From f826feaebf477c6996246b6d1a336019647411e8 Mon Sep 17 00:00:00 2001 From: Christopher Haar Date: Thu, 25 Jul 2024 17:22:09 +0200 Subject: [PATCH] feat(orgpolicy): add orgpolicy policy 
Signed-off-by: Christopher Haar --- .../v1beta1/zz_generated.conversion_hubs.go | 10 + .../v1beta1/zz_generated.deepcopy.go | 1097 +++++++++++++++++ .../orgpolicy/v1beta1/zz_generated.managed.go | 68 + .../v1beta1/zz_generated.managedlist.go | 17 + .../v1beta1/zz_generated.resolvers.go | 50 + .../orgpolicy/v1beta1/zz_groupversion_info.go | 32 + .../v1beta1/zz_policy_terraformed.go | 129 ++ apis/orgpolicy/v1beta1/zz_policy_types.go | 491 ++++++++ apis/zz_register.go | 2 + cmd/provider/orgpolicy/zz_main.go | 221 ++++ config/externalname.go | 5 + config/externalnamenottested.go | 5 - config/generated.lst | 2 +- .../orgpolicy/v1beta1/policy.yaml | 32 + examples/orgpolicy/v1beta1/policy.yaml | 16 + .../orgpolicy/policy/zz_controller.go | 92 ++ internal/controller/zz_monolith_setup.go | 2 + internal/controller/zz_orgpolicy_setup.go | 26 + .../orgpolicy.gcp.upbound.io_policies.yaml | 1054 ++++++++++++++++ 19 files changed, 3345 insertions(+), 6 deletions(-) create mode 100755 apis/orgpolicy/v1beta1/zz_generated.conversion_hubs.go create mode 100644 apis/orgpolicy/v1beta1/zz_generated.deepcopy.go create mode 100644 apis/orgpolicy/v1beta1/zz_generated.managed.go create mode 100644 apis/orgpolicy/v1beta1/zz_generated.managedlist.go create mode 100644 apis/orgpolicy/v1beta1/zz_generated.resolvers.go create mode 100755 apis/orgpolicy/v1beta1/zz_groupversion_info.go create mode 100755 apis/orgpolicy/v1beta1/zz_policy_terraformed.go create mode 100755 apis/orgpolicy/v1beta1/zz_policy_types.go create mode 100644 cmd/provider/orgpolicy/zz_main.go create mode 100644 examples-generated/orgpolicy/v1beta1/policy.yaml create mode 100644 examples/orgpolicy/v1beta1/policy.yaml create mode 100755 internal/controller/orgpolicy/policy/zz_controller.go create mode 100755 internal/controller/zz_orgpolicy_setup.go create mode 100644 package/crds/orgpolicy.gcp.upbound.io_policies.yaml 
diff --git a/apis/orgpolicy/v1beta1/zz_generated.conversion_hubs.go b/apis/orgpolicy/v1beta1/zz_generated.conversion_hubs.go new file mode 100755 index 000000000..689fe6c61 --- /dev/null +++ b/apis/orgpolicy/v1beta1/zz_generated.conversion_hubs.go @@ -0,0 +1,10 @@ +// SPDX-FileCopyrightText: 2024 The Crossplane Authors +// +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by upjet. DO NOT EDIT. + +package v1beta1 + +// Hub marks this type as a conversion hub. +func (tr *Policy) Hub() {} diff --git a/apis/orgpolicy/v1beta1/zz_generated.deepcopy.go b/apis/orgpolicy/v1beta1/zz_generated.deepcopy.go new file mode 100644 index 000000000..c99538e13 --- /dev/null +++ b/apis/orgpolicy/v1beta1/zz_generated.deepcopy.go 
@@ -0,0 +1,1097 @@ +//go:build !ignore_autogenerated + +// SPDX-FileCopyrightText: 2024 The Crossplane Authors +// +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by controller-gen. DO NOT EDIT. + +package v1beta1 + +import ( + "github.com/crossplane/crossplane-runtime/apis/common/v1" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ConditionInitParameters) DeepCopyInto(out *ConditionInitParameters) { + *out = *in + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.Expression != nil { + in, out := &in.Expression, &out.Expression + *out = new(string) + **out = **in + } + if in.Location != nil { + in, out := &in.Location, &out.Location + *out = new(string) + **out = **in + } + if in.Title != nil { + in, out := &in.Title, &out.Title + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConditionInitParameters. +func (in *ConditionInitParameters) DeepCopy() *ConditionInitParameters { + if in == nil { + return nil + } + out := new(ConditionInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ConditionObservation) DeepCopyInto(out *ConditionObservation) { + *out = *in + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.Expression != nil { + in, out := &in.Expression, &out.Expression + *out = new(string) + **out = **in + } + if in.Location != nil { + in, out := &in.Location, &out.Location + *out = new(string) + **out = **in + } + if in.Title != nil { + in, out := &in.Title, &out.Title + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConditionObservation. +func (in *ConditionObservation) DeepCopy() *ConditionObservation { + if in == nil { + return nil + } + out := new(ConditionObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ConditionParameters) DeepCopyInto(out *ConditionParameters) { + *out = *in + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.Expression != nil { + in, out := &in.Expression, &out.Expression + *out = new(string) + **out = **in + } + if in.Location != nil { + in, out := &in.Location, &out.Location + *out = new(string) + **out = **in + } + if in.Title != nil { + in, out := &in.Title, &out.Title + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConditionParameters. +func (in *ConditionParameters) DeepCopy() *ConditionParameters { + if