Add support for org policies to folder and project modules (#58)

* modules/folders: add support for org policies

* update README

* update cloud config modules READMEs

* modules/project: add org policies

tests/modules/folders/fixture/main.tf

@@ -15,9 +15,11 @@
  */
 
 module "test" {
-  source      = "../../../../modules/folders"
-  parent      = "organizations/12345678"
-  names       = ["folder-a", "folder-b"]
-  iam_members = var.iam_members
-  iam_roles   = var.iam_roles
+  source         = "../../../../modules/folders"
+  parent         = "organizations/12345678"
+  names          = ["folder-a", "folder-b"]
+  iam_members    = var.iam_members
+  iam_roles      = var.iam_roles
+  policy_boolean = var.policy_boolean
+  policy_list    = var.policy_list
 }

tests/modules/folders/fixture/variables.tf

@@ -23,3 +23,18 @@ variable "iam_roles" {
   type    = map(list(string))
   default = null
 }
+
+variable "policy_boolean" {
+  type    = map(bool)
+  default = {}
+}
+
+variable "policy_list" {
+  type = map(object({
+    inherit_from_parent = bool
+    suggested_value     = string
+    status              = bool
+    values              = list(string)
+  }))
+  default = {}
+}

tests/modules/folders/test_plan_org_policies.py

@@ -0,0 +1,86 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+import os
+import pytest
+
+
+FIXTURES_DIR = os.path.join(os.path.dirname(__file__), 'fixture')
+
+
+def test_policy_boolean(plan_runner):
+  "Test boolean folder policy."
+  policy_boolean = '{policy-a = true, policy-b = false, policy-c = null}'
+  _, resources = plan_runner(FIXTURES_DIR, policy_boolean=policy_boolean)
+  assert len(resources) == 8
+  resources = [r for r in resources if r['type']
+               == 'google_folder_organization_policy']
+  assert sorted([r['index'] for r in resources]) == [
+      'folder-a-policy-a',
+      'folder-a-policy-b',
+      'folder-a-policy-c',
+      'folder-b-policy-a',
+      'folder-b-policy-b',
+      'folder-b-policy-c'
+  ]
+  policy_values = []
+  for resource in resources:
+    for policy in ('boolean_policy', 'restore_policy'):
+      value = resource['values'][policy]
+      if value:
+        policy_values.append((resource['index'], policy,) + value[0].popitem())
+  assert sorted(policy_values) == [
+      ('folder-a-policy-a', 'boolean_policy', 'enforced', True),
+      ('folder-a-policy-b', 'boolean_policy', 'enforced', False),
+      ('folder-a-policy-c', 'restore_policy', 'default', True),
+      ('folder-b-policy-a', 'boolean_policy', 'enforced', True),
+      ('folder-b-policy-b', 'boolean_policy', 'enforced', False),
+      ('folder-b-policy-c', 'restore_policy', 'default', True)
+  ]
+
+
+def test_policy_list(plan_runner):
+  "Test list org policy."
+  policy_list = (
+      '{'
+      'policy-a = {inherit_from_parent = true, suggested_value = null, status = true, values = []}, '
+      'policy-b = {inherit_from_parent = null, suggested_value = "foo", status = false, values = ["bar"]}, '
+      'policy-c = {inherit_from_parent = null, suggested_value = true, status = null, values = null}'
+      '}'
+  )
+  _, resources = plan_runner(FIXTURES_DIR, policy_list=policy_list)
+  assert len(resources) == 8
+  resources = [r for r in resources if r['type']
+               == 'google_folder_organization_policy']
+  assert sorted([r['index'] for r in resources]) == [
+      'folder-a-policy-a',
+      'folder-a-policy-b',
+      'folder-a-policy-c',
+      'folder-b-policy-a',
+      'folder-b-policy-b',
+      'folder-b-policy-c'
+  ]
+  values = [r['values'] for r in resources]
+  assert [r['constraint'] for r in values] == [
+      'policy-a', 'policy-b', 'policy-c', 'policy-a', 'policy-b', 'policy-c'
+  ]
+  for i in (0, 3):
+    assert values[i]['list_policy'][0]['allow'] == [
+        {'all': True, 'values': None}]
+  for i in (1, 4):
+    assert values[i]['list_policy'][0]['deny'] == [
+        {'all': False, 'values': ["bar"]}]
+  for i in (2, 5):
+    assert values[i]['restore_policy'] == [{'default': True}]

tests/modules/project/fixture/main.tf

@@ -30,6 +30,8 @@ module "test" {
   oslogin_admins       = var.oslogin_admins
   oslogin_users        = var.oslogin_users
   parent               = var.parent
+  policy_boolean       = var.policy_boolean
+  policy_list          = var.policy_list
   prefix               = var.prefix
   services             = var.services
 }

tests/modules/project/fixture/variables.tf

@@ -74,6 +74,21 @@ variable "parent" {
   default = "folders/12345678"
 }
 
+variable "policy_boolean" {
+  type    = map(bool)
+  default = {}
+}
+
+variable "policy_list" {
+  type = map(object({
+    inherit_from_parent = bool
+    suggested_value     = string
+    status              = bool
+    values              = list(string)
+  }))
+  default = {}
+}
+
 variable "prefix" {
   type    = string
   default = null

tests/modules/project/test_plan_org_policies.py

@@ -0,0 +1,66 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+import os
+import pytest
+
+
+FIXTURES_DIR = os.path.join(os.path.dirname(__file__), 'fixture')
+
+
+def test_policy_boolean(plan_runner):
+  "Test boolean org policy."
+  policy_boolean = '{policy-a = true, policy-b = false, policy-c = null}'
+  _, resources = plan_runner(FIXTURES_DIR, policy_boolean=policy_boolean)
+  assert len(resources) == 4
+  resources = [r for r in resources if r['type']
+               == 'google_project_organization_policy']
+  assert sorted([r['index'] for r in resources]) == [
+      'policy-a', 'policy-b', 'policy-c'
+  ]
+  policy_values = []
+  for resource in resources:
+    for policy in ('boolean_policy', 'restore_policy'):
+      value = resource['values'][policy]
+      if value:
+        policy_values.append((policy,) + value[0].popitem())
+  assert sorted(policy_values) == [
+      ('boolean_policy', 'enforced', False),
+      ('boolean_policy', 'enforced', True),
+      ('restore_policy', 'default', True)
+  ]
+
+
+def test_policy_list(plan_runner):
+  "Test list org policy."
+  policy_list = (
+      '{'
+      'policy-a = {inherit_from_parent = true, suggested_value = null, status = true, values = []}, '
+      'policy-b = {inherit_from_parent = null, suggested_value = "foo", status = false, values = ["bar"]}, '
+      'policy-c = {inherit_from_parent = null, suggested_value = true, status = null, values = null}'
+      '}'
+  )
+  _, resources = plan_runner(FIXTURES_DIR, policy_list=policy_list)
+  assert len(resources) == 4
+  values = [r['values'] for r in resources if r['type']
+            == 'google_project_organization_policy']
+  assert [r['constraint'] for r in values] == [
+      'policy-a', 'policy-b', 'policy-c'
+  ]
+  assert values[0]['list_policy'][0]['allow'] == [
+      {'all': True, 'values': None}]
+  assert values[1]['list_policy'][0]['deny'] == [
+      {'all': False, 'values': ["bar"]}]
+  assert values[2]['restore_policy'] == [{'default': True}]