feat: added org_policy_v2 as a submodule supporting conditions (#58)

* feat: added org_policy_v2 initial draft

* chore: removed readme

* chore: applied tf fmt

* chore: lint

* chore: lint

* feat: added new test framework for org policy v2

* chore: path

* chore: linting

* feat: added go files

* chore: tests updated

* chore: tests updated

* chore: test updated

* feat: updated fixtures

* feat: updated fixtures

* feat: updated outputs

* ft: added string output

* feat: added list test

* chore: lint and integration tests

* feat: updated build steps

* feat: updated build steps

* feat: added org policy

* chore: commented

* chore: commented

* chore: trigger

* chore: trigger reverted

* chore: added variable

* chore: added variable

* chore: docs and comments

* chore: terraform fmt

* chore: lint and comments

* chore: build step fix

* chore: build step fix

* chore: removed build and trigger

* fix: updated outputs

* chore: trigger build

* chore: trigger

* fix: cleanup environment

* fix: cleanup environment

* feat: updated logic and previous comments

* chore: retrigger

* debug: added sleep

* chore: retrigger

* fix: updated org id variable

* chore: updated readme

* Update modules/org_policy_v2/versions.tf

Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com>

* Update test/integration/v2_boolean_org_enforce/v2_boolean_org_enforce_test.go

Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com>

* chore: retrigger

Co-authored-by: Bharath KKB <bharathkrishnakb@gmail.com>

Author: prabhu34

.gitignore

@@ -46,3 +46,4 @@ credentials.json
 
 # tf lock file
 .terraform.lock.hcl
+

build/int.cloudbuild.yaml

@@ -21,21 +21,56 @@ steps:
   - 'TF_VAR_org_id=$_ORG_ID'
   - 'TF_VAR_folder_id=$_FOLDER_ID'
   - 'TF_VAR_billing_account=$_BILLING_ACCOUNT'
+- id: sleep
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'sleep 30']
+  waitFor:
+  - prepare
+# Ruby Test Framework - org policy v1 APIs
 - id: create
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create']
+  waitFor:
+  - sleep
 - id: converge
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge']
+  waitFor:
+  - create
 - id: verify
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify']
+  waitFor:
+  - converge
 - id: destroy
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy']
+  waitFor:
+  - verify
+ # Boolean Org Enforce Example Test
+- id: create all
+  waitFor:
+    - sleep
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestVersion2BooleanOrgEnforce --test-dir test/integration --stage init --verbose']
+- id: converge org-policy-v2
+  waitFor:
+    - create all
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestVersion2BooleanOrgEnforce --test-dir test/integration --stage apply --verbose']
+- id: verify org-policy-v2
+  waitFor:
+    - converge org-policy-v2
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestVersion2BooleanOrgEnforce --test-dir test/integration --stage verify --verbose']
+- id: destroy org-policy-v2
+  waitFor:
+    - verify org-policy-v2
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestVersion2BooleanOrgEnforce --test-dir test/integration --stage destroy --verbose']
 tags:
 - 'ci'
 - 'integration'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.0'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.3'

build/lint.cloudbuild.yaml

@@ -21,4 +21,4 @@ tags:
 - 'lint'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.0'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.3'

examples/v2_boolean_org_enforce/README.md

@@ -0,0 +1,22 @@
+# Boolean Constraint with option to add multiple rules and conditions
+
+This example shows how to set a boolean constraint on an org level, with option to add multiple rules and conditions supported by latest Organization Policy APIs.
+
+This boolean constraint, when set to true, enables OS Login on all newly created Projects. All VM instances created in new projects will have OS Login enabled. On new and existing projects, this constraint prevents metadata updates that disable OS Login at the project or instance level. By default, the OS Login feature is disabled on Compute Engine projects. GKE instances in private clusters running node pool versions 1.20.5-gke.2000 and later support OS Login. GKE instances in public clusters do not currently support OS Login. If this constraint is applied to a Project running public clusters, GKE instances running in that Project may not function properly.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| org\_id | The organization id for applying the policy | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| constraint | Policy Constraint Identifier |
+| policy\_root | Policy Root in the hierarchy for the given policy |
+| policy\_root\_id | Project Root ID at which the policy is applied |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/v2_boolean_org_enforce/main.tf