in == nil { + return nil + } + out := new(ConditionParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *DryRunSpecInitParameters) DeepCopyInto(out *DryRunSpecInitParameters) { + *out = *in + if in.InheritFromParent != nil { + in, out := &in.InheritFromParent, &out.InheritFromParent + *out = new(bool) + **out = **in + } + if in.Reset != nil { + in, out := &in.Reset, &out.Reset + *out = new(bool) + **out = **in + } + if in.Rules != nil { + in, out := &in.Rules, &out.Rules + *out = make([]RulesInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DryRunSpecInitParameters. +func (in *DryRunSpecInitParameters) DeepCopy() *DryRunSpecInitParameters { + if in == nil { + return nil + } + out := new(DryRunSpecInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *DryRunSpecObservation) DeepCopyInto(out *DryRunSpecObservation) { + *out = *in + if in.Etag != nil { + in, out := &in.Etag, &out.Etag + *out = new(string) + **out = **in + } + if in.InheritFromParent != nil { + in, out := &in.InheritFromParent, &out.InheritFromParent + *out = new(bool) + **out = **in + } + if in.Reset != nil { + in, out := &in.Reset, &out.Reset + *out = new(bool) + **out = **in + } + if in.Rules != nil { + in, out := &in.Rules, &out.Rules + *out = make([]RulesObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.UpdateTime != nil { + in, out := &in.UpdateTime, &out.UpdateTime + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DryRunSpecObservation. 
+func (in *DryRunSpecObservation) DeepCopy() *DryRunSpecObservation { + if in == nil { + return nil + } + out := new(DryRunSpecObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *DryRunSpecParameters) DeepCopyInto(out *DryRunSpecParameters) { + *out = *in + if in.InheritFromParent != nil { + in, out := &in.InheritFromParent, &out.InheritFromParent + *out = new(bool) + **out = **in + } + if in.Reset != nil { + in, out := &in.Reset, &out.Reset + *out = new(bool) + **out = **in + } + if in.Rules != nil { + in, out := &in.Rules, &out.Rules + *out = make([]RulesParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DryRunSpecParameters. +func (in *DryRunSpecParameters) DeepCopy() *DryRunSpecParameters { + if in == nil { + return nil + } + out := new(DryRunSpecParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Policy) DeepCopyInto(out *Policy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy. +func (in *Policy) DeepCopy() *Policy { + if in == nil { + return nil + } + out := new(Policy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *Policy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *PolicyInitParameters) DeepCopyInto(out *PolicyInitParameters) { + *out = *in + if in.DryRunSpec != nil { + in, out := &in.DryRunSpec, &out.DryRunSpec + *out = new(DryRunSpecInitParameters) + (*in).DeepCopyInto(*out) + } + if in.Spec != nil { + in, out := &in.Spec, &out.Spec + *out = new(SpecInitParameters) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyInitParameters. +func (in *PolicyInitParameters) DeepCopy() *PolicyInitParameters { + if in == nil { + return nil + } + out := new(PolicyInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyList) DeepCopyInto(out *PolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]Policy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyList. +func (in *PolicyList) DeepCopy() *PolicyList { + if in == nil { + return nil + } + out := new(PolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *PolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *PolicyObservation) DeepCopyInto(out *PolicyObservation) { + *out = *in + if in.DryRunSpec != nil { + in, out := &in.DryRunSpec, &out.DryRunSpec + *out = new(DryRunSpecObservation) + (*in).DeepCopyInto(*out) + } + if in.Etag != nil { + in, out := &in.Etag, &out.Etag + *out = new(string) + **out = **in + } + if in.ID != nil { + in, out := &in.ID, &out.ID + *out = new(string) + **out = **in + } + if in.Parent != nil { + in, out := &in.Parent, &out.Parent + *out = new(string) + **out = **in + } + if in.Spec != nil { + in, out := &in.Spec, &out.Spec + *out = new(SpecObservation) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyObservation. +func (in *PolicyObservation) DeepCopy() *PolicyObservation { + if in == nil { + return nil + } + out := new(PolicyObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyParameters) DeepCopyInto(out *PolicyParameters) { + *out = *in + if in.DryRunSpec != nil { + in, out := &in.DryRunSpec, &out.DryRunSpec + *out = new(DryRunSpecParameters) + (*in).DeepCopyInto(*out) + } + if in.Parent != nil { + in, out := &in.Parent, &out.Parent + *out = new(string) + **out = **in + } + if in.ParentRef != nil { + in, out := &in.ParentRef, &out.ParentRef + *out = new(v1.Reference) + (*in).DeepCopyInto(*out) + } + if in.ParentSelector != nil { + in, out := &in.ParentSelector, &out.ParentSelector + *out = new(v1.Selector) + (*in).DeepCopyInto(*out) + } + if in.Spec != nil { + in, out := &in.Spec, &out.Spec + *out = new(SpecParameters) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyParameters. 
