Merge pull request #930 from GoogleCloudPlatform/jccb/tf13-org-policies

Update project/folder/module to use new org policies API and tf1.3 optionals.

.github/workflows/linting.yml

@@ -53,12 +53,12 @@ jobs:
         run: |
           terraform fmt -recursive -check -diff $GITHUB_WORKSPACE
 
-      - name: Check documentation (fabric)
+      - name: Check documentation
         id: documentation-fabric
         run: |
-          python3 tools/check_documentation.py examples modules fast
+          python3 tools/check_documentation.py modules fast blueprints
 
-      - name: Check documentation links (fabric)
+      - name: Check documentation links
         id: documentation-links-fabric
         run: |
           python3 tools/check_links.py .

blueprints/cloud-operations/terraform-enterprise-wif/gcp-workload-identity-provider/README.md

@@ -12,22 +12,22 @@ The codebase provisions the following list of resources:
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
 | [billing_account](variables.tf#L16) | Billing account id used as default for new projects. | <code>string</code> | ✓ |  |
-| [project_id](variables.tf#L38) | Existing project id. | <code>string</code> | ✓ |  |
-| [tfe_organization_id](variables.tf#L43) |  | <code></code> | ✓ |  |
-| [tfe_workspace_id](variables.tf#L48) |  | <code></code> | ✓ |  |
-| [issuer_uri](variables.tf#L65) | Terraform Enterprise uri. Replace the uri if a self hosted instance is used. | <code>string</code> |  | <code>&#34;https:&#47;&#47;app.terraform.io&#47;&#34;</code> |
+| [project_id](variables.tf#L43) | Existing project id. | <code>string</code> | ✓ |  |
+| [tfe_organization_id](variables.tf#L48) | TFE organization id. | <code>string</code> | ✓ |  |
+| [tfe_workspace_id](variables.tf#L53) | TFE workspace id. | <code>string</code> | ✓ |  |
+| [issuer_uri](variables.tf#L21) | Terraform Enterprise uri. Replace the uri if a self hosted instance is used. | <code>string</code> |  | <code>&#34;https:&#47;&#47;app.terraform.io&#47;&#34;</code> |
 | [parent](variables.tf#L27) | Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. | <code>string</code> |  | <code>null</code> |
-| [project_create](variables.tf#L21) | Create project instead of using an existing one. | <code>bool</code> |  | <code>true</code> |
-| [workload_identity_pool_id](variables.tf#L53) | Workload identity pool id. | <code>string</code> |  | <code>&#34;tfe-pool&#34;</code> |
-| [workload_identity_pool_provider_id](variables.tf#L59) | Workload identity pool provider id. | <code>string</code> |  | <code>&#34;tfe-provider&#34;</code> |
+| [project_create](variables.tf#L37) | Create project instead of using an existing one. | <code>bool</code> |  | <code>true</code> |
+| [workload_identity_pool_id](variables.tf#L58) | Workload identity pool id. | <code>string</code> |  | <code>&#34;tfe-pool&#34;</code> |
+| [workload_identity_pool_provider_id](variables.tf#L64) | Workload identity pool provider id. | <code>string</code> |  | <code>&#34;tfe-provider&#34;</code> |
 
 ## Outputs
 
 | name | description | sensitive |
 |---|---|:---:|
-| [impersonate_service_account_email](outputs.tf#L31) |  |  |
-| [project_id](outputs.tf#L16) |  |  |
-| [workload_identity_audience](outputs.tf#L26) |  |  |
-| [workload_identity_pool_provider_id](outputs.tf#L21) | GCP workload identity pool provider ID. |  |
+| [impersonate_service_account_email](outputs.tf#L16) | Service account to be impersonated by workload identity. |  |
+| [project_id](outputs.tf#L21) | GCP Project ID. |  |
+| [workload_identity_audience](outputs.tf#L26) | TFC Workload Identity Audience. |  |
+| [workload_identity_pool_provider_id](outputs.tf#L31) | GCP workload identity pool provider ID. |  |
 
 <!-- END TFDOC -->

blueprints/cloud-operations/terraform-enterprise-wif/gcp-workload-identity-provider/outputs.tf

@@ -13,22 +13,22 @@
 # limitations under the License.
 
