Added org policy policy resource. #5199
Conversation
|
Oops! It looks like you're using an unknown release-note type in your changelog entries:
Please only use the types listed in https://github.com/GoogleCloudPlatform/magic-modules/blob/master/.ci/RELEASE_NOTES_GUIDE.md. |
|
Hello! I am a robot who works on Magic Modules PRs. I have detected that you are a community contributor, so your PR will be assigned to someone with a commit-bit on this repo for initial review. Thanks for your contribution! A human will be with you soon. @c2thorn, please review this PR or find an appropriate assignee. |
|
Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are. Diff report:Terraform GA: Diff ( 29 files changed, 1356 insertions(+), 9574 deletions(-)) |
|
|
||
| func resourceOrgPolicyPolicyCustomImport(d *schema.ResourceData, meta interface{}) error { | ||
| config := meta.(*Config) | ||
| if err := parseImportId([]string{ |
There was a problem hiding this comment.
I would add a comment which says "this differs from the normal import method because it permits slashes in the first element and requires the parent to start at the beginning of the string.
There was a problem hiding this comment.
I can't think of any off the top of my head, but do we see this import pattern in other resources? Any merit to a generic solution?
There was a problem hiding this comment.
There are other resources in the DCL that allow a forward slashes in the values for certain fields. Usually, as it is here, this is because the field is a parent field and there can be more than one type of parent for the resource.
| - type: SERIALIZATION_ONLY | ||
| - type: CUSTOM_TERRAFORM_PRODUCT_NAME | ||
| details: | ||
| product: "" |
There was a problem hiding this comment.
Maybe a comment that says "this produces the correct name google_folder"?
| // of the DCL resource with a different location type. All references in samples | ||
| // to a resource with an alternate location will point to the main version. | ||
| func (r Resource) IsAlternateLocation() bool { | ||
| // For now, we consider non-regional resources to be alternate. |
There was a problem hiding this comment.
I'd extend this comment to say "non-locational resources have the empty string for their location."
| return serializeProjectToHCL(m) | ||
| } | ||
|
|
||
| func serializeProjectToHCL(m map[string]interface{}) (string, error) { |
There was a problem hiding this comment.
I notice this doesn't have folder, is that a git history mishap or is that on purpose?
There was a problem hiding this comment.
Folder does not need a custom serializer because it has the same schema in DCL and terraform.
| @@ -235,9 +235,9 @@ func resource{{$.PathType}}Create(d *schema.ResourceData, meta interface{}) erro | |||
| } | |||
| {{ end }} | |||
|
|
|||
| id, err := {{ $.IdFunction }}(d, config, "{{$.ID}}") | |||
There was a problem hiding this comment.
Does this mean we can remove IdFunction and ID now that the DCL exports an ID method?
There was a problem hiding this comment.
I believe so. Should I do that in this PR?
There was a problem hiding this comment.
Hmm... leave a TODO, maybe? This does already include an awful lot of changes that are required-but-tangentially-related.
There was a problem hiding this comment.
I believe this would be better tracked if there were a GH issue that this TODO could point to
|
@c2thorn - Thomas and I pair programmed most of this, so I'll take a first pass on review but we'll ping you when we need a fresh pair of eyes. :) |
trodge
force-pushed
the
orgpolicy-policy-dcl
branch
from
70ed626
to
d474c59
Compare
|
Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are. Diff report:Terraform GA: Diff ( 29 files changed, 1356 insertions(+), 9574 deletions(-)) |
go.sum
Outdated
| @@ -0,0 +1 @@ | |||
| 3644975SUM_LINE | |||
There was a problem hiding this comment.
This file should be removed - some kind of issue copying makefile commands I assume?
mmv1/third_party/terraform/go.sum
Outdated
| @@ -1577,3 +1579,6 @@ rsc.io/sampler v1.3.0 h1:7uVkIFmeBqHfdjD+gZwtXXI+RODJ2Wc4O7MPEh/QiW4= | |||
| rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= | |||
| sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs= | |||
| sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= | |||
| 3644975SUM_LINE | |||
There was a problem hiding this comment.
This line should be removed.
There was a problem hiding this comment.
I've amended the commit that added this line. Let me know if it's still incorrect.