@@ -0,0 +1,33 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/********************************************************
+  Apply the sample constraint using the org_policy_v2 module
+ *******************************************************/
+module "gcp_org_policy_v2" {
+  source = "../../modules/org_policy_v2"
+
+  policy_root    = "organization"
+  policy_root_id = var.org_id
+  rules = [{
+    enforcement = true
+    allow       = []
+    deny        = []
+    conditions  = []
+  }]
+  constraint  = "compute.requireOsLogin"
+  policy_type = "boolean"
+}

examples/v2_boolean_org_enforce/outputs.tf

@@ -0,0 +1,31 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "policy_root" {
+  description = "Policy Root in the hierarchy for the given policy"
+  value       = module.gcp_org_policy_v2.policy_root
+}
+
+output "policy_root_id" {
+  description = "Project Root ID at which the policy is applied"
+  value       = module.gcp_org_policy_v2.policy_root_id
+}
+
+output "constraint" {
+  description = "Policy Constraint Identifier"
+  value       = module.gcp_org_policy_v2.constraint
+}
+

examples/v2_boolean_org_enforce/variables.tf

@@ -0,0 +1,23 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# Organization ID for this example
+# It could be Folder or Project ID
+variable "org_id" {
+  description = "The organization id for applying the policy"
+  type        = string
+  default     = null
+}

examples/v2_boolean_org_enforce/versions.tf

@@ -0,0 +1,26 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_version = ">= 0.13"
+  required_providers {
+
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 3.53, < 5.0"
+    }
+  }
+}