 
+output "impersonate_service_account_email" {
+  description = "Service account to be impersonated by workload identity."
+  value       = module.sa-tfe.email
+}
+
 output "project_id" {
   description = "GCP Project ID."
   value       = module.project.project_id
 }
 
-output "workload_identity_pool_provider_id" {
-  description = "GCP workload identity pool provider ID."
-  value       = google_iam_workload_identity_pool_provider.tfe-pool-provider.name
-}
-
 output "workload_identity_audience" {
   description = "TFC Workload Identity Audience."
   value       = "//iam.googleapis.com/${google_iam_workload_identity_pool_provider.tfe-pool-provider.name}"
 }
 
-output "impersonate_service_account_email" {
-  description = "Service account to be impersonated by workload identity."
-  value       = module.sa-tfe.email
+output "workload_identity_pool_provider_id" {
+  description = "GCP workload identity pool provider ID."
+  value       = google_iam_workload_identity_pool_provider.tfe-pool-provider.name
 }

blueprints/cloud-operations/terraform-enterprise-wif/gcp-workload-identity-provider/variables.tf

@@ -18,10 +18,10 @@ variable "billing_account" {
   type        = string
 }
 
-variable "project_create" {
-  description = "Create project instead of using an existing one."
-  type        = bool
-  default     = true
+variable "issuer_uri" {
+  description = "Terraform Enterprise uri. Replace the uri if a self hosted instance is used."
+  type        = string
+  default     = "https://app.terraform.io/"
 }
 
 variable "parent" {
@@ -34,6 +34,11 @@ variable "parent" {
   }
 }
 
+variable "project_create" {
+  description = "Create project instead of using an existing one."
+  type        = bool
+  default     = true
+}
 
 variable "project_id" {
   description = "Existing project id."
@@ -61,9 +66,3 @@ variable "workload_identity_pool_provider_id" {
   type        = string
   default     = "tfe-provider"
 }
-
-variable "issuer_uri" {
-  description = "Terraform Enterprise uri. Replace the uri if a self hosted instance is used."
-  type        = string
-  default     = "https://app.terraform.io/"
-}

blueprints/cloud-operations/terraform-enterprise-wif/tfc-workflow-using-wif/README.md

@@ -5,15 +5,14 @@ This terraform code is a part of [GCP Workload Identity Federation for Terraform
 The codebase provisions the following list of resources:
 
 - GCS Bucket
-
 <!-- BEGIN TFDOC -->
 
 ## Variables
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [impersonate_service_account_email](variables.tf#L26) |  | <code></code> | ✓ |  |
-| [project_id](variables.tf#L16) |  | <code></code> | ✓ |  |
-| [workload_identity_pool_provider_id](variables.tf#L21) | GCP workload identity pool provider ID. | <code>string</code> | ✓ |  |
+| [impersonate_service_account_email](variables.tf#L21) | Service account to be impersonated by workload identity. | <code>string</code> | ✓ |  |
+| [project_id](variables.tf#L16) | GCP project ID. | <code>string</code> | ✓ |  |
+| [workload_identity_pool_provider_id](variables.tf#L26) | GCP workload identity pool provider ID. | <code>string</code> | ✓ |  |
 
 <!-- END TFDOC -->

blueprints/cloud-operations/terraform-enterprise-wif/tfc-workflow-using-wif/variables.tf

@@ -18,12 +18,12 @@ variable "project_id" {
   type        = string
 }
 
-variable "workload_identity_pool_provider_id" {
-  description = "GCP workload identity pool provider ID."
+variable "impersonate_service_account_email" {
+  description = "Service account to be impersonated by workload identity."
   type        = string
 }
 
