Merge remote-tracking branch 'origin/mc-parameterized' into mc-parameterized

nehalk-tf · nehalk-tf · commit 321989e77dcc · 2024-12-09T22:04:00.000Z
diff --git a/mmv1/products/orgpolicy/Policy.yaml b/mmv1/products/orgpolicy/Policy.yaml
@@ -57,7 +57,6 @@ examples:
   - name: 'org_policy_policy_parameters_enforce'
     primary_resource_id: 'primary'
     exclude_test: true
-    min_version: 'beta'
 parameters:
   - name: 'parent'
     type: String
@@ -127,7 +126,6 @@ properties:
               custom_expand: 'templates/terraform/custom_expand/enum_bool.go.tmpl'
             - name: 'parameters'
               description: 'Optional. Required for Managed Constraints if parameters defined in constraints. Pass parameter values when policy enforcement is enabled. Ensure that parameter value types match those defined in the constraint definition. For example: { \"allowedLocations\" : [\"us-east1\", \"us-west1\"], \"allowAll\" : true }'
-              min_version: beta
               custom_flatten: 'templates/terraform/custom_flatten/json_schema.tmpl'
               custom_expand: 'templates/terraform/custom_expand/json_schema.tmpl'
               state_func: 'func(v interface{}) string { s, _ := structure.NormalizeJsonString(v); return s }'
@@ -211,7 +209,6 @@ properties:
               custom_expand: 'templates/terraform/custom_expand/enum_bool.go.tmpl'
             - name: 'parameters'
               description: 'Optional. Required for Managed Constraints if parameters defined in constraints. Pass parameter values when policy enforcement is enabled. Ensure that parameter value types match those defined in the constraint definition. For example: { \"allowedLocations\" : [\"us-east1\", \"us-west1\"], \"allowAll\" : true }'
-              min_version: beta
               custom_flatten: 'templates/terraform/custom_flatten/json_schema.tmpl'
               custom_expand: 'templates/terraform/custom_expand/json_schema.tmpl'
               state_func: 'func(v interface{}) string { s, _ := structure.NormalizeJsonString(v); return s }'
diff --git a/mmv1/templates/terraform/examples/org_policy_policy_parameters_enforce.tf.tmpl b/mmv1/templates/terraform/examples/org_policy_policy_parameters_enforce.tf.tmpl
@@ -1,15 +1,11 @@
 resource "google_org_policy_policy" "primary" {
-  provider = google-beta
-  name     = "projects/${google_project.basic.name}/policies/iam.managed.disableServiceAccountKeyUpload"
+  name     = "projects/${google_project.basic.name}/policies/compute.managed.restrictDiskCreation"
   parent   = "projects/${google_project.basic.name}"
 
   spec {
     rules {
-      enforce = "FALSE"
-      parameters {
-      	"allowAll" : true
-	"allowedLocations" : ["us-east1", "us-west1"]
-      }
+      enforce = "TRUE"
+      parameters = jsonencode({"isSizeLimitCheck" : true, "allowedDiskTypes" : ["pd-ssd", "pd-standard"]})
     }
   }
 }
diff --git a/mmv1/third_party/terraform/services/orgpolicy/resource_org_policy_policy_test.go b/mmv1/third_party/terraform/services/orgpolicy/resource_org_policy_policy_test.go
@@ -458,20 +458,95 @@ func testAccCheckOrgPolicyPolicyDestroyProducer(t *testing.T) func(s *terraform.
 		return nil
 	}
 }
+func TestAccOrgPolicyPolicy_EnforceParameterizedMCPolicy(t *testing.T) {
+	// Skip this test as no constraints yet launched in production, verified functionality with manual testing.
+	t.Skip()
+	t.Parallel()
 
+	context := map[string]interface{}{
+		"org_id":        envvar.GetTestOrgFromEnv(t),
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckOrgPolicyPolicyDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccOrgPolicyPolicy_EnforceParameterizedMCPolicy(context),
+			},
+			{
+				ResourceName:            "google_org_policy_policy.primary",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"name", "spec.0.rules.0.condition.0.expression"},
+			},
+		},
+	})
+}
 func testAccOrgPolicyPolicy_EnforceParameterizedMCPolicy(context map[string]interface{}) string {
-        return acctest.Nprintf(`
+	return acctest.Nprintf(`
 resource "google_org_policy_policy" "primary" {
-  name   = "projects/${google_project.basic.name}/policies/constraints/compute.managed.restrictDiskCreation"
+  name   = "projects/${google_project.basic.name}/policies/essentialcontacts.managed.allowedContactDomains"
   parent = "projects/${google_project.basic.name}"
 
   spec {
     rules {
       enforce = "TRUE"
-      parameters {
-	"isSizeLimitCheck" = True,
-        "allowedDiskTypes" = ["pd-ssd"]
-      }
+      parameters = "{\"allowedDomains\": [\"@google.com\"]}"
+    }
+  }
+}
+
+resource "google_project" "basic" {
+  project_id = "tf-test-id%{random_suffix}"
+  name       = "tf-test-id%{random_suffix}"
+  org_id     = "%{org_id}"
+  deletion_policy = "DELETE"
+}
+
+
+`, context)
+}
+
+func TestAccOrgPolicyPolicy_EnforceParameterizedMCDryRunPolicy(t *testing.T) {
+	// Skip this test as no constraints yet launched in production, verified functionality with manual testing.
+	t.Skip()
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"org_id":        envvar.GetTestOrgFromEnv(t),
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckOrgPolicyPolicyDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccOrgPolicyPolicy_EnforceParameterizedMCDryRunPolicy(context),
+			},
+			{
+				ResourceName:            "google_org_policy_policy.primary",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"name", "spec.0.rules.0.condition.0.expression"},
+			},
+		},
+	})
+}
+func testAccOrgPolicyPolicy_EnforceParameterizedMCDryRunPolicy(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_org_policy_policy" "primary" {
+  name   = "projects/${google_project.basic.name}/policies/essentialcontacts.managed.allowedContactDomains"
+  parent = "projects/${google_project.basic.name}"
+
+  dry_run_spec {
+    rules {
+      enforce = "TRUE"
+      parameters = "{\"allowedDomains\": [\"@google.com\"]}"
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -1,15 +1,11 @@`
`1`	`1`	`resource "google_org_policy_policy" "primary" {`
`2`		`- provider = google-beta`
`3`		`- name = "projects/${google_project.basic.name}/policies/iam.managed.disableServiceAccountKeyUpload"`
	`2`	`+ name = "projects/${google_project.basic.name}/policies/compute.managed.restrictDiskCreation"`
`4`	`3`	`parent = "projects/${google_project.basic.name}"`
`5`	`4`
`6`	`5`	`spec {`
`7`	`6`	`rules {`
`8`		`- enforce = "FALSE"`
`9`		`- parameters {`
`10`		`- "allowAll" : true`
`11`		`- "allowedLocations" : ["us-east1", "us-west1"]`
`12`		`- }`
	`7`	`+ enforce = "TRUE"`
	`8`	`+ parameters = jsonencode({"isSizeLimitCheck" : true, "allowedDiskTypes" : ["pd-ssd", "pd-standard"]})`
`13`	`9`	`}`
`14`	`10`	`}`
`15`	`11`	`}`