+func (in *PolicyParameters) DeepCopy() *PolicyParameters { + if in == nil { + return nil + } + out := new(PolicyParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicySpec) DeepCopyInto(out *PolicySpec) { + *out = *in + in.ResourceSpec.DeepCopyInto(&out.ResourceSpec) + in.ForProvider.DeepCopyInto(&out.ForProvider) + in.InitProvider.DeepCopyInto(&out.InitProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicySpec. +func (in *PolicySpec) DeepCopy() *PolicySpec { + if in == nil { + return nil + } + out := new(PolicySpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyStatus) DeepCopyInto(out *PolicyStatus) { + *out = *in + in.ResourceStatus.DeepCopyInto(&out.ResourceStatus) + in.AtProvider.DeepCopyInto(&out.AtProvider) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyStatus. +func (in *PolicyStatus) DeepCopy() *PolicyStatus { + if in == nil { + return nil + } + out := new(PolicyStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *RulesConditionInitParameters) DeepCopyInto(out *RulesConditionInitParameters) { + *out = *in + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.Expression != nil { + in, out := &in.Expression, &out.Expression + *out = new(string) + **out = **in + } + if in.Location != nil { + in, out := &in.Location, &out.Location + *out = new(string) + **out = **in + } + if in.Title != nil { + in, out := &in.Title, &out.Title + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RulesConditionInitParameters. +func (in *RulesConditionInitParameters) DeepCopy() *RulesConditionInitParameters { + if in == nil { + return nil + } + out := new(RulesConditionInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RulesConditionObservation) DeepCopyInto(out *RulesConditionObservation) { + *out = *in + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.Expression != nil { + in, out := &in.Expression, &out.Expression + *out = new(string) + **out = **in + } + if in.Location != nil { + in, out := &in.Location, &out.Location + *out = new(string) + **out = **in + } + if in.Title != nil { + in, out := &in.Title, &out.Title + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RulesConditionObservation. +func (in *RulesConditionObservation) DeepCopy() *RulesConditionObservation { + if in == nil { + return nil + } + out := new(RulesConditionObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *RulesConditionParameters) DeepCopyInto(out *RulesConditionParameters) { + *out = *in + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.Expression != nil { + in, out := &in.Expression, &out.Expression + *out = new(string) + **out = **in + } + if in.Location != nil { + in, out := &in.Location, &out.Location + *out = new(string) + **out = **in + } + if in.Title != nil { + in, out := &in.Title, &out.Title + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RulesConditionParameters. +func (in *RulesConditionParameters) DeepCopy() *RulesConditionParameters { + if in == nil { + return nil + } + out := new(RulesConditionParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RulesInitParameters) DeepCopyInto(out *RulesInitParameters) { + *out = *in + if in.AllowAll != nil { + in, out := &in.AllowAll, &out.AllowAll + *out = new(string) + **out = **in + } + if in.Condition != nil { + in, out := &in.Condition, &out.Condition + *out = new(ConditionInitParameters) + (*in).DeepCopyInto(*out) + } + if in.DenyAll != nil { + in, out := &in.DenyAll, &out.DenyAll + *out = new(string) + **out = **in + } + if in.Enforce != nil { + in, out := &in.Enforce, &out.Enforce + *out = new(string) + **out = **in + } + if in.Values != nil { + in, out := &in.Values, &out.Values + *out = new(ValuesInitParameters) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RulesInitParameters. 
