diff --git a/tests/modules/folder/fixture/test.orgpolicies-boolean.tfvars b/tests/modules/folder/fixture/test.orgpolicies-boolean.tfvars
new file mode 100644
index 000000000..eceafe6d2
--- /dev/null
+++ b/tests/modules/folder/fixture/test.orgpolicies-boolean.tfvars
@@ -0,0 +1,19 @@
+org_policies = {
+ "iam.disableServiceAccountKeyCreation" = {
+ enforce = true
+ }
+ "iam.disableServiceAccountKeyUpload" = {
+ enforce = false
+ rules = [
+ {
+ condition = {
+ expression = "resource.matchTagId(aa, bb)"
+ title = "condition"
+ description = "test condition"
+ location = "xxx"
+ }
+ enforce = true
+ }
+ ]
+ }
+}
diff --git a/tests/modules/folder/fixture/test.orgpolicies-list.tfvars b/tests/modules/folder/fixture/test.orgpolicies-list.tfvars
new file mode 100644
index 000000000..738071733
--- /dev/null
+++ b/tests/modules/folder/fixture/test.orgpolicies-list.tfvars
@@ -0,0 +1,37 @@
+org_policies = {
+ "compute.vmExternalIpAccess" = {
+ deny = { all = true }
+ }
+ "iam.allowedPolicyMemberDomains" = {
+ allow = {
+ values = ["C0xxxxxxx", "C0yyyyyyy"]
+ }
+ }
+ "compute.restrictLoadBalancerCreationForTypes" = {
+ deny = { values = ["in:EXTERNAL"] }
+ rules = [
+ {
+ condition = {
+ expression = "resource.matchTagId(aa, bb)"
+ title = "condition"
+ description = "test condition"
+ location = "xxx"
+ }
+ allow = {
+ values = ["EXTERNAL_1"]
+ }
+ },
+ {
+ condition = {
+ expression = "resource.matchTagId(cc, dd)"
+ title = "condition2"
+ description = "test condition2"
+ location = "xxx"
+ }
+ allow = {
+ all = true
+ }
+ }
+ ]
+ }
+}
diff --git a/tests/modules/folder/test_plan_org_policies.py b/tests/modules/folder/test_plan_org_policies.py
index 0a6b97290..d4e4559d0 100644
--- a/tests/modules/folder/test_plan_org_policies.py
+++ b/tests/modules/folder/test_plan_org_policies.py
@@ -12,244 +12,32 @@ # See the License for the specific language governing permissions and # limitations under the License. -import hcl2 -import yaml - -BOOLEAN_POLICIES = '''{ - "iam.disableServiceAccountKeyCreation" = { - enforce = true - } - "iam.disableServiceAccountKeyUpload" = { - enforce = false - rules = [ - { - condition = { - expression = "resource.matchTagId(aa, bb)" - title = "condition" - description = "test condition" - location = "xxx" - } - enforce = true - } - ] - } -}''' - -LIST_POLICIES = '''{ - "compute.vmExternalIpAccess" = { - deny = { all = true } - } - "iam.allowedPolicyMemberDomains" = { - allow = { - values = ["C0xxxxxxx", "C0yyyyyyy"] - } - } - "compute.restrictLoadBalancerCreationForTypes" = { - deny = { values = ["in:EXTERNAL"] } - rules = [ - { - condition = { - expression = "resource.matchTagId(aa, bb)" - title = "condition" - description = "test condition" - location = "xxx" - } - allow = { - values = ["EXTERNAL_1"] - } - }, - { - condition = { - expression = "resource.matchTagId(cc, dd)" - title = "condition2" - description = "test condition2" - location = "xxx" - } - allow = { - all = true - } - } - ] - } -}''' +from .validate_policies import validate_policy_boolean, validate_policy_list def test_policy_boolean(plan_runner): "Test boolean org policy." - _, resources = plan_runner(org_policies=BOOLEAN_POLICIES) - validate_policy_boolean_resources(resources) + tfvars = 'test.orgpolicies-boolean.tfvars' + _, resources = plan_runner(tf_var_file=tfvars) + validate_policy_boolean(resources) def test_policy_list(plan_runner): "Test list org policy." 
- _, resources = plan_runner(org_policies=LIST_POLICIES) - validate_policy_list_resources(resources) + tfvars = 'test.orgpolicies-list.tfvars' + _, resources = plan_runner(tf_var_file=tfvars) + validate_policy_list(resources) -def test_policy_boolean_factory(plan_runner, tmp_path): - # convert hcl policies to yaml - hcl_policies = f'p = {BOOLEAN_POLICIES}' - yaml_policies = yaml.dump(hcl2.loads(hcl_policies)['p']) - - yaml_file = tmp_path / 'policies.yaml' - yaml_file.write_text(yaml_policies) - +def test_factory_policy_boolean(plan_runner, tfvars_to_yaml, tmp_path): + dest = tmp_path / 'policies.yaml' + tfvars_to_yaml('test.orgpolicies-boolean.tfvars', dest, 'org_policies') _, resources = plan_runner(org_policies_data_path=f'"{tmp_path}"') - validate_policy_boolean_resources(resources) + validate_policy_boolean(resources) -def test_policy_list_factory(plan_runner, tmp_path): - # convert hcl policies to yaml - hcl_policies = f'p = {LIST_POLICIES}' - yaml_policies = yaml.dump(hcl2.loads(hcl_policies)['p']) - - yaml_file = tmp_path / 'policies.yaml' - yaml_file.write_text(yaml_policies) - +def test_factory_policy_list(plan_runner, tfvars_to_yaml, tmp_path): + dest = tmp_path / 'policies.yaml' + tfvars_to_yaml('test.orgpolicies-list.tfvars', dest, 'org_policies') _, resources = plan_runner(org_policies_data_path=f'"{tmp_path}"') - validate_policy_list_resources(resources) - - -def validate_policy_boolean_resources(resources): - assert len(resources) == 3 - policies = [r for r in resources if r['type'] == 'google_org_policy_policy'] - assert len(policies) == 2 - - p1 = [ - r['values']['spec'][0] - for r in policies - if r['index'] == 'iam.disableServiceAccountKeyCreation' - ][0] - - assert p1['inherit_from_parent'] is None - assert p1['reset'] is None - assert p1['rules'] == [{ - 'allow_all': None, - 'condition': [], - 'deny_all': None, - 'enforce': 'TRUE', - 'values': [] - }] - - p2 = [ - r['values']['spec'][0] - for r in policies - if r['index'] == 
'iam.disableServiceAccountKeyUpload' - ][0] - - assert p2['inherit_from_parent'] is None - assert p2['reset'] is None - assert len(p2['rules']) == 2 - assert p2['rules'][0] == { - 'allow_all': None, - 'condition': [], - 'deny_all': None, - 'enforce': 'FALSE', - 'values': [] - } - assert p2['rules'][1] == { - 'allow_all': None, - 'condition': [{ - 'description': 'test condition', - 'expression': 'resource.matchTagId(aa, bb)', - 'location': 'xxx', - 'title': 'condition' - }], - 'deny_all': None, - 'enforce': 'TRUE', - 'values': [] - } - - -def validate_policy_list_resources(resources): - assert len(resources) == 4 - - policies = [r for r in resources if r['type'] == 'google_org_policy_policy'] - assert len(policies) == 3 - - p1 = [ - r['values']['spec'][0] - for r in policies - if r['index'] == 'compute.vmExternalIpAccess' - ][0] - assert p1['inherit_from_parent'] is None - assert p1['reset'] is None - assert p1['rules'] == [{ - 'allow_all': None, - 'condition': [], - 'deny_all': 'TRUE', - 'enforce': None, - 'values': [] - }] - - p2 = [ - r['values']['spec'][0] - for r in policies - if r['index'] == 'iam.allowedPolicyMemberDomains' - ][0] - assert p2['inherit_from_parent'] is None - assert p2['reset'] is None - assert p2['rules'] == [{ - 'allow_all': - None, - 'condition': [], - 'deny_all': - None, - 'enforce': - None, - 'values': [{ - 'allowed_values': [ - 'C0xxxxxxx', - 'C0yyyyyyy', - ], - 'denied_values': None - }] - }] - - p3 = [ - r['values']['spec'][0] - for r in policies - if r['index'] == 'compute.restrictLoadBalancerCreationForTypes' - ][0] - assert p3['inherit_from_parent'] is None - assert p3['reset'] is None - assert len(p3['rules']) == 3 - assert p3['rules'][0] == { - 'allow_all': None, - 'condition': [], - 'deny_all': None, - 'enforce': None, - 'values': [{ - 'allowed_values': None, - 'denied_values': ['in:EXTERNAL'] - }] - } - - assert p3['rules'][1] == { - 'allow_all': None, - 'condition': [{ - 'description': 'test condition', - 'expression': 
'resource.matchTagId(aa, bb)', - 'location': 'xxx', - 'title': 'condition' - }], - 'deny_all': None, - 'enforce': None, - 'values': [{ - 'allowed_values': ['EXTERNAL_1'], - 'denied_values': None - }] - } - - assert p3['rules'][2] == { - 'allow_all': 'TRUE', - 'condition': [{ - 'description': 'test condition2', - 'expression': 'resource.matchTagId(cc, dd)', - 'location': 'xxx', - 'title': 'condition2' - }], - 'deny_all': None, - 'enforce': None, - 'values': [] - } + validate_policy_list(resources) diff --git a/tests/modules/folder/validate_policies.py b/tests/modules/folder/validate_policies.py new file mode 100644 index 000000000..385898b17 --- /dev/null +++ b/tests/modules/folder/validate_policies.py 
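Review bot: test_factory_policy_boolean and test_factory_policy_list are added without a docstring, while test_policy_boolean and test_policy_list directly above them keep theirs; add `"Test boolean org policy via the YAML factory."` and `"Test list org policy via the YAML factory."` so the four cases read consistently. The fixture file names are also repeated as literals between the direct and factory variants; a module constant such as `BOOLEAN_TFVARS = 'test.orgpolicies-boolean.tfvars'` used by both would keep them from drifting. The new `from .validate_policies import ...` is a relative import, so it presumably relies on tests/modules/folder being importable as a package (an __init__.py or pytest's import mode) — not visible here, worth confirming. The identical hunk in tests/modules/project/test_plan_org_policies.py has the same points.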
@@ -0,0 +1,158 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +def validate_policy_boolean(resources): + assert len(resources) == 3 + policies = [r for r in resources if r['type'] == 'google_org_policy_policy'] + assert len(policies) == 2 + + p1 = [ + r['values']['spec'][0] + for r in policies + if r['index'] == 'iam.disableServiceAccountKeyCreation' + ][0] + + assert p1['inherit_from_parent'] is None + assert p1['reset'] is None + assert p1['rules'] == [{ + 'allow_all': None, + 'condition': [], + 'deny_all': None, + 'enforce': 'TRUE', + 'values': [] + }] + + p2 = [ + r['values']['spec'][0] + for r in policies + if r['index'] == 'iam.disableServiceAccountKeyUpload' + ][0] + + assert p2['inherit_from_parent'] is None + assert p2['reset'] is None + assert len(p2['rules']) == 2 + assert p2['rules'][0] == { + 'allow_all': None, + 'condition': [], + 'deny_all': None, + 'enforce': 'FALSE', + 'values': [] + } + assert p2['rules'][1] == { + 'allow_all': None, + 'condition': [{ + 'description': 'test condition', + 'expression': 'resource.matchTagId(aa, bb)', + 'location': 'xxx', + 'title': 'condition' + }], + 'deny_all': None, + 'enforce': 'TRUE', + 'values': [] + } + + +def validate_policy_list(resources): + assert len(resources) == 4 + + policies = [r for r in resources if r['type'] == 'google_org_policy_policy'] + assert len(policies) == 3 + + p1 = [ + r['values']['spec'][0] + for r in policies + if r['index'] == 
'compute.vmExternalIpAccess' + ][0] + assert p1['inherit_from_parent'] is None + assert p1['reset'] is None + assert p1['rules'] == [{ + 'allow_all': None, + 'condition': [], + 'deny_all': 'TRUE', + 'enforce': None, + 'values': [] + }] + + p2 = [ + r['values']['spec'][0] + for r in policies + if r['index'] == 'iam.allowedPolicyMemberDomains' + ][0] + assert p2['inherit_from_parent'] is None + assert p2['reset'] is None + assert p2['rules'] == [{ + 'allow_all': + None, + 'condition': [], + 'deny_all': + None, + 'enforce': + None, + 'values': [{ + 'allowed_values': [ + 'C0xxxxxxx', + 'C0yyyyyyy', + ], + 'denied_values': None + }] + }] + + p3 = [ + r['values']['spec'][0] + for r in policies + if r['index'] == 'compute.restrictLoadBalancerCreationForTypes' + ][0] + assert p3['inherit_from_parent'] is None + assert p3['reset'] is None + assert len(p3['rules']) == 3 + assert p3['rules'][0] == { + 'allow_all': None, + 'condition': [], + 'deny_all': None, + 'enforce': None, + 'values': [{ + 'allowed_values': None, + 'denied_values': ['in:EXTERNAL'] + }] + } + + assert p3['rules'][1] == { + 'allow_all': None, + 'condition': [{ + 'description': 'test condition', + 'expression': 'resource.matchTagId(aa, bb)', + 'location': 'xxx', + 'title': 'condition' + }], + 'deny_all': None, + 'enforce': None, + 'values': [{ + 'allowed_values': ['EXTERNAL_1'], + 'denied_values': None + }] + } + + assert p3['rules'][2] == { + 'allow_all': 'TRUE', + 'condition': [{ + 'description': 'test condition2', + 'expression': 'resource.matchTagId(cc, dd)', + 'location': 'xxx', + 'title': 'condition2' + }], + 'deny_all': None, + 'enforce': None, + 'values': [] + } diff --git a/tests/modules/organization/test_plan_org_policies_modules.py b/tests/modules/organization/test_plan_org_policies_modules.py index d2a5e097e..8bc3a390b 100644 --- a/tests/modules/organization/test_plan_org_policies_modules.py +++ b/tests/modules/organization/test_plan_org_policies_modules.py 
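Review bot: validate_policy_boolean and validate_policy_list never check which parent the google_org_policy_policy resources are attached to, whereas the project counterpart in tests/modules/project/validate_policies.py asserts `all(x['values']['parent'] == 'projects/my-project' for x in policies)`; without it a policy rendered against the wrong folder would still pass here. Add the same assertion after the `len(policies)` checks, using the folder name the plan fixture produces (not visible in this diff — take it from the plan output). The `[...][0]` lookups in both helpers (and in the project copy) also turn a missing policy into an IndexError rather than an assertion failure; `specs = {r['index']: r['values']['spec'][0] for r in policies}` followed by `assert set(specs) == {...}` fails with a readable message instead. A one-line docstring on each helper stating what `resources` is (presumably the plan resource list returned by plan_runner) would help the next reader.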
@@ -72,7 +72,8 @@ def test_policy_implementation():
 '- name = "${local.folder.name}/policies/${k}"\n',
 '- parent = local.folder.name\n',
 '+ name = "${var.organization_id}/policies/${k}"\n',
- '+ parent = var.organization_id\n', ' \n',
+ '+ parent = var.organization_id\n',
+ ' \n',
 ' is_boolean_policy = v.allow == null && v.deny == null\n',
 ' has_values = (\n',
 '@@ -143,4 +143,13 @@\n',
@@ -88,5 +89,5 @@ def test_policy_implementation():
 '+ google_organization_iam_policy.authoritative,\n',
 '+ google_org_policy_custom_constraint.constraint,\n',
 '+ ]\n',
- ' }\n'
+ ' }\n',
 ]
diff --git a/tests/modules/project/fixture/test.orgpolicies-boolean.tfvars b/tests/modules/project/fixture/test.orgpolicies-boolean.tfvars
new file mode 100644
index 000000000..eceafe6d2
--- /dev/null
+++ b/tests/modules/project/fixture/test.orgpolicies-boolean.tfvars
@@ -0,0 +1,19 @@
+org_policies = {
+ "iam.disableServiceAccountKeyCreation" = {
+ enforce = true
+ }
+ "iam.disableServiceAccountKeyUpload" = {
+ enforce = false
+ rules = [
+ {
+ condition = {
+ expression = "resource.matchTagId(aa, bb)"
+ title = "condition"
+ description = "test condition"
+ location = "xxx"
+ }
+ enforce = true
+ }
+ ]
+ }
+}
diff --git a/tests/modules/project/fixture/test.orgpolicies-list.tfvars b/tests/modules/project/fixture/test.orgpolicies-list.tfvars
new file mode 100644
index 000000000..738071733
--- /dev/null
+++ b/tests/modules/project/fixture/test.orgpolicies-list.tfvars
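Review bot: tests/modules/project/fixture/test.orgpolicies-boolean.tfvars is a byte-for-byte copy of the folder fixture added at the top of this diff (both index 000000000..eceafe6d2), and test.orgpolicies-list.tfvars below duplicates the folder list fixture the same way (738071733). If plan_runner and tfvars_to_yaml can be pointed at a path outside the module's fixture directory, one shared copy would keep the two modules testing the same input; if they cannot, a leading `# Keep in sync with tests/modules/folder/fixture/test.orgpolicies-boolean.tfvars` comment in each copy at least records the coupling.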
@@ -0,0 +1,37 @@
+org_policies = {
+ "compute.vmExternalIpAccess" = {
+ deny = { all = true }
+ }
+ "iam.allowedPolicyMemberDomains" = {
+ allow = {
+ values = ["C0xxxxxxx", "C0yyyyyyy"]
+ }
+ }
+ "compute.restrictLoadBalancerCreationForTypes" = {
+ deny = { values = ["in:EXTERNAL"] }
+ rules = [
+ {
+ condition = {
+ expression = "resource.matchTagId(aa, bb)"
+ title = "condition"
+ description = "test condition"
+ location = "xxx"
+ }
+ allow = {
+ values = ["EXTERNAL_1"]
+ }
+ },
+ {
+ condition = {
+ expression = "resource.matchTagId(cc, dd)"
+ title = "condition2"
+ description = "test condition2"
+ location = "xxx"
+ }
+ allow = {
+ all = true
+ }
+ }
+ ]
+ }
+}
diff --git a/tests/modules/project/test_plan_org_policies.py b/tests/modules/project/test_plan_org_policies.py
index 284944676..d4e4559d0 100644
--- a/tests/modules/project/test_plan_org_policies.py
+++ b/tests/modules/project/test_plan_org_policies.py
@@ -12,246 +12,32 @@ # See the License for the specific language governing permissions and # limitations under the License. -import hcl2 -import yaml - -BOOLEAN_POLICIES = '''{ - "iam.disableServiceAccountKeyCreation" = { - enforce = true - } - "iam.disableServiceAccountKeyUpload" = { - enforce = false - rules = [ - { - condition = { - expression = "resource.matchTagId(aa, bb)" - title = "condition" - description = "test condition" - location = "xxx" - } - enforce = true - } - ] - } -}''' - -LIST_POLICIES = '''{ - "compute.vmExternalIpAccess" = { - deny = { all = true } - } - "iam.allowedPolicyMemberDomains" = { - allow = { - values = ["C0xxxxxxx", "C0yyyyyyy"] - } - } - "compute.restrictLoadBalancerCreationForTypes" = { - deny = { values = ["in:EXTERNAL"] } - rules = [ - { - condition = { - expression = "resource.matchTagId(aa, bb)" - title = "condition" - description = "test condition" - location = "xxx" - } - allow = { - values = ["EXTERNAL_1"] - } - }, - { - condition = { - expression = "resource.matchTagId(cc, dd)" - title = "condition2" - description = "test condition2" - location = "xxx" - } - allow = { - all = true - } - } - ] - } -}''' +from .validate_policies import validate_policy_boolean, validate_policy_list def test_policy_boolean(plan_runner): "Test boolean org policy." - _, resources = plan_runner(org_policies=BOOLEAN_POLICIES) - validate_policy_boolean_resources(resources) + tfvars = 'test.orgpolicies-boolean.tfvars' + _, resources = plan_runner(tf_var_file=tfvars) + validate_policy_boolean(resources) def test_policy_list(plan_runner): "Test list org policy." 
- _, resources = plan_runner(org_policies=LIST_POLICIES) - validate_policy_list_resources(resources) + tfvars = 'test.orgpolicies-list.tfvars' + _, resources = plan_runner(tf_var_file=tfvars) + validate_policy_list(resources) -def test_policy_boolean_factory(plan_runner, tmp_path): - # convert hcl policies to yaml - hcl_policies = f'p = {BOOLEAN_POLICIES}' - yaml_policies = yaml.dump(hcl2.loads(hcl_policies)['p']) - - yaml_file = tmp_path / 'policies.yaml' - yaml_file.write_text(yaml_policies) - +def test_factory_policy_boolean(plan_runner, tfvars_to_yaml, tmp_path): + dest = tmp_path / 'policies.yaml' + tfvars_to_yaml('test.orgpolicies-boolean.tfvars', dest, 'org_policies') _, resources = plan_runner(org_policies_data_path=f'"{tmp_path}"') - validate_policy_boolean_resources(resources) + validate_policy_boolean(resources) -def test_policy_list_factory(plan_runner, tmp_path): - # convert hcl policies to yaml - hcl_policies = f'p = {LIST_POLICIES}' - yaml_policies = yaml.dump(hcl2.loads(hcl_policies)['p']) - - yaml_file = tmp_path / 'policies.yaml' - yaml_file.write_text(yaml_policies) - +def test_factory_policy_list(plan_runner, tfvars_to_yaml, tmp_path): + dest = tmp_path / 'policies.yaml' + tfvars_to_yaml('test.orgpolicies-list.tfvars', dest, 'org_policies') _, resources = plan_runner(org_policies_data_path=f'"{tmp_path}"') - validate_policy_list_resources(resources) - - -def validate_policy_boolean_resources(resources): - assert len(resources) == 6 - policies = [r for r in resources if r['type'] == 'google_org_policy_policy'] - assert len(policies) == 2 - assert all(x['values']['parent'] == 'projects/my-project' for x in policies) - - p1 = [ - r['values']['spec'][0] - for r in policies - if r['index'] == 'iam.disableServiceAccountKeyCreation' - ][0] - - assert p1['inherit_from_parent'] is None - assert p1['reset'] is None - assert p1['rules'] == [{ - 'allow_all': None, - 'condition': [], - 'deny_all': None, - 'enforce': 'TRUE', - 'values': [] - }] - - p2 = [ - 
r['values']['spec'][0] - for r in policies - if r['index'] == 'iam.disableServiceAccountKeyUpload' - ][0] - - assert p2['inherit_from_parent'] is None - assert p2['reset'] is None - assert len(p2['rules']) == 2 - assert p2['rules'][0] == { - 'allow_all': None, - 'condition': [], - 'deny_all': None, - 'enforce': 'FALSE', - 'values': [] - } - assert p2['rules'][1] == { - 'allow_all': None, - 'condition': [{ - 'description': 'test condition', - 'expression': 'resource.matchTagId(aa, bb)', - 'location': 'xxx', - 'title': 'condition' - }], - 'deny_all': None, - 'enforce': 'TRUE', - 'values': [] - } - - -def validate_policy_list_resources(resources): - assert len(resources) == 7 - - policies = [r for r in resources if r['type'] == 'google_org_policy_policy'] - assert len(policies) == 3 - assert all(x['values']['parent'] == 'projects/my-project' for x in policies) - - p1 = [ - r['values']['spec'][0] - for r in policies - if r['index'] == 'compute.vmExternalIpAccess' - ][0] - assert p1['inherit_from_parent'] is None - assert p1['reset'] is None - assert p1['rules'] == [{ - 'allow_all': None, - 'condition': [], - 'deny_all': 'TRUE', - 'enforce': None, - 'values': [] - }] - - p2 = [ - r['values']['spec'][0] - for r in policies - if r['index'] == 'iam.allowedPolicyMemberDomains' - ][0] - assert p2['inherit_from_parent'] is None - assert p2['reset'] is None - assert p2['rules'] == [{ - 'allow_all': - None, - 'condition': [], - 'deny_all': - None, - 'enforce': - None, - 'values': [{ - 'allowed_values': [ - 'C0xxxxxxx', - 'C0yyyyyyy', - ], - 'denied_values': None - }] - }] - - p3 = [ - r['values']['spec'][0] - for r in policies - if r['index'] == 'compute.restrictLoadBalancerCreationForTypes' - ][0] - assert p3['inherit_from_parent'] is None - assert p3['reset'] is None - assert len(p3['rules']) == 3 - assert p3['rules'][0] == { - 'allow_all': None, - 'condition': [], - 'deny_all': None, - 'enforce': None, - 'values': [{ - 'allowed_values': None, - 'denied_values': 
['in:EXTERNAL'] - }] - } - - assert p3['rules'][1] == { - 'allow_all': None, - 'condition': [{ - 'description': 'test condition', - 'expression': 'resource.matchTagId(aa, bb)', - 'location': 'xxx', - 'title': 'condition' - }], - 'deny_all': None, - 'enforce': None, - 'values': [{ - 'allowed_values': ['EXTERNAL_1'], - 'denied_values': None - }] - } - - assert p3['rules'][2] == { - 'allow_all': 'TRUE', - 'condition': [{ - 'description': 'test condition2', - 'expression': 'resource.matchTagId(cc, dd)', - 'location': 'xxx', - 'title': 'condition2' - }], - 'deny_all': None, - 'enforce': None, - 'values': [] - } + validate_policy_list(resources) diff --git a/tests/modules/project/validate_policies.py b/tests/modules/project/validate_policies.py new file mode 100644 index 000000000..0fd038371 --- /dev/null +++ b/tests/modules/project/validate_policies.py 
@@ -0,0 +1,160 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +def validate_policy_boolean(resources): + assert len(resources) == 6 + policies = [r for r in resources if r['type'] == 'google_org_policy_policy'] + assert len(policies) == 2 + assert all(x['values']['parent'] == 'projects/my-project' for x in policies) + + p1 = [ + r['values']['spec'][0] + for r in policies + if r['index'] == 'iam.disableServiceAccountKeyCreation' + ][0] + + assert p1['inherit_from_parent'] is None + assert p1['reset'] is None + assert p1['rules'] == [{ + 'allow_all': None, + 'condition': [], + 'deny_all': None, + 'enforce': 'TRUE', + 'values': [] + }] + + p2 = [ + r['values']['spec'][0] + for r in policies + if r['index'] == 'iam.disableServiceAccountKeyUpload' + ][0] + + assert p2['inherit_from_parent'] is None + assert p2['reset'] is None + assert len(p2['rules']) == 2 + assert p2['rules'][0] == { + 'allow_all': None, + 'condition': [], + 'deny_all': None, + 'enforce': 'FALSE', + 'values': [] + } + assert p2['rules'][1] == { + 'allow_all': None, + 'condition': [{ + 'description': 'test condition', + 'expression': 'resource.matchTagId(aa, bb)', + 'location': 'xxx', + 'title': 'condition' + }], + 'deny_all': None, + 'enforce': 'TRUE', + 'values': [] + } + + +def validate_policy_list(resources): + assert len(resources) == 7 + + policies = [r for r in resources if r['type'] == 'google_org_policy_policy'] + assert len(policies) == 3 + assert 
all(x['values']['parent'] == 'projects/my-project' for x in policies) + + p1 = [ + r['values']['spec'][0] + for r in policies + if r['index'] == 'compute.vmExternalIpAccess' + ][0] + assert p1['inherit_from_parent'] is None + assert p1['reset'] is None + assert p1['rules'] == [{ + 'allow_all': None, + 'condition': [], + 'deny_all': 'TRUE', + 'enforce': None, + 'values': [] + }] + + p2 = [ + r['values']['spec'][0] + for r in policies + if r['index'] == 'iam.allowedPolicyMemberDomains' + ][0] + assert p2['inherit_from_parent'] is None + assert p2['reset'] is None + assert p2['rules'] == [{ + 'allow_all': + None, + 'condition': [], + 'deny_all': + None, + 'enforce': + None, + 'values': [{ + 'allowed_values': [ + 'C0xxxxxxx', + 'C0yyyyyyy', + ], + 'denied_values': None + }] + }] + + p3 = [ + r['values']['spec'][0] + for r in policies + if r['index'] == 'compute.restrictLoadBalancerCreationForTypes' + ][0] + assert p3['inherit_from_parent'] is None + assert p3['reset'] is None + assert len(p3['rules']) == 3 + assert p3['rules'][0] == { + 'allow_all': None, + 'condition': [], + 'deny_all': None, + 'enforce': None, + 'values': [{ + 'allowed_values': None, + 'denied_values': ['in:EXTERNAL'] + }] + } + + assert p3['rules'][1] == { + 'allow_all': None, + 'condition': [{ + 'description': 'test condition', + 'expression': 'resource.matchTagId(aa, bb)', + 'location': 'xxx', + 'title': 'condition' + }], + 'deny_all': None, + 'enforce': None, + 'values': [{ + 'allowed_values': ['EXTERNAL_1'], + 'denied_values': None + }] + } + + assert p3['rules'][2] == { + 'allow_all': 'TRUE', + 'condition': [{ + 'description': 'test condition2', + 'expression': 'resource.matchTagId(cc, dd)', + 'location': 'xxx', + 'title': 'condition2' + }], + 'deny_all': None, + 'enforce': None, + 'values': [] + }
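Review bot: `assert len(resources) == 6` at the top of validate_policy_boolean and `== 7` in validate_policy_list count every resource in the project plan, not only the policies, so any unrelated resource added to the project module fails the org policy tests with a bare length mismatch; the `len(policies)` assertions that follow already pin what these helpers are about. If the intent is to guard that policies add no extra resources, `assert len(resources) - len(policies) == 4` states that directly (the folder variant would use 1). This module otherwise differs from tests/modules/folder/validate_policies.py only by those counts and the parent check, so a shared helper taking the expected parent and base resource count as parameters would remove the duplication. A module docstring naming what `resources` is expected to be (presumably the resource list returned by plan_runner) would also help.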