kovagoadi/hunfabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update project/folder/module to use new org policies API and tf1.3 optionals.

Browse Source
This commit is contained in:
Julio Castillo
2022-10-28 12:55:16 +02:00
parent 9622635d15
commit b23d07b0c6
12 changed files with 393 additions and 295 deletions
Download Patch File Download Diff File Expand all files Collapse all files

124
modules/project/organization-policies.tf
View File

@@ -16,75 +16,79 @@
# tfdoc:file:description Project-level organization policies.
resource "google_project_organization_policy" "boolean" {
for_each = var.policy_boolean
project = local.project.project_id
constraint = each.key
dynamic "boolean_policy" {
for_each = each.value == null ? [] : [each.value]
iterator = policy
content {
enforced = policy.value
}
}
dynamic "restore_policy" {
for_each = each.value == null ? [""] : []
content {
default = true
}
locals {
org_policies = {
for k, v in var.org_policies :
k => merge(v, {
is_boolean_policy = v.allow == null && v.deny == null
has_values = (
length(coalesce(try(v.allow.values, []), [])) > 0 ||
length(coalesce(try(v.deny.values, []), [])) > 0
)
rules = [
for r in v.rules :
merge(r, {
has_values = (
length(coalesce(try(r.allow.values, []), [])) > 0 ||
length(coalesce(try(r.deny.values, []), [])) > 0
)
})
]
})
}
}
resource "google_project_organization_policy" "list" {
for_each = var.policy_list
project = local.project.project_id
constraint = each.key
resource "google_org_policy_policy" "default" {
for_each = local.org_policies
name = "projects/${local.project.project_id}/policies/${each.key}"
parent = "projects/${local.project.project_id}"
dynamic "list_policy" {
for_each = each.value.status == null ? [] : [each.value]
iterator = policy
content {
inherit_from_parent = policy.value.inherit_from_parent
suggested_value = policy.value.suggested_value
dynamic "allow" {
for_each = policy.value.status ? [""] : []
spec {
inherit_from_parent = each.value.inherit_from_parent
reset = each.value.reset
rules {
allow_all = try(each.value.allow.all, null) == true ? "TRUE" : null
deny_all = try(each.value.deny.all, null) == true ? "TRUE" : null
enforce = (
each.value.is_boolean_policy && each.value.enforce != null
? upper(tostring(each.value.enforce))
: null
)
dynamic "values" {
for_each = each.value.has_values ? [1] : []
content {
values = (
try(length(policy.value.values) > 0, false)
? policy.value.values
: null
)
all = (
try(length(policy.value.values) > 0, false)
? null
: true
)
allowed_values = try(each.value.allow.values, null)
denied_values = try(each.value.deny.values, null)
}
}
dynamic "deny" {
for_each = policy.value.status ? [] : [""]
content {
values = (
try(length(policy.value.values) > 0, false)
? policy.value.values
: null
)
all = (
try(length(policy.value.values) > 0, false)
? null
: true
)
}
dynamic "rules" {
for_each = each.value.rules
iterator = rule
content {
allow_all = try(rule.value.allow.all, false) == true ? "TRUE" : null
deny_all = try(rule.value.deny.all, false) == true ? "TRUE" : null
enforce = (
each.value.is_boolean_policy && rule.value.enforce != null
? upper(tostring(rule.value.enforce))
: null
)
condition {
description = rule.value.condition.description
expression = rule.value.condition.expression
location = rule.value.condition.location
title = rule.value.condition.title
}
dynamic "values" {
for_each = rule.value.has_values ? [1] : [0]
content {
allowed_values = try(rule.value.allow.values, null)
denied_values = try(rule.value.deny.values, null)
}
}
}
}
}
dynamic "restore_policy" {
for_each = each.value.status == null ? [true] : []
content {
default = true
}
}
}