+func (in *RulesInitParameters) DeepCopy() *RulesInitParameters { + if in == nil { + return nil + } + out := new(RulesInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RulesObservation) DeepCopyInto(out *RulesObservation) { + *out = *in + if in.AllowAll != nil { + in, out := &in.AllowAll, &out.AllowAll + *out = new(string) + **out = **in + } + if in.Condition != nil { + in, out := &in.Condition, &out.Condition + *out = new(ConditionObservation) + (*in).DeepCopyInto(*out) + } + if in.DenyAll != nil { + in, out := &in.DenyAll, &out.DenyAll + *out = new(string) + **out = **in + } + if in.Enforce != nil { + in, out := &in.Enforce, &out.Enforce + *out = new(string) + **out = **in + } + if in.Values != nil { + in, out := &in.Values, &out.Values + *out = new(ValuesObservation) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RulesObservation. +func (in *RulesObservation) DeepCopy() *RulesObservation { + if in == nil { + return nil + } + out := new(RulesObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *RulesParameters) DeepCopyInto(out *RulesParameters) { + *out = *in + if in.AllowAll != nil { + in, out := &in.AllowAll, &out.AllowAll + *out = new(string) + **out = **in + } + if in.Condition != nil { + in, out := &in.Condition, &out.Condition + *out = new(ConditionParameters) + (*in).DeepCopyInto(*out) + } + if in.DenyAll != nil { + in, out := &in.DenyAll, &out.DenyAll + *out = new(string) + **out = **in + } + if in.Enforce != nil { + in, out := &in.Enforce, &out.Enforce + *out = new(string) + **out = **in + } + if in.Values != nil { + in, out := &in.Values, &out.Values + *out = new(ValuesParameters) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RulesParameters. +func (in *RulesParameters) DeepCopy() *RulesParameters { + if in == nil { + return nil + } + out := new(RulesParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RulesValuesInitParameters) DeepCopyInto(out *RulesValuesInitParameters) { + *out = *in + if in.AllowedValues != nil { + in, out := &in.AllowedValues, &out.AllowedValues + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.DeniedValues != nil { + in, out := &in.DeniedValues, &out.DeniedValues + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RulesValuesInitParameters. 
+func (in *RulesValuesInitParameters) DeepCopy() *RulesValuesInitParameters { + if in == nil { + return nil + } + out := new(RulesValuesInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RulesValuesObservation) DeepCopyInto(out *RulesValuesObservation) { + *out = *in + if in.AllowedValues != nil { + in, out := &in.AllowedValues, &out.AllowedValues + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.DeniedValues != nil { + in, out := &in.DeniedValues, &out.DeniedValues + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RulesValuesObservation. +func (in *RulesValuesObservation) DeepCopy() *RulesValuesObservation { + if in == nil { + return nil + } + out := new(RulesValuesObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *RulesValuesParameters) DeepCopyInto(out *RulesValuesParameters) { + *out = *in + if in.AllowedValues != nil { + in, out := &in.AllowedValues, &out.AllowedValues + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.DeniedValues != nil { + in, out := &in.DeniedValues, &out.DeniedValues + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RulesValuesParameters. +func (in *RulesValuesParameters) DeepCopy() *RulesValuesParameters { + if in == nil { + return nil + } + out := new(RulesValuesParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SpecInitParameters) DeepCopyInto(out *SpecInitParameters) { + *out = *in + if in.InheritFromParent != nil { + in, out := &in.InheritFromParent, &out.InheritFromParent + *out = new(bool) + **out = **in + } + if in.Reset != nil { + in, out := &in.Reset, &out.Reset + *out = new(bool) + **out = **in + } + if in.Rules != nil { + in, out := &in.Rules, &out.Rules + *out = make([]SpecRulesInitParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpecInitParameters. +func (in *SpecInitParameters) DeepCopy() *SpecInitParameters { + if in == nil { + return nil + } + out := new(SpecInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *SpecObservation) DeepCopyInto(out *SpecObservation) { + *out = *in + if in.Etag != nil { + in, out := &in.Etag, &out.Etag + *out = new(string) + **out = **in + } + if in.InheritFromParent != nil { + in, out := &in.InheritFromParent, &out.InheritFromParent + *out = new(bool) + **out = **in + } + if in.Reset != nil { + in, out := &in.Reset, &out.Reset + *out = new(bool) + **out = **in + } + if in.Rules != nil { + in, out := &in.Rules, &out.Rules + *out = make([]SpecRulesObservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.UpdateTime != nil { + in, out := &in.UpdateTime, &out.UpdateTime + *out = new(string) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpecObservation. +func (in *SpecObservation) DeepCopy() *SpecObservation { + if in == nil { + return nil + } + out := new(SpecObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SpecParameters) DeepCopyInto(out *SpecParameters) { + *out = *in + if in.InheritFromParent != nil { + in, out := &in.InheritFromParent, &out.InheritFromParent + *out = new(bool) + **out = **in + } + if in.Reset != nil { + in, out := &in.Reset, &out.Reset + *out = new(bool) + **out = **in + } + if in.Rules != nil { + in, out := &in.Rules, &out.Rules + *out = make([]SpecRulesParameters, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpecParameters. +func (in *SpecParameters) DeepCopy() *SpecParameters { + if in == nil { + return nil + } + out := new(SpecParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *SpecRulesInitParameters) DeepCopyInto(out *SpecRulesInitParameters) { + *out = *in + if in.AllowAll != nil { + in, out := &in.AllowAll, &out.AllowAll + *out = new(string) + **out = **in + } + if in.Condition != nil { + in, out := &in.Condition, &out.Condition + *out = new(RulesConditionInitParameters) + (*in).DeepCopyInto(*out) + } + if in.DenyAll != nil { + in, out := &in.DenyAll, &out.DenyAll + *out = new(string) + **out = **in + } + if in.Enforce != nil { + in, out := &in.Enforce, &out.Enforce + *out = new(string) + **out = **in + } + if in.Values != nil { + in, out := &in.Values, &out.Values + *out = new(RulesValuesInitParameters) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpecRulesInitParameters. +func (in *SpecRulesInitParameters) DeepCopy() *SpecRulesInitParameters { + if in == nil { + return nil + } + out := new(SpecRulesInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SpecRulesObservation) DeepCopyInto(out *SpecRulesObservation) { + *out = *in + if in.AllowAll != nil { + in, out := &in.AllowAll, &out.AllowAll + *out = new(string) + **out = **in + } + if in.Condition != nil { + in, out := &in.Condition, &out.Condition + *out = new(RulesConditionObservation) + (*in).DeepCopyInto(*out) + } + if in.DenyAll != nil { + in, out := &in.DenyAll, &out.DenyAll + *out = new(string) + **out = **in + } + if in.Enforce != nil { + in, out := &in.Enforce, &out.Enforce + *out = new(string) + **out = **in + } + if in.Values != nil { + in, out := &in.Values, &out.Values + *out = new(RulesValuesObservation) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpecRulesObservation. 
+func (in *SpecRulesObservation) DeepCopy() *SpecRulesObservation { + if in == nil { + return nil + } + out := new(SpecRulesObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SpecRulesParameters) DeepCopyInto(out *SpecRulesParameters) { + *out = *in + if in.AllowAll != nil { + in, out := &in.AllowAll, &out.AllowAll + *out = new(string) + **out = **in + } + if in.Condition != nil { + in, out := &in.Condition, &out.Condition + *out = new(RulesConditionParameters) + (*in).DeepCopyInto(*out) + } + if in.DenyAll != nil { + in, out := &in.DenyAll, &out.DenyAll + *out = new(string) + **out = **in + } + if in.Enforce != nil { + in, out := &in.Enforce, &out.Enforce + *out = new(string) + **out = **in + } + if in.Values != nil { + in, out := &in.Values, &out.Values + *out = new(RulesValuesParameters) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpecRulesParameters. +func (in *SpecRulesParameters) DeepCopy() *SpecRulesParameters { + if in == nil { + return nil + } + out := new(SpecRulesParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ValuesInitParameters) DeepCopyInto(out *ValuesInitParameters) { + *out = *in + if in.AllowedValues != nil { + in, out := &in.AllowedValues, &out.AllowedValues + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.DeniedValues != nil { + in, out := &in.DeniedValues, &out.DeniedValues + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValuesInitParameters. +func (in *ValuesInitParameters) DeepCopy() *ValuesInitParameters { + if in == nil { + return nil + } + out := new(ValuesInitParameters) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ValuesObservation) DeepCopyInto(out *ValuesObservation) { + *out = *in + if in.AllowedValues != nil { + in, out := &in.AllowedValues, &out.AllowedValues + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.DeniedValues != nil { + in, out := &in.DeniedValues, &out.DeniedValues + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValuesObservation. +func (in *ValuesObservation) DeepCopy() *ValuesObservation { + if in == nil { + return nil + } + out := new(ValuesObservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ValuesParameters) DeepCopyInto(out *ValuesParameters) { + *out = *in + if in.AllowedValues != nil { + in, out := &in.AllowedValues, &out.AllowedValues + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } + if in.DeniedValues != nil { + in, out := &in.DeniedValues, &out.DeniedValues + *out = make([]*string, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(string) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValuesParameters. +func (in *ValuesParameters) DeepCopy() *ValuesParameters { + if in == nil { + return nil + } + out := new(ValuesParameters) + in.DeepCopyInto(out) + return out +} diff --git a/apis/orgpolicy/v1beta1/zz_generated.managed.go b/apis/orgpolicy/v1beta1/zz_generated.managed.go new file mode 100644 index 000000000..acdd2450b --- /dev/null +++ b/apis/orgpolicy/v1beta1/zz_generated.managed.go 
@@ -0,0 +1,68 @@
+// SPDX-FileCopyrightText: 2024 The Crossplane Authors
+//
+// SPDX-License-Identifier: Apache-2.0
+// Code generated by angryjet. DO NOT EDIT.
+
+package v1beta1
+
+import xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
+
+// GetCondition of this Policy.