|
You'll need to rebase + update those |
trodge
force-pushed
the
orgpolicy-policy-dcl
branch
2 times, most recently
from
5c995c5
to
01b7437
Compare
|
Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are. Diff report:Terraform GA: Diff ( 21 files changed, 1333 insertions(+), 24 deletions(-)) |
|
Awesome, looks like this all compiles and passes lints. /gcbrun to get the full test suite running. It'll take til tomorrow, we'll look at it in the morning. |
trodge
force-pushed
the
orgpolicy-policy-dcl
branch
from
01b7437
to
5e4d5e5
Compare
|
/gcbrun |
|
Ah, sorry, it needed me to do it. It's going to complain you're not on the allowlist. But it did trigger, we can check in at https://ci-oss.hashicorp.engineering/buildConfiguration/GoogleCloudBeta_ProviderGoogleCloudBetaMmUpstreamVcr/205879? in the morning - although I suspect permissions there will be a hassle. Something else to get sorted before the e2e experiment. |
|
Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are. Diff report:Terraform GA: Diff ( 21 files changed, 1333 insertions(+), 24 deletions(-)) |
|
There's an issue in a DCL-based resource which is likely related to DCL-side handling of the |
|
Okay, I pushed a change that should fix that test failure. We'll have to see after the diff generation. |
|
Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are. Diff report:Terraform GA: Diff ( 21 files changed, 1324 insertions(+), 15 deletions(-)) |
|
/gcbrun |
|
Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are. Diff report:Terraform GA: Diff ( 21 files changed, 1324 insertions(+), 15 deletions(-)) |
|
I have triggered VCR tests in RECORDING mode for the following tests that failed during VCR: TestAccOrgPolicyPolicy_EnforcePolicy|TestAccOrgPolicyPolicy_FolderPolicy|TestAccOrgPolicyPolicy_OrganizationPolicy|TestAccOrgPolicyPolicy_ProjectPolicy You can view the result here: https://ci-oss.hashicorp.engineering/viewQueued.html?itemId=206047 |
|
Great. Now only the new tests are failing and we have gotten all of them to pass on our side already so we have a good reason to think they will pass when they run. |
|
Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are. Diff report:Terraform GA: Diff ( 31 files changed, 1377 insertions(+), 9575 deletions(-)) |
|
Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are. Diff report:Terraform GA: Diff ( 23 files changed, 1356 insertions(+), 15 deletions(-)) |
|
/gcbrun |
1 similar comment
|
/gcbrun |
trodge
force-pushed
the
orgpolicy-policy-dcl
branch
2 times, most recently
from
8f63d84
to
af6f45a
Compare
trodge
force-pushed
the
orgpolicy-policy-dcl
branch
from
af6f45a
to
9edff17
Compare
|
Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are. Diff report:Terraform GA: Diff ( 23 files changed, 1354 insertions(+), 13 deletions(-)) |
|
/gcbrun |
|
Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are. Diff report:Terraform GA: Diff ( 23 files changed, 1354 insertions(+), 13 deletions(-)) |
|
I have triggered VCR tests in RECORDING mode for the following tests that failed during VCR: TestAccComputeManagedSslCertificate_managedSslCertificateBasicExample|TestAccComputeServiceAttachment_serviceAttachmentBasicExample|TestAccOrgPolicyPolicy_EnforcePolicy|TestAccOrgPolicyPolicy_FolderPolicy|TestAccOrgPolicyPolicy_OrganizationPolicy|TestAccOrgPolicyPolicy_ProjectPolicy You can view the result here: https://ci-oss.hashicorp.engineering/viewQueued.html?itemId=206583 |
|
Tests failed during RECORDING mode: TestAccOrgPolicyPolicy_OrganizationPolicy|TestAccOrgPolicyPolicy_FolderPolicy|TestAccOrgPolicyPolicy_ProjectPolicy|TestAccOrgPolicyPolicy_EnforcePolicy|TestAccComputeServiceAttachment_serviceAttachmentBasicExample Please fix these to complete your PR |
| if err != nil { | ||
| return fmt.Errorf("Error constructing id: %s", err) |
There was a problem hiding this comment.
Why remove this extra formatting? The message still seems appropriate to me for the UseDCLID case, but if we need to modify it I think that's better than fully removing. Just makes it easier to read in the logs.
There was a problem hiding this comment.
I've put the extra formatting back, lowercased in case the error isn't at the start of a sentence.
| details: | ||
| function: resourceOrgPolicyPolicyCustomImport | ||
| - type: USE_DCL_ID | ||
| - type: ENUM_BOOL |
There was a problem hiding this comment.
Non-review question: how would contributors be able to to recognize that a boolean should have this override applied to it?
There was a problem hiding this comment.
If the field is a boolean in the DCL and it's necessary to be able to distinguish between true, false, and nil, then it needs to be an enum/string in terraform which can be "TRUE", "FALSE", or "".
In this case the distinction is important because these fields conflict with each other and setting enforce to false is different than leaving all of them unset.
There was a problem hiding this comment.
If it needs to have an unset case which is distinct from false. This would be a good place to insist we write those override docs!
There was a problem hiding this comment.
Yes if we could add a one-pager doc per override added, that would help. I don't quite remember if we had a specific place where we've kept them all, @ndmckinley do you remember? Maybe we can chat in an internal chat about it.
|
FYI with respect to tests the issue was "api not enabled", enabled and rerunning. |
| @@ -0,0 +1,10 @@ | |||
| - type: CUSTOM_IMPORT_FUNCTION | |||
There was a problem hiding this comment.
The generated sweeper does not seem to work correctly likely tied to the need for the custom import. We should probably add a NO_SWEEPER override for now.
|
FYI those tests all passed - this is a fully green run. |
…construction errors.
|
Hi! I'm the modular magician. Your PR generated some diffs in downstreams - here they are. Diff report:Terraform GA: Diff ( 23 files changed, 1354 insertions(+), 13 deletions(-)) |
I seem to have linked this issue in the wrong PR. |
|
@trodge @ndmckinley this is hashicorp/terraform-provider-google#9341, right? |
|
Thanks, yes - I got the internal bugs and missed the external one. Appreciate the pointer. |
* Added org policy policy resource. * Added additional comments. * Allow resources to use the normal terraform ID process by default - DCL by override. * Added a way to expand and flatten between terraform strings and dcl booleans. * Updated GA version of policy.yaml. * Ran make upgrade-dcl (and added missing tab to tf go.mod). * Added NO_SWEEPER override for orgpolicy policy and formatting for id construction errors. Co-authored-by: Nathan Mckinley <nmckinley@google.com>
Added org policy policy resource to tpgtools. This is a new, schema-incompatible version of google_organization_policy, google_folder_organization_policy, and google_project_organization_policy which can have any of the three parent resources.
Added cloudresourcemanager folder and project resources with serialization only override for use in testing. These resources are still not implemented in terraform through the DCL.
fixes hashicorp/terraform-provider-google#2605
If this PR is for Terraform, I acknowledge that I have:
make testandmake lintto ensure it passes unit and linter tests.Release Note Template for Downstream PRs (will be copied)