@ org_policies = {
           location    = "xxx"
         }
         enforce = true
+      },
+      {
+        enforce = false
       }
     ]
   }

tests/modules/organization/org_policies_list.tfvars

@@ -1,15 +1,17 @@
 org_policies = {
   "compute.vmExternalIpAccess" = {
-    deny = { all = true }
+    rules = [{ deny = { all = true } }]
   }
   "iam.allowedPolicyMemberDomains" = {
     inherit_from_parent = true
-    allow = {
-      values = ["C0xxxxxxx", "C0yyyyyyy"]
-    }
+    rules = [{
+      allow = {
+        values = ["C0xxxxxxx", "C0yyyyyyy"]
+      }
+    }]
+
   }
   "compute.restrictLoadBalancerCreationForTypes" = {
-    deny = { values = ["in:EXTERNAL"] }
     rules = [
       {
         condition = {
@@ -32,6 +34,9 @@ org_policies = {
         allow = {
           all = true
         }
+      },
+      {
+        deny = { values = ["in:EXTERNAL"] }
       }
     ]
   }

tests/modules/organization/test_plan_org_policies_modules.py

@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -26,61 +26,35 @@ def test_policy_implementation():
     path = modules_path / module / 'organization-policies.tf'
     lines[module] = path.open().readlines()
 
-  diff1 = difflib.unified_diff(lines['project'], lines['folder'])
+  diff1 = difflib.unified_diff(lines['project'], lines['folder'], 'project',
+                               'folder', n=0)
   assert list(diff1) == [
-      '--- \n',
-      '+++ \n',
-      '@@ -14,7 +14,7 @@\n',
-      '  * limitations under the License.\n',
-      '  */\n',
-      ' \n',
+      '--- project\n',
+      '+++ folder\n',
+      '@@ -17 +17 @@\n',
       '-# tfdoc:file:description Project-level organization policies.\n',
       '+# tfdoc:file:description Folder-level organization policies.\n',
-      ' \n',
-      ' locals {\n',
-      '   _factory_data_raw = merge([\n',
-      '@@ -65,8 +65,8 @@\n',
-      '   org_policies = {\n',
-      '     for k, v in local._org_policies :\n',
-      '     k => merge(v, {\n',
+      '@@ -58,2 +58,2 @@\n',
       '-      name   = "projects/${local.project.project_id}/policies/${k}"\n',
       '-      parent = "projects/${local.project.project_id}"\n',
       '+      name   = "${local.folder.name}/policies/${k}"\n',
       '+      parent = local.folder.name\n',
-      ' \n',
-      '       is_boolean_policy = v.allow == null && v.deny == null\n',
-      '       has_values = (\n',
   ]
 
-  diff2 = difflib.unified_diff(lines['folder'], lines['organization'])
+  diff2 = difflib.unified_diff(lines['folder'], lines['organization'], 'folder',
+                               'organization', n=0)
   assert list(diff2) == [
-      '--- \n',
-      '+++ \n',
-      '@@ -14,7 +14,7 @@\n',
-      '  * limitations under the License.\n',
-      '  */\n',
-      ' \n',
+      '--- folder\n',
+      '+++ organization\n',
+      '@@ -17 +17 @@\n',
       '-# tfdoc:file:description Folder-level organization policies.\n',
       '+# tfdoc:file:description Organization-level organization policies.\n',
-      ' \n',
-      ' locals {\n',
-      '   _factory_data_raw = merge([\n',
-      '@@ -65,8 +65,8 @@\n',
-      '   org_policies = {\n',
-      '     for k, v in local._org_policies :\n',
-      '     k => merge(v, {\n',
+      '@@ -58,2 +58,2 @@\n',
       '-      name   = "${local.folder.name}/policies/${k}"\n',
       '-      parent = local.folder.name\n',
       '+      name   = "${var.organization_id}/policies/${k}"\n',
       '+      parent = var.organization_id\n',
-      ' \n',
-      '       is_boolean_policy = v.allow == null && v.deny == null\n',
-      '       has_values = (\n',
-      '@@ -139,4 +139,13 @@\n',
-      '       }\n',
-      '     }\n',
-      '   }\n',
-      '+\n',
+      '@@ -116,0 +117,8 @@\n',
       '+  depends_on = [\n',
       '+    google_organization_iam_audit_config.config,\n',
       '+    google_organization_iam_binding.authoritative,\n',
@@ -89,5 +63,4 @@ def test_policy_implementation():
       '+    google_organization_iam_policy.authoritative,\n',
       '+    google_org_policy_custom_constraint.constraint,\n',
       '+  ]\n',
-      ' }\n',
   ]

tests/modules/project/examples/org-policies.yaml

@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -102,7 +102,7 @@ values:
       - allow_all: null
         condition:
         - description: test condition
-          expression: resource.matchTagId("tagKeys/1234", "tagValues/1234")
+          expression: resource.matchTagId('tagKeys/1234', 'tagValues/1234')
           location: somewhere
           title: condition
         deny_all: null

tests/modules/project/org_policies_boolean.tfvars

@@ -1,9 +1,8 @@
 org_policies = {
   "iam.disableServiceAccountKeyCreation" = {
-    enforce = true
+    rules = [{ enforce = true }]
   }
   "iam.disableServiceAccountKeyUpload" = {
-    enforce = false
     rules = [
       {
         condition = {
@@ -13,6 +12,9 @@ org_policies = {
           location    = "xxx"
         }
         enforce = true
+      },
+      {
+        enforce = false
       }
     ]
   }

tests/modules/project/org_policies_list.tfvars

@@ -1,15 +1,17 @@
 org_policies = {
   "compute.vmExternalIpAccess" = {
-    deny = { all = true }
+    rules = [{ deny = { all = true } }]
   }
   "iam.allowedPolicyMemberDomains" = {
     inherit_from_parent = true
-    allow = {
-      values = ["C0xxxxxxx", "C0yyyyyyy"]
-    }
+    rules = [{
+      allow = {
+        values = ["C0xxxxxxx", "C0yyyyyyy"]
+      }
+    }]
   }
   "compute.restrictLoadBalancerCreationForTypes" = {
-    deny = { values = ["in:EXTERNAL"] }
+
     rules = [
       {
         condition = {
@@ -32,6 +34,9 @@ org_policies = {
         allow = {
           all = true
         }
+      },
+      {
+        deny = { values = ["in:EXTERNAL"] }
       }
     ]
   }