+func (mg *Policy) GetCondition(ct xpv1.ConditionType) xpv1.Condition {
+ return mg.Status.GetCondition(ct)
+}
+
+// GetDeletionPolicy of this Policy.
+func (mg *Policy) GetDeletionPolicy() xpv1.DeletionPolicy {
+ return mg.Spec.DeletionPolicy
+}
+
+// GetManagementPolicies of this Policy.
+func (mg *Policy) GetManagementPolicies() xpv1.ManagementPolicies {
+ return mg.Spec.ManagementPolicies
+}
+
+// GetProviderConfigReference of this Policy.
+func (mg *Policy) GetProviderConfigReference() *xpv1.Reference {
+ return mg.Spec.ProviderConfigReference
+}
+
+// GetPublishConnectionDetailsTo of this Policy.
+func (mg *Policy) GetPublishConnectionDetailsTo() *xpv1.PublishConnectionDetailsTo {
+ return mg.Spec.PublishConnectionDetailsTo
+}
+
+// GetWriteConnectionSecretToReference of this Policy.
+func (mg *Policy) GetWriteConnectionSecretToReference() *xpv1.SecretReference {
+ return mg.Spec.WriteConnectionSecretToReference
+}
+
+// SetConditions of this Policy.
+func (mg *Policy) SetConditions(c ...xpv1.Condition) {
+ mg.Status.SetConditions(c...)
+}
+
+// SetDeletionPolicy of this Policy.
+func (mg *Policy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
+ mg.Spec.DeletionPolicy = r
+}
+
+// SetManagementPolicies of this Policy.
+func (mg *Policy) SetManagementPolicies(r xpv1.ManagementPolicies) {
+ mg.Spec.ManagementPolicies = r
+}
+
+// SetProviderConfigReference of this Policy.
+func (mg *Policy) SetProviderConfigReference(r *xpv1.Reference) {
+ mg.Spec.ProviderConfigReference = r
+}
+
+// SetPublishConnectionDetailsTo of this Policy.
+func (mg *Policy) SetPublishConnectionDetailsTo(r *xpv1.PublishConnectionDetailsTo) {
+ mg.Spec.PublishConnectionDetailsTo = r
+}
+
+// SetWriteConnectionSecretToReference of this Policy.
+func (mg *Policy) SetWriteConnectionSecretToReference(r *xpv1.SecretReference) {
+ mg.Spec.WriteConnectionSecretToReference = r
+}
diff --git a/apis/orgpolicy/v1beta1/zz_generated.managedlist.go b/apis/orgpolicy/v1beta1/zz_generated.managedlist.go
new file mode 100644
index 000000000..905392829
--- /dev/null
+++ b/apis/orgpolicy/v1beta1/zz_generated.managedlist.go
@@ -0,0 +1,17 @@
+// SPDX-FileCopyrightText: 2024 The Crossplane Authors
+//
+// SPDX-License-Identifier: Apache-2.0
+// Code generated by angryjet. DO NOT EDIT.
+
+package v1beta1
+
+import resource "github.com/crossplane/crossplane-runtime/pkg/resource"
+
+// GetItems of this PolicyList.
+func (l *PolicyList) GetItems() []resource.Managed {
+ items := make([]resource.Managed, len(l.Items))
+ for i := range l.Items {
+ items[i] = &l.Items[i]
+ }
+ return items
+}
diff --git a/apis/orgpolicy/v1beta1/zz_generated.resolvers.go b/apis/orgpolicy/v1beta1/zz_generated.resolvers.go
new file mode 100644
index 000000000..b214418bb
--- /dev/null
+++ b/apis/orgpolicy/v1beta1/zz_generated.resolvers.go
@@ -0,0 +1,50 @@
+// SPDX-FileCopyrightText: 2024 The Crossplane Authors
+//
+// SPDX-License-Identifier: Apache-2.0
+// Code generated by angryjet. DO NOT EDIT.
+// Code transformed by upjet. DO NOT EDIT.
+
+package v1beta1
+
+import (
+ "context"
+ reference "github.com/crossplane/crossplane-runtime/pkg/reference"
+ resource "github.com/crossplane/upjet/pkg/resource"
+ errors "github.com/pkg/errors"
+
+ xpresource "github.com/crossplane/crossplane-runtime/pkg/resource"
+ client "sigs.k8s.io/controller-runtime/pkg/client"
+
+ // ResolveReferences of this Policy.