-variable "impersonate_service_account_email" {
-  description = "Service account to be impersonated by workload identity."
+variable "workload_identity_pool_provider_id" {
+  description = "GCP workload identity pool provider ID."
   type        = string
 }

blueprints/data-solutions/data-platform-foundations/03-orchestration.tf

@@ -67,8 +67,10 @@ module "orch-project" {
     "roles/storage.objectViewer" = [module.load-sa-df-0.iam_email]
   }
   oslogin = false
-  policy_boolean = {
-    "constraints/compute.requireOsLogin" = false
+  org_policies = {
+    "constraints/compute.requireOsLogin" = {
+      enforce = false
+    }
   }
   services = concat(var.project_services, [
     "artifactregistry.googleapis.com",

blueprints/data-solutions/data-playground/main.tf

@@ -40,8 +40,10 @@ module "project" {
     "storage.googleapis.com",
     "storage-component.googleapis.com"
   ]
-  policy_boolean = {
-    # "constraints/compute.requireOsLogin" = false
+  org_policies = {
+    # "constraints/compute.requireOsLogin" = {
+    #   enforce = false
+    # }
     # Example of applying a project wide policy, mainly useful for Composer
   }
   service_encryption_key_ids = {

blueprints/factories/project-factory/README.md

@@ -68,13 +68,13 @@ module "projects" {
   iam                    = try(each.value.iam, {})
   kms_service_agents     = try(each.value.kms, {})
   labels                 = try(each.value.labels, {})
-  org_policies           = try(each.value.org_policies, null)
+  org_policies           = try(each.value.org_policies, {})
   service_accounts       = try(each.value.service_accounts, {})
   services               = try(each.value.services, [])
   service_identities_iam = try(each.value.service_identities_iam, {})
   vpc                    = try(each.value.vpc, null)
 }
-# tftest modules=7 resources=27
+# tftest modules=7 resources=28
 ```
 
 ### Projects configuration
@@ -153,16 +153,16 @@ labels:
   environment: prod
 
 # [opt] Org policy overrides defined at project level
-org_policies:       
-  policy_boolean:
-    constraints/compute.disableGuestAttributesAccess: true
-  policy_list:
-    constraints/compute.trustedImageProjects:
-      inherit_from_parent: null
-      status: true
-      suggested_value: null
+org_policies:
+  constraints/compute.disableGuestAttributesAccess: 
+    enforce: true
+  constraints/compute.trustedImageProjects:
+    allow:
       values:
-        - projects/fast-prod-iac-core-0
+        - projects/fast-dev-iac-core-0
+  constraints/compute.vmExternalIpAccess:
+    deny:
+      all: true
 
 # [opt] Service account to create for the project and their roles on the project
 # in name => [roles] format
@@ -221,7 +221,7 @@ vpc:
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
 | [billing_account_id](variables.tf#L17) | Billing account id. | <code>string</code> | ✓ |  |
-| [project_id](variables.tf#L119) | Project id. | <code>string</code> | ✓ |  |
+| [project_id](variables.tf#L145) | Project id. | <code>string</code> | ✓ |  |
 | [billing_alert](variables.tf#L22) | Billing alert configuration. | <code title="object&#40;&#123;&#10;  amount &#61; number&#10;  thresholds &#61; object&#40;&#123;&#10;    current    &#61; list&#40;number&#41;&#10;    forecasted &#61; list&#40;number&#41;&#10;  &#125;&#41;&#10;  credit_treatment &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 | [defaults](variables.tf#L35) | Project factory default values. | <code title="object&#40;&#123;&#10;  billing_account_id &#61; string&#10;  billing_alert &#61; object&#40;&#123;&#10;    amount &#61; number&#10;    thresholds &#61; object&#40;&#123;&#10;      current    &#61; list&#40;number&#41;&#10;      forecasted &#61; list&#40;number&#41;&#10;    &#125;&#41;&#10;    credit_treatment &#61; string&#10;  &#125;&#41;&#10;  environment_dns_zone  &#61; string&#10;  essential_contacts    &#61; list&#40;string&#41;&#10;  labels                &#61; map&#40;string&#41;&#10;  notification_channels &#61; list&#40;string&#41;&#10;  shared_vpc_self_link  &#61; string&#10;  vpc_host_project      &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 | [dns_zones](variables.tf#L57) | DNS private zones to create as child of var.defaults.environment_dns_zone. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
@@ -231,13 +231,13 @@ vpc:
 | [iam](variables.tf#L81) | Custom IAM settings in role => [principal] format. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [kms_service_agents](variables.tf#L87) | KMS IAM configuration in as service => [key]. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [labels](variables.tf#L93) | Labels to be assigned at project level. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
-| [org_policies](variables.tf#L99) | Org-policy overrides at project level. | <code title="object&#40;&#123;&#10;  policy_boolean &#61; map&#40;bool&#41;&#10;  policy_list &#61; map&#40;object&#40;&#123;&#10;    inherit_from_parent &#61; bool&#10;    suggested_value     &#61; string&#10;    status              &#61; bool&#10;    values              &#61; list&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [prefix](variables.tf#L113) | Prefix used for the project id. | <code>string</code> |  | <code>null</code> |
-| [service_accounts](variables.tf#L124) | Service accounts to be created, and roles assigned them on the project. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [service_accounts_iam](variables.tf#L130) | IAM bindings on service account resources. Format is KEY => {ROLE => [MEMBERS]} | <code>map&#40;map&#40;list&#40;string&#41;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [service_identities_iam](variables.tf#L144) | Custom IAM settings for service identities in service => [role] format. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [services](variables.tf#L137) | Services to be enabled for the project. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
-| [vpc](variables.tf#L151) | VPC configuration for the project. | <code title="object&#40;&#123;&#10;  host_project &#61; string&#10;  gke_setup &#61; object&#40;&#123;&#10;    enable_security_admin     &#61; bool&#10;    enable_host_service_agent &#61; bool&#10;  &#125;&#41;&#10;  subnets_iam &#61; map&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [org_policies](variables.tf#L99) | Org-policy overrides at project level. | <code title="map&#40;object&#40;&#123;&#10;  inherit_from_parent &#61; optional&#40;bool&#41; &#35; for list policies only.&#10;  reset               &#61; optional&#40;bool&#41;&#10;  allow &#61; optional&#40;object&#40;&#123;&#10;    all    &#61; optional&#40;bool&#41;&#10;    values &#61; optional&#40;list&#40;string&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  deny &#61; optional&#40;object&#40;&#123;&#10;    all    &#61; optional&#40;bool&#41;&#10;    values &#61; optional&#40;list&#40;string&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  enforce &#61; optional&#40;bool, true&#41; &#35; for boolean policies only.&#10;  rules &#61; optional&#40;list&#40;object&#40;&#123;&#10;    allow &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    deny &#61; optional&#40;object&#40;&#123;&#10;      all    &#61; optional&#40;bool&#41;&#10;      values &#61; optional&#40;list&#40;string&#41;&#41;&#10;    &#125;&#41;&#41;&#10;    enforce &#61; optional&#40;bool, true&#41; &#35; for boolean policies only.&#10;    condition &#61; object&#40;&#123;&#10;      description &#61; optional&#40;string&#41;&#10;      expression  &#61; optional&#40;string&#41;&#10;      location    &#61; optional&#40;string&#41;&#10;      title       &#61; optional&#40;string&#41;&#10;    &#125;&#41;&#10;  &#125;&#41;&#41;, &#91;&#93;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [prefix](variables.tf#L139) | Prefix used for the project id. | <code>string</code> |  | <code>null</code> |
+| [service_accounts](variables.tf#L150) | Service accounts to be created, and roles assigned them on the project. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [service_accounts_iam](variables.tf#L156) | IAM bindings on service account resources. Format is KEY => {ROLE => [MEMBERS]} | <code>map&#40;map&#40;list&#40;string&#41;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [service_identities_iam](variables.tf#L164) | Custom IAM settings for service identities in service => [role] format. | <code>map&#40;list&#40;string&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [services](variables.tf#L171) | Services to be enabled for the project. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |
+| [vpc](variables.tf#L178) | VPC configuration for the project. | <code title="object&#40;&#123;&#10;  host_project &#61; string&#10;  gke_setup &#61; object&#40;&#123;&#10;    enable_security_admin     &#61; bool&#10;    enable_host_service_agent &#61; bool&#10;  &#125;&#41;&#10;  subnets_iam &#61; map&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 
