org_policies with condition not idempotent #1076

Closed
AurelienBegou opened this issue Jan 2, 2023 · 2 comments · Fixed by #1079
@AurelienBegou

Hi,

First, many thanks for your work; it allows starting in an efficient way.
I have a kind of issue: when I'm using, as in the documentation, the variable org_policies with a rule with a condition, each time I run an apply Terraform sees changes.

org_policies = {
  "iam.disableServiceAccountKeyUpload" = {
    enforce = false
    rules = [
      {
        condition = {
          expression  = "resource.matchTagId(\"tagKeys/1234\", \"tagValues/1234\")"
          title       = "condition"
          description = "test condition"
          location    = "somewhere"
        }
        enforce = true
      }
    ]
  }
}

Result

# module.org.google_org_policy_policy.default["iam.disableServiceAccountKeyUpload"] will be updated in-place
  ~ resource "google_org_policy_policy" "default" {
        id     = "organizations/xxx/policies/iam.disableServiceAccountKeyUpload"
        name   = "organizations/xxx/policies/iam.disableServiceAccountKeyUpload"
        # (1 unchanged attribute hidden)

      ~ spec {
            # (4 unchanged attributes hidden)

          ~ rules {
              ~ enforce = "TRUE" -> "FALSE"

              - condition {
                  - description = "test condition" -> null
                  - expression  = "resource.matchTagId(\"tagKeys/1234\", \"tagValues/1234\")" -> null
                  - location    = "somewhere" -> null
                  - title       = "condition" -> null
                }
            }
          ~ rules {
              ~ enforce = "FALSE" -> "TRUE"

              + condition {
                  + description = "test condition"
                  + expression  = "resource.matchTagId(\"tagKeys/1234\", \"tagValues/1234\")"
                  + location    = "somewhere"
                  + title       = "condition"
                }
            }
        }
    }

After some tests and analysis I was not able to find the issue. Have you any thoughts?

@juliocc juliocc self-assigned this Jan 3, 2023
@juliocc
Collaborator

juliocc commented Jan 3, 2023

Thanks for reporting this @AurelienBegou.

I've pushed a change in PR #1079 which should address this issue. Apparently the unconditional rule should always be the last one 🤷‍♂️

We should be merging #1079 shortly but if you're in a hurry you can try it directly from the jccb/fix-1076 branch.
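An added illustration, not the module's code and not the change in #1079: the `google_org_policy_policy` resource written with the conditional rule first and the unconditional rule last, which is the order the plan above shows the API holding the rules in, so a second plan after apply shows no diff. The organization id is a placeholder; the tag condition is the one from the issue.

```hcl
# Added example, not the module's own code: conditional rule first,
# unconditional (default) rule last, so repeated plans stay empty.
# ORG_ID_PLACEHOLDER is a placeholder organization id.

resource "google_org_policy_policy" "disable_sa_key_upload" {
  name   = "organizations/ORG_ID_PLACEHOLDER/policies/iam.disableServiceAccountKeyUpload"
  parent = "organizations/ORG_ID_PLACEHOLDER"

  spec {
    # Conditional rule(s) first: enforce the constraint only on resources
    # carrying the given tag value.
    rules {
      enforce = "TRUE"
      condition {
        expression  = "resource.matchTagId(\"tagKeys/1234\", \"tagValues/1234\")"
        title       = "condition"
        description = "test condition"
        location    = "somewhere"
      }
    }

    # Unconditional rule last: the default for everything the condition
    # does not match.
    rules {
      enforce = "FALSE"
    }
  }
}
```

A plan that keeps swapping `enforce` between the two `rules` blocks on every run, as in the issue above, is this ordering mismatch rather than real drift, and it hides genuine changes to the policy behind a permanent diff.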

@AurelienBegou
Author

Your fix is working fine, many thanks for your quick reply and fix!