+ apisresolver "github.com/upbound/provider-gcp/internal/apis"
+)
+
+func (mg *Policy) ResolveReferences(ctx context.Context, c client.Reader) error {
+ var m xpresource.Managed
+ var l xpresource.ManagedList
+ r := reference.NewAPIResolver(c, mg)
+
+ var rsp reference.ResolutionResponse
+ var err error
+ {
+ m, l, err = apisresolver.GetManagedResource("cloudplatform.gcp.upbound.io", "v1beta1", "Folder", "FolderList")
+ if err != nil {
+ return errors.Wrap(err, "failed to get the reference target managed resource and its list for reference resolution")
+ }
+
+ rsp, err = r.Resolve(ctx, reference.ResolutionRequest{
+ CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Parent),
+ Extract: resource.ExtractParamPath("name", true),
+ Reference: mg.Spec.ForProvider.ParentRef,
+ Selector: mg.Spec.ForProvider.ParentSelector,
+ To: reference.To{List: l, Managed: m},
+ })
+ }
+ if err != nil {
+ return errors.Wrap(err, "mg.Spec.ForProvider.Parent")
+ }
+ mg.Spec.ForProvider.Parent = reference.ToPtrValue(rsp.ResolvedValue)
+ mg.Spec.ForProvider.ParentRef = rsp.ResolvedReference
+
+ return nil
+}
diff --git a/apis/orgpolicy/v1beta1/zz_groupversion_info.go b/apis/orgpolicy/v1beta1/zz_groupversion_info.go
new file mode 100755
index 000000000..ab645360d
--- /dev/null
+++ b/apis/orgpolicy/v1beta1/zz_groupversion_info.go
@@ -0,0 +1,32 @@
+// SPDX-FileCopyrightText: 2024 The Crossplane Authors
+//
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by upjet. DO NOT EDIT.
+
+// +kubebuilder:object:generate=true
+// +groupName=orgpolicy.gcp.upbound.io
+// +versionName=v1beta1
+package v1beta1
+
+import (
+ "k8s.io/apimachinery/pkg/runtime/schema"
+ "sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+// Package type metadata.
+const (
+ CRDGroup = "orgpolicy.gcp.upbound.io"
+ CRDVersion = "v1beta1"
+)
+
+var (
+ // CRDGroupVersion is the API Group Version used to register the objects
+ CRDGroupVersion = schema.GroupVersion{Group: CRDGroup, Version: CRDVersion}
+
+ // SchemeBuilder is used to add go types to the GroupVersionKind scheme
+ SchemeBuilder = &scheme.Builder{GroupVersion: CRDGroupVersion}
+
+ // AddToScheme adds the types in this group-version to the given scheme.
+ AddToScheme = SchemeBuilder.AddToScheme
+)
diff --git a/apis/orgpolicy/v1beta1/zz_policy_terraformed.go b/apis/orgpolicy/v1beta1/zz_policy_terraformed.go
new file mode 100755
index 000000000..0a7cca7ce
--- /dev/null
+++ b/apis/orgpolicy/v1beta1/zz_policy_terraformed.go
@@ -0,0 +1,129 @@
+// SPDX-FileCopyrightText: 2024 The Crossplane Authors
+//
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by upjet. DO NOT EDIT.
+
+package v1beta1
+
+import (
+ "dario.cat/mergo"
+ "github.com/pkg/errors"
+
+ "github.com/crossplane/upjet/pkg/resource"
+ "github.com/crossplane/upjet/pkg/resource/json"
+)
+
+// GetTerraformResourceType returns Terraform resource type for this Policy
+func (mg *Policy) GetTerraformResourceType() string {
+ return "google_org_policy_policy"
+}
+
+// GetConnectionDetailsMapping for this Policy
+func (tr *Policy) GetConnectionDetailsMapping() map[string]string {
+ return nil
+}
+
+// GetObservation of this Policy
+func (tr *Policy) GetObservation() (map[string]any, error) {
+ o, err := json.TFParser.Marshal(tr.Status.AtProvider)
+ if err != nil {
+ return nil, err
+ }
+ base := map[string]any{}
+ return base, json.TFParser.Unmarshal(o, &base)
+}
+
+// SetObservation for this Policy
+func (tr *Policy) SetObservation(obs map[string]any) error {
+ p, err := json.TFParser.Marshal(obs)
+ if err != nil {
+ return err
+ }
+ return json.TFParser.Unmarshal(p, &tr.Status.AtProvider)
+}
+
+// GetID returns ID of underlying Terraform resource of this Policy
+func (tr *Policy) GetID() string {
+ if tr.Status.AtProvider.ID == nil {
+ return ""
+ }
+ return *tr.Status.AtProvider.ID
+}
+
+// GetParameters of this Policy
+func (tr *Policy) GetParameters() (map[string]any, error) {
+ p, err := json.TFParser.Marshal(tr.Spec.ForProvider)
+ if err != nil {
+ return nil, err
+ }
+ base := map[string]any{}
+ return base, json.TFParser.Unmarshal(p, &base)
+}
+
+// SetParameters for this Policy
+func (tr *Policy) SetParameters(params map[string]any) error {
+ p, err := json.TFParser.Marshal(params)
+ if err != nil {
+ return err
+ }
+ return json.TFParser.Unmarshal(p, &tr.Spec.ForProvider)
+}
+
+// GetInitParameters of this Policy
+func (tr *Policy) GetInitParameters() (map[string]any, error) {
+ p, err := json.TFParser.Marshal(tr.Spec.InitProvider)
+ if err != nil {
+ return nil, err
+ }
+ base := map[string]any{}
+ return base, json.TFParser.Unmarshal(p, &base)
+}
+
+// GetInitParameters of this Policy
+func (tr *Policy) GetMergedParameters(shouldMergeInitProvider bool) (map[string]any, error) {
+ params, err := tr.GetParameters()
+ if err != nil {
+ return nil, errors.Wrapf(err, "cannot get parameters for resource '%q'", tr.GetName())
+ }
+ if !shouldMergeInitProvider {
+ return params, nil
+ }
+
+ initParams, err := tr.GetInitParameters()
+ if err != nil {
+ return nil, errors.Wrapf(err, "cannot get init parameters for resource '%q'", tr.GetName())
+ }
+
+ // Note(lsviben): mergo.WithSliceDeepCopy is needed to merge the
+ // slices from the initProvider to forProvider. As it also sets
+ // overwrite to true, we need to set it back to false, we don't
+ // want to overwrite the forProvider fields with the initProvider
+ // fields.
