kovagoadi/hunfabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix org policy service to be enabled before organization policies applied (#3547)

Browse Source 
* Fix org policy service to be enabled before organization policies applied
This commit is contained in:
Vannick Trinquier
2025-11-21 14:22:17 +07:00
committed by GitHub
parent b412fafd6c
commit b686a6f730
5 changed files with 36 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
modules/project/main.tf
View File

@@ -89,10 +89,20 @@ locals {
) )
universe_prefix = var.universe == null ? "" : "${var.universe.prefix}:" universe_prefix = var.universe == null ? "" : "${var.universe.prefix}:"
# available services are those declared, minus any unsupported by universe # available services are those declared, minus any unsupported by universe
available_services = tolist(setsubtract( _available_services = setsubtract(
var.services, var.services,
try(var.universe.unavailable_services, []) try(var.universe.unavailable_services, [])
)
available_services = tolist(setsubtract(
local._available_services,
["orgpolicy.googleapis.com"]
)) ))
enable_orgpolicy_service = contains(local._available_services, "orgpolicy.googleapis.com")
}
moved {
from = google_project_service.project_services["orgpolicy.googleapis.com"]
to = google_project_service.org_policy_service[0]
} }
data "google_project" "project" { data "google_project" "project" {
@@ -132,6 +142,14 @@ resource "google_project_service" "project_services" {
depends_on = [google_org_policy_policy.default] depends_on = [google_org_policy_policy.default]
} }
resource "google_project_service" "org_policy_service" {
count = local.enable_orgpolicy_service ? 1 : 0
project = local.project.project_id
service = "orgpolicy.googleapis.com"
disable_on_destroy = var.service_config.disable_on_destroy
disable_dependent_services = var.service_config.disable_dependent_services
}
resource "google_compute_project_metadata_item" "default" { resource "google_compute_project_metadata_item" "default" {
for_each = ( for_each = (
contains(local.available_services, "compute.googleapis.com") ? var.compute_metadata : {} contains(local.available_services, "compute.googleapis.com") ? var.compute_metadata : {}

2
modules/project/organization-policies.tf
View File

@@ -193,4 +193,6 @@ resource "google_org_policy_policy" "default" {
} }
} }
} }
depends_on = [google_project_service.org_policy_service]
} }

12
tests/fast/stages/s0_org_setup/hardened.yaml
View File

@@ -2096,12 +2096,6 @@ values:
project: ft0-prod-iac-core-0 project: ft0-prod-iac-core-0
service: networksecurity.googleapis.com service: networksecurity.googleapis.com
timeouts: null timeouts: null
module.factory.module.projects["iac-0"].google_project_service.project_services["orgpolicy.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: ft0-prod-iac-core-0
service: orgpolicy.googleapis.com
timeouts: null
module.factory.module.projects["iac-0"].google_project_service.project_services["pubsub.googleapis.com"]: module.factory.module.projects["iac-0"].google_project_service.project_services["pubsub.googleapis.com"]:
disable_dependent_services: false disable_dependent_services: false
disable_on_destroy: false disable_on_destroy: false
@@ -2120,6 +2114,12 @@ values:
project: ft0-prod-iac-core-0 project: ft0-prod-iac-core-0
service: servicenetworking.googleapis.com service: servicenetworking.googleapis.com
timeouts: null timeouts: null
module.factory.module.projects["iac-0"].google_project_service.org_policy_service[0]:
disable_dependent_services: false
disable_on_destroy: false
project: ft0-prod-iac-core-0
service: orgpolicy.googleapis.com
timeouts: null
module.factory.module.projects["iac-0"].google_project_service.project_services["serviceusage.googleapis.com"]: module.factory.module.projects["iac-0"].google_project_service.project_services["serviceusage.googleapis.com"]:
disable_dependent_services: false disable_dependent_services: false
disable_on_destroy: false disable_on_destroy: false

12
tests/fast/stages/s0_org_setup/simple.yaml
View File

@@ -1325,12 +1325,6 @@ values:
project: ft0-prod-iac-core-0 project: ft0-prod-iac-core-0
service: networksecurity.googleapis.com service: networksecurity.googleapis.com
timeouts: null timeouts: null
module.factory.module.projects["iac-0"].google_project_service.project_services["orgpolicy.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: ft0-prod-iac-core-0
service: orgpolicy.googleapis.com
timeouts: null
module.factory.module.projects["iac-0"].google_project_service.project_services["pubsub.googleapis.com"]: module.factory.module.projects["iac-0"].google_project_service.project_services["pubsub.googleapis.com"]:
disable_dependent_services: false disable_dependent_services: false
disable_on_destroy: false disable_on_destroy: false
@@ -1343,6 +1337,12 @@ values:
project: ft0-prod-iac-core-0 project: ft0-prod-iac-core-0
service: servicenetworking.googleapis.com service: servicenetworking.googleapis.com
timeouts: null timeouts: null
module.factory.module.projects["iac-0"].google_project_service.org_policy_service[0]:
disable_dependent_services: false
disable_on_destroy: false
project: ft0-prod-iac-core-0
service: orgpolicy.googleapis.com
timeouts: null
module.factory.module.projects["iac-0"].google_project_service.project_services["serviceusage.googleapis.com"]: module.factory.module.projects["iac-0"].google_project_service.project_services["serviceusage.googleapis.com"]:
disable_dependent_services: false disable_dependent_services: false
disable_on_destroy: false disable_on_destroy: false

3
tests/modules/organization/test_plan_org_policies_modules.py
View File

@@ -39,6 +39,9 @@ def test_policy_implementation():
'- parent = "projects/${local.project.project_id}"\n', '- parent = "projects/${local.project.project_id}"\n',
'+ name = "${local.folder_id}/policies/${each.value}"\n', '+ name = "${local.folder_id}/policies/${each.value}"\n',
'+ parent = local.folder_id\n', '+ parent = local.folder_id\n',
'@@ -196,2 +195,0 @@\n',
'-\n',
'- depends_on = [google_project_service.org_policy_service]\n',
] ]
diff2 = difflib.unified_diff(lines['folder'], lines['organization'], 'folder', diff2 = difflib.unified_diff(lines['folder'], lines['organization'], 'folder',