Update project/folder/module to use new org policies API and tf1.3 optionals.

2022-10-28 12:55:16 +02:00
parent 9622635d15
commit b23d07b0c6
12 changed files with 393 additions and 295 deletions
--- a/modules/folder/organization-policies.tf
+++ b/modules/folder/organization-policies.tf
@@ -16,75 +16,97 @@

 # tfdoc:file:description Folder-level organization policies.

-resource "google_folder_organization_policy" "boolean" {
-  for_each   = var.policy_boolean
-  folder     = local.folder.name
-  constraint = each.key
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */

-  dynamic "boolean_policy" {
-    for_each = each.value == null ? [] : [each.value]
-    iterator = policy
-    content {
-      enforced = policy.value
-    }
-  }
+# tfdoc:file:description Project-level organization policies.

-  dynamic "restore_policy" {
-    for_each = each.value == null ? [""] : []
-    content {
-      default = true
-    }
+locals {
+  org_policies = {
+    for k, v in var.org_policies :
+    k => merge(v, {
+      is_boolean_policy = v.allow == null && v.deny == null
+      has_values = (
+        length(coalesce(try(v.allow.values, []), [])) > 0 ||
+        length(coalesce(try(v.deny.values, []), [])) > 0
+      )
+      rules = [
+        for r in v.rules :
+        merge(r, {
+          has_values = (
+            length(coalesce(try(r.allow.values, []), [])) > 0 ||
+            length(coalesce(try(r.deny.values, []), [])) > 0
+          )
+        })
+      ]
+    })
  }
 }

-resource "google_folder_organization_policy" "list" {
-  for_each   = var.policy_list
-  folder     = local.folder.name
-  constraint = each.key
+resource "google_org_policy_policy" "default" {
+  for_each = local.org_policies
+  name     = "${local.folder.name}/policies/${each.key}"
+  parent   = local.folder.name

-  dynamic "list_policy" {
-    for_each = each.value.status == null ? [] : [each.value]
-    iterator = policy
-    content {
-      inherit_from_parent = policy.value.inherit_from_parent
-      suggested_value     = policy.value.suggested_value
-      dynamic "allow" {
-        for_each = policy.value.status ? [""] : []
+  spec {
+    inherit_from_parent = each.value.inherit_from_parent
+    reset               = each.value.reset
+
+    rules {
+      allow_all = try(each.value.allow.all, null) == true ? "TRUE" : null
+      deny_all  = try(each.value.deny.all, null) == true ? "TRUE" : null
+      enforce = (
+        each.value.is_boolean_policy && each.value.enforce != null
+        ? upper(tostring(each.value.enforce))
+        : null
+      )
+      dynamic "values" {
+        for_each = each.value.has_values ? [1] : []
        content {
-          values = (
-            try(length(policy.value.values) > 0, false)
-            ? policy.value.values
-            : null
-          )
-          all = (
-            try(length(policy.value.values) > 0, false)
-            ? null
-            : true
-          )
+          allowed_values = try(each.value.allow.values, null)
+          denied_values  = try(each.value.deny.values, null)
        }
      }
-      dynamic "deny" {
-        for_each = policy.value.status ? [] : [""]
-        content {
-          values = (
-            try(length(policy.value.values) > 0, false)
-            ? policy.value.values
-            : null
-          )
-          all = (
-            try(length(policy.value.values) > 0, false)
-            ? null
-            : true
-          )
+    }
+
+    dynamic "rules" {
+      for_each = each.value.rules
+      iterator = rule
+      content {
+        allow_all = try(rule.value.allow.all, false) == true ? "TRUE" : null
+        deny_all  = try(rule.value.deny.all, false) == true ? "TRUE" : null
+        enforce = (
+          each.value.is_boolean_policy && rule.value.enforce != null
+          ? upper(tostring(rule.value.enforce))
+          : null
+        )
+        condition {
+          description = rule.value.condition.description
+          expression  = rule.value.condition.expression
+          location    = rule.value.condition.location
+          title       = rule.value.condition.title
+        }
+        dynamic "values" {
+          for_each = rule.value.has_values ? [1] : [0]
+          content {
+            allowed_values = try(rule.value.allow.values, null)
+            denied_values  = try(rule.value.deny.values, null)
+          }
        }
      }
    }
  }
-
-  dynamic "restore_policy" {
-    for_each = each.value.status == null ? [true] : []
-    content {
-      default = true
-    }
-  }
 }