modules/org_policy_v2/README.md

@@ -0,0 +1,138 @@
+# Google Cloud Organization Policy v2 Terraform Module
+
+This Terraform module makes it easier to manage [organization policies](https://cloud.google.com/resource-manager/docs/organization-policy/overview) for your Google Cloud environment, particularly when you want to have exclusion rules. This module will allow you to set a top-level org policy and then disable it on individual projects or folders easily. This module allows **_conditional policy enforcements based on the latest API version_** of the organization policies API.
+
+Organization Policies are of two types `boolean` and `list`.
+
+---
+
+## Usage
+Example usage is included in the [examples](./examples/org_policy_v2) folder, but simple usage is as follows:
+
+```hcl
+module "gcp_org_policy_v2" {
+  source           = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
+  version          = "~> 5.2.0"
+
+  policy_root      = "organization"    # either of organization, folder or project
+  policy_root_id   = "123456789"       # either of org id, folder id or project id
+  constraint       = "constraint name"    # constraint identifier without constriants/ prefix. Example "compute.requireOsLogin"
+  policy_type      = "boolean"            # either of list or boolean
+  exclude_folders  = []
+  exclude_projects = []
+
+  rules = [
+    # Rule 1
+    {
+      enforcement = true
+      allow       = []
+      deny        = []
+      conditions  = []
+    },
+    # Rule 2
+    {
+      enforcement = true
+      allow       = []
+      deny        = []
+      conditions  = [{
+        description = "description of the condition"
+        expression  = "resource.matchTagId('tagKeys/123456789', 'tagValues/123456789') && resource.matchTag('123456789/1234', 'abcd')"
+        location    = "sample-location.log"
+        title       = "Title of the condition"
+      }]
+    },
+  ]
+}
+```
+
+### Variables
+To control module's behavior, change variables' values regarding the following:
+
+- `constraint`: set this variable with the [constraint value](https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints#available_constraints) in the form `{constraint identifier}`. For example, `serviceuser.services`
+- `policy_type`: Specify either `boolean` for boolean policies or `list` for list policies.
+- `policy_root`: set one of the following values to determine where the policy is applied. Values should be either one of the below.
+  - organization
+  - project
+  - folder
+- `policy_root_id`: set one of the following values to determine where the policy is applied. Based on `policy_root`, either one of the below IDs should be provided.
+  - organization_id
+  - project_id
+  - folder_id
+- `exclude_folders`: a list of folder IDs to be excluded from this policy. These folders must be lower in the hierarchy than the policy root.
+- `exclude_projects`: a list of project IDs to be excluded from this policy. They must be lower in the hierarchy than the policy root.
+- `rules`: Specify policy rules and conditions. Rules contain the following parameters:
+  - `enforcement`: if `true` or `null`then policy will `deny_all`; if `false` then policy will `allow_all`. Applies for `boolean` based policies.
+  - `allow`: list of values to include in the policy with ALLOW behavior. Set `enforce` to `null` to use it.
+  - `deny`: list of values to include in the policy with DENY behavior. Set `enforce` to `null` to use it.
+  - `conditions`: [Organization tags](https://cloud.google.com/resource-manager/docs/organization-policy/tags-organization-policy) provides a way to conditionally allow or deny policies based on whether a resource has a specific tag. You can use tags and conditional enforcement of organization policies to provide centralized control of the resources in your hierarchy. Each condition has the following properties:
+    - `description`: Description of the condition
+    - `expression`: Common Expression Language, or CEL, is the expression language used to specify conditional expressions. A conditional expression consists of one or more statements that are joined using logical operators (&&, ||, or !). For more information, see the [CEL spec](https://github.com/google/cel-spec) and its [language definition](https://github.com/google/cel-spec/blob/master/doc/langdef.md).
+    - `location`: Log location
+    - `title`: Title of the condition
+
+---
+
+### IMPORTANT
+- Boolean policies (with `type: "boolean"`) can set the following variables:
+  - `enforcement`: if `true` or `null` then the policy is enforced at the root; if `false` then policy is not enforced at the root.
+  - Following requirements apply, refer [Terraform Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/org_policy_policy#rules):
+  	- There must be one and only one Policy Rule where condition is unset.
+  	- Boolean Policy Rules with conditions must set enforced to the opposite of the PolicyRule without a condition.
+  	- During policy evaluation, Policy Rules with conditions that are true for a target resource take precedence.
+
+- List policies (with `type: "list"`) can set `allow` and `deny` with a list of resources to allow or deny. For `enforcement` you can set it as follows:
+  - set `enforcement` = false for `allow all`
+  - set `enforcement` = true for `deny all`
+- Each policy can have [maximum of 10 rules](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/org_policy_policy#rules)
+
+---
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| constraint | The constraint to be applied | `string` | n/a | yes |
+| exclude\_folders | Set of folders to exclude from the policy | `set(string)` | `[]` | no |
+| exclude\_projects | Set of projects to exclude from the policy | `set(string)` | `[]` | no |
+| policy\_root | Resource hierarchy node to apply the policy to: can be one of `organization`, `folder`, or `project`. | `string` | `"organization"` | no |
+| policy\_root\_id | The policy root id, either of organization\_id, folder\_id or project\_id | `string` | `null` | no |
+| policy\_type | The constraint type to work with (either 'boolean' or 'list') | `string` | `"list"` | no |
+| rules | List of rules per policy. Upto 10. | `list(any)` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| constraint | Policy Constraint Identifier without constraints/ prefix |
+| policy\_root | Policy Root in the hierarchy for the given policy |
+| policy\_root\_id | Project Root ID at which the policy is applied |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+---
+
+## Compatibility
+This module is meant for use with Terraform 0.13+ and tested using Terraform 1.0+. If you find incompatibilities using Terraform >=0.13, please open an issue.
+ If you haven't
+[upgraded](https://www.terraform.io/upgrade-guides/0-13.html) and need a Terraform
+0.12.x-compatible version of this module, the last released version
+intended for Terraform 0.12.x is [v4.0.0](https://registry.terraform.io/modules/terraform-google-modules/-org-policy/google/v4.0.0).
+
+## Requirements
+### Terraform plugins
+- [Terraform](https://www.terraform.io/downloads.html) >= 0.13.0
+- [terraform-provider-google](https://github.com/terraform-providers/terraform-provider-google) >= v2.5.0
+
+### Permissions
+In order to execute this module, the Service Account you run as must have the **Organization Policy Administrator** (`roles/orgpolicy.PolicyAdmin`) role.
+
+## Install
+### Terraform
+Be sure you have the correct Terraform version (0.12.x), you can choose the binary here:
+- https://releases.hashicorp.com/terraform/
+
+### Terraform plugins
+
+- [terraform-provider-google](https://github.com/terraform-providers/terraform-provider-google) >= v2.5.0
+