[DM] Org_Policy updates(#231)

- Added version, links to docs
  - Fixed resource names
  - Fixed pydocstyle warnings
  - Added schema validation against the API documentation
  - Added project parameter to gcloud deployment-manager calls

dm/templates/org_policy/org_policy.py

@@ -11,15 +11,11 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-"""
-This template creates an organization policy to allow VMs to have public
-IPs.
-"""
+"""This template creates an organization policy."""
 
 
 def generate_config(context):
-    """ Entry point for the deployment resources. """
-
+    """Entry point for the deployment resources."""
     project = context.properties['projectId']
     resources = []
 

dm/templates/org_policy/org_policy.py.schema

@@ -15,17 +15,28 @@
 info:
   title: Organization Policy
   author: Sourced Group Inc.
-  description: Creates organizational policies.
+  version: 1.0.0
+  description: |
+    Creates organizational policies.
+
+    For more information on this resource:
+    https://cloud.google.com/resource-manager/reference/rest/v1/Policy
+
+    APIs endpoints used by this template:
+      - gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setOrgPolicy =>
+          https://cloud.google.com/resource-manager/reference/rest/v1/projects/setOrgPolicy
+      - gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.clearOrgPolicy =>
+          https://cloud.google.com/resource-manager/reference/rest/v1/projects/clearOrgPolicy
 
 imports:
   - path: org_policy.py
 
-additionalProperties: false
-
 required:
   - projectId
   - policies
 
+additionalProperties: false
+
 properties:
   projectId:
     type: string
@@ -42,6 +53,74 @@ properties:
         - constraint: constraints/compute.disableNestedVirtualization
           booleanPolicy:
             enforced: true
+    uniqItems: true
+    items:
+      version:
+        type: integer
+        description: Version of the Policy. Default version is 0.
+        minimum: 1
+      constraint:
+        type: string
+        description: |
+          The name of the Constraint the Policy is configuring.
+          For example, `constraints/serviceuser.services`.
+          Immutable after creation.
+      listPolicy:
+        type: object
+        description: List of values either allowed or disallowed.
+        additionalProperties: false
+        properties:
+          allowedValues:
+            type: array
+            description: |
+              List of values allowed at this resource. Can only be set if
+              `allValues` is set to `ALL_VALUES_UNSPECIFIED`.
+            uniqItems: true
+            items:
+              type: string
+          deniedValues:
+            type: array
+            description: |
+              List of values allowed at this resource. Can only be set if
+              `allValues` is set to `ALL_VALUES_UNSPECIFIED`.
+            uniqItems: true
+            items:
+              type: string
+          allValues:
+            type: string
+            description: |
+              The policy allValues state.
+              https://cloud.google.com/resource-manager/reference/rest/v1/Policy#AllValues
+            pattern: ^(ALL_VALUES_UNSPECIFIED|ALLOW|DENY)$
+          suggestedValue:
+            type: string
+            description: |
+              Optional. The Google Cloud Console will try to default to a
+              configuration that matches the value specified in this Policy. If
+              suggestedValue is not set, it will inherit the value specified
+              higher in the hierarchy, unless inheritFromParent is false.
+          inheritFromParent:
+            type: boolean
+            description: |
+              Determines the inheritance behavior for this Policy.
+              For more details please look for `inheritFromParent` in the doc
+              https://cloud.google.com/resource-manager/reference/rest/v1/Policy
+      booleanPolicy:
+        type: object
+        description: |
+          For boolean Constraints, whether to enforce the Constraint or not.
+        additionalProperties: false
+        properties:
+          enforced:
+          type: boolean
+          description: |
+            If true, then the Policy is enforced. If false, then any
+            configuration is acceptable.
+      restoreDefault:
+        type: object
+        description: |
+          Restores the default behavior of the constraint.
+          Independent of Constraint type.
 
 documentation:
   - templates/org_policy/README.md

dm/templates/org_policy/tests/integration/org_policy.bats

@@ -54,19 +54,23 @@ function teardown() {
 
 
 @test "Creating deployment ${DEPLOYMENT_NAME} from ${CONFIG}" {
-    gcloud deployment-manager deployments create "${DEPLOYMENT_NAME}" --config "${CONFIG}"
+    gcloud deployment-manager deployments create "${DEPLOYMENT_NAME}" \
+        --config "${CONFIG}" --project "${CLOUD_FOUNDATION_PROJECT_ID}"
 }
 
 @test "Verifying that resources were created in deployment ${DEPLOYMENT_NAME}" {
-    run gcloud beta resource-manager org-policies list --project "${CLOUD_FOUNDATION_PROJECT_ID}"
+    run gcloud beta resource-manager org-policies list \
+        --project "${CLOUD_FOUNDATION_PROJECT_ID}"
     [[ "$output" =~ "compute.vmExternalIpAccess" ]]
     [[ "$output" =~ "compute.disableNestedVirtualization" ]]
 }
 
 @test "Deleting deployment" {
-    gcloud deployment-manager deployments delete "${DEPLOYMENT_NAME}" -q
+    gcloud deployment-manager deployments delete "${DEPLOYMENT_NAME}" \
+        --project "${CLOUD_FOUNDATION_PROJECT_ID}" -q
 
-    run gcloud beta resource-manager org-policies list --project "${CLOUD_FOUNDATION_PROJECT_ID}"
+    run gcloud beta resource-manager org-policies list \
+        --project "${CLOUD_FOUNDATION_PROJECT_ID}"
     [[ ! "$output" =~ "compute.vmExternalIpAccess" ]]
     [[ ! "$output" =~ "compute.disableNestedVirtualization" ]]
 }