+ err = mergo.Merge(¶ms, initParams, mergo.WithSliceDeepCopy, func(c *mergo.Config) {
+ c.Overwrite = false
+ })
+ if err != nil {
+ return nil, errors.Wrapf(err, "cannot merge spec.initProvider and spec.forProvider parameters for resource '%q'", tr.GetName())
+ }
+
+ return params, nil
+}
+
+// LateInitialize this Policy using its observed tfState.
+// returns True if there are any spec changes for the resource.
+func (tr *Policy) LateInitialize(attrs []byte) (bool, error) {
+ params := &PolicyParameters{}
+ if err := json.TFParser.Unmarshal(attrs, params); err != nil {
+ return false, errors.Wrap(err, "failed to unmarshal Terraform state parameters for late-initialization")
+ }
+ opts := []resource.GenericLateInitializerOption{resource.WithZeroValueJSONOmitEmptyFilter(resource.CNameWildcard)}
+
+ li := resource.NewGenericLateInitializer(opts...)
+ return li.LateInitialize(&tr.Spec.ForProvider, params)
+}
+
+// GetTerraformSchemaVersion returns the associated Terraform schema version
+func (tr *Policy) GetTerraformSchemaVersion() int {
+ return 0
+}
diff --git a/apis/orgpolicy/v1beta1/zz_policy_types.go b/apis/orgpolicy/v1beta1/zz_policy_types.go
new file mode 100755
index 000000000..587afac76
--- /dev/null
+++ b/apis/orgpolicy/v1beta1/zz_policy_types.go
@@ -0,0 +1,491 @@
+// SPDX-FileCopyrightText: 2024 The Crossplane Authors
+//
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by upjet. DO NOT EDIT.
+
+package v1beta1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+
+ v1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
+)
+
+type ConditionInitParameters struct {
+
+ // Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
+ Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+ // Textual representation of an expression in Common Expression Language syntax.
+ Expression *string `json:"expression,omitempty" tf:"expression,omitempty"`
+
+ // Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
+ Location *string `json:"location,omitempty" tf:"location,omitempty"`
+
+ // Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
+ Title *string `json:"title,omitempty" tf:"title,omitempty"`
+}
+
+type ConditionObservation struct {
+
+ // Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
+ Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+ // Textual representation of an expression in Common Expression Language syntax.
+ Expression *string `json:"expression,omitempty" tf:"expression,omitempty"`
+
+ // Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
+ Location *string `json:"location,omitempty" tf:"location,omitempty"`
+
+ // Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
+ Title *string `json:"title,omitempty" tf:"title,omitempty"`
+}
+
+type ConditionParameters struct {
+
+ // Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
+ // +kubebuilder:validation:Optional
+ Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+ // Textual representation of an expression in Common Expression Language syntax.
+ // +kubebuilder:validation:Optional
+ Expression *string `json:"expression,omitempty" tf:"expression,omitempty"`
+
+ // Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
+ // +kubebuilder:validation:Optional
+ Location *string `json:"location,omitempty" tf:"location,omitempty"`
+
+ // Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
+ // +kubebuilder:validation:Optional
+ Title *string `json:"title,omitempty" tf:"title,omitempty"`
+}
+
+type DryRunSpecInitParameters struct {
+
+ // Determines the inheritance behavior for this policy. If inherit_from_parent is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints.
+ InheritFromParent *bool `json:"inheritFromParent,omitempty" tf:"inherit_from_parent,omitempty"`
+
+ // Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
+ Reset *bool `json:"reset,omitempty" tf:"reset,omitempty"`
+
+ // In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set enforced to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence.
+ Rules []RulesInitParameters `json