diff --git a/dm/templates/org_policy/org_policy.py b/dm/templates/org_policy/org_policy.py index 73711cebc7a..9f430679294 100644 --- a/dm/templates/org_policy/org_policy.py +++ b/dm/templates/org_policy/org_policy.py @@ -11,15 +11,11 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -""" -This template creates an organization policy to allow VMs to have public -IPs. -""" +"""This template creates an organization policy.""" def generate_config(context): - """ Entry point for the deployment resources. """ - + """Entry point for the deployment resources.""" project = context.properties['projectId'] resources = [] diff --git a/dm/templates/org_policy/org_policy.py.schema b/dm/templates/org_policy/org_policy.py.schema index 7265eb5aa3a..fda6f99f290 100644 --- a/dm/templates/org_policy/org_policy.py.schema +++ b/dm/templates/org_policy/org_policy.py.schema @@ -15,17 +15,28 @@ info: title: Organization Policy author: Sourced Group Inc. - description: Creates organizational policies. + version: 1.0.0 + description: | + Creates organizational policies. + + For more information on this resource: + https://cloud.google.com/resource-manager/reference/rest/v1/Policy + + APIs endpoints used by this template: + - gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setOrgPolicy => + https://cloud.google.com/resource-manager/reference/rest/v1/projects/setOrgPolicy + - gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.clearOrgPolicy => + https://cloud.google.com/resource-manager/reference/rest/v1/projects/clearOrgPolicy imports: - path: org_policy.py -additionalProperties: false - required: - projectId - policies +additionalProperties: false + properties: projectId: type: string @@ -42,6 +53,74 @@ properties: - constraint: constraints/compute.disableNestedVirtualization booleanPolicy: enforced: true + uniqItems: true + items: + version: + type: integer + description: Version of the Policy. Default version is 0. + minimum: 1 + constraint: + type: string + description: | + The name of the Constraint the Policy is configuring. + For example, `constraints/serviceuser.services`. + Immutable after creation. + listPolicy: + type: object + description: List of values either allowed or disallowed. + additionalProperties: false + properties: + allowedValues: + type: array + description: | + List of values allowed at this resource. Can only be set if + `allValues` is set to `ALL_VALUES_UNSPECIFIED`. + uniqItems: true + items: + type: string + deniedValues: + type: array + description: | + List of values allowed at this resource. Can only be set if + `allValues` is set to `ALL_VALUES_UNSPECIFIED`. + uniqItems: true + items: + type: string + allValues: + type: string + description: | + The policy allValues state. + https://cloud.google.com/resource-manager/reference/rest/v1/Policy#AllValues + pattern: ^(ALL_VALUES_UNSPECIFIED|ALLOW|DENY)$ + suggestedValue: + type: string + description: | + Optional. The Google Cloud Console will try to default to a + configuration that matches the value specified in this Policy. If + suggestedValue is not set, it will inherit the value specified + higher in the hierarchy, unless inheritFromParent is false. + inheritFromParent: + type: boolean + description: | + Determines the inheritance behavior for this Policy. + For more details please look for `inheritFromParent` in the doc + https://cloud.google.com/resource-manager/reference/rest/v1/Policy + booleanPolicy: + type: object + description: | + For boolean Constraints, whether to enforce the Constraint or not. + additionalProperties: false + properties: + enforced: + type: boolean + description: | + If true, then the Policy is enforced. If false, then any + configuration is acceptable. + restoreDefault: + type: object + description: | + Restores the default behavior of the constraint. + Independent of Constraint type. documentation: - templates/org_policy/README.md diff --git a/dm/templates/org_policy/tests/integration/org_policy.bats b/dm/templates/org_policy/tests/integration/org_policy.bats index 7f7170f1d55..ebece2f04bf 100644 --- a/dm/templates/org_policy/tests/integration/org_policy.bats +++ b/dm/templates/org_policy/tests/integration/org_policy.bats @@ -54,19 +54,23 @@ function teardown() { @test "Creating deployment ${DEPLOYMENT_NAME} from ${CONFIG}" { - gcloud deployment-manager deployments create "${DEPLOYMENT_NAME}" --config "${CONFIG}" + gcloud deployment-manager deployments create "${DEPLOYMENT_NAME}" \ + --config "${CONFIG}" --project "${CLOUD_FOUNDATION_PROJECT_ID}" } @test "Verifying that resources were created in deployment ${DEPLOYMENT_NAME}" { - run gcloud beta resource-manager org-policies list --project "${CLOUD_FOUNDATION_PROJECT_ID}" + run gcloud beta resource-manager org-policies list \ + --project "${CLOUD_FOUNDATION_PROJECT_ID}" [[ "$output" =~ "compute.vmExternalIpAccess" ]] [[ "$output" =~ "compute.disableNestedVirtualization" ]] } @test "Deleting deployment" { - gcloud deployment-manager deployments delete "${DEPLOYMENT_NAME}" -q + gcloud deployment-manager deployments delete "${DEPLOYMENT_NAME}" \ + --project "${CLOUD_FOUNDATION_PROJECT_ID}" -q - run gcloud beta resource-manager org-policies list --project "${CLOUD_FOUNDATION_PROJECT_ID}" + run gcloud beta resource-manager org-policies list \ + --project "${CLOUD_FOUNDATION_PROJECT_ID}" [[ ! "$output" =~ "compute.vmExternalIpAccess" ]] [[ ! "$output" =~ "compute.disableNestedVirtualization" ]] }