 ## Outputs
 

blueprints/factories/project-factory/main.tf

@@ -148,9 +148,8 @@ module "project" {
   contacts                   = { for c in local.essential_contacts : c => ["ALL"] }
   iam                        = local.iam
   labels                     = local.labels
+  org_policies               = try(var.org_policies, {})
   parent                     = var.folder_id
-  policy_boolean             = try(var.org_policies.policy_boolean, {})
-  policy_list                = try(var.org_policies.policy_list, {})
   service_encryption_key_ids = var.kms_service_agents
   services                   = local.services
   shared_vpc_service_config = var.vpc == null ? null : {

blueprints/factories/project-factory/sample-data/projects/project.yaml

@@ -48,15 +48,15 @@ labels:
 
 # [opt] Org policy overrides defined at project level
 org_policies:
-  policy_boolean:
-    constraints/compute.disableGuestAttributesAccess: true
-  policy_list:
-    constraints/compute.trustedImageProjects:
-      inherit_from_parent: null
-      status: true
-      suggested_value: null
+  constraints/compute.disableGuestAttributesAccess:
+    enforce: true
+  constraints/compute.trustedImageProjects:
+    allow:
       values:
         - projects/fast-dev-iac-core-0
+  constraints/compute.vmExternalIpAccess:
+    deny:
+      all: true
 
 # [opt] Service account to create for the project and their roles on the project
 # in name => [roles] format

blueprints/factories/project-factory/variables.tf

@@ -98,16 +98,42 @@ variable "labels" {
 
 variable "org_policies" {
   description = "Org-policy overrides at project level."
-  type = object({
-    policy_boolean = map(bool)
-    policy_list = map(object({
-      inherit_from_parent = bool
-      suggested_value     = string
-      status              = bool
-      values              = list(string)
+  type = map(object({
+    inherit_from_parent = optional(bool) # for list policies only.
+    reset               = optional(bool)
+
+    # default (unconditional) values
+    allow = optional(object({
+      all    = optional(bool)
+      values = optional(list(string))
     }))
-  })
-  default = null
+    deny = optional(object({
+      all    = optional(bool)
+      values = optional(list(string))
+    }))
+    enforce = optional(bool, true) # for boolean policies only.
+
+    # conditional values
+    rules = optional(list(object({
+      allow = optional(object({
+        all    = optional(bool)
+        values = optional(list(string))
+      }))
+      deny = optional(object({
+        all    = optional(bool)
+        values = optional(list(string))
+      }))
+      enforce = optional(bool, true) # for boolean policies only.
+      condition = object({
+        description = optional(string)
+        expression  = optional(string)
+        location    = optional(string)
+        title       = optional(string)
+      })
+    })), [])
+  }))
+  default  = {}
+  nullable = false
 }
 
 variable "prefix" {
@@ -134,12 +160,6 @@ variable "service_accounts_iam" {
   nullable    = false
 }
 
-variable "services" {
-  description = "Services to be enabled for the project."
-  type        = list(string)
-  default     = []
-  nullable    = false
-}
 
 variable "service_identities_iam" {
   description = "Custom IAM settings for service identities in service => [role] format."
@@ -148,6 +168,13 @@ variable "service_identities_iam" {
   nullable    = false
 }
 
+variable "services" {
+  description = "Services to be enabled for the project."
+  type        = list(string)
+  default     = []
+  nullable    = false
+}
+
 variable "vpc" {
   description = "VPC configuration for the project."
   type = object({
@@ -160,6 +187,3 @@ variable "vpc" {
   })
   default = null
 }
-
-
-

blueprints/networking/filtering-proxy/main.tf

@@ -226,13 +226,10 @@ module "folder-apps" {
   source = "../../../modules/folder"
   parent = var.root_node
   name   = "apps"
-  policy_list = {
+  org_policies = {
     # prevent VMs with public IPs in the apps folder
     "constraints/compute.vmExternalIpAccess" = {
-      inherit_from_parent = false
-      suggested_value     = null
-      status              = false
-      values              = []
+      deny = { all = true }
     }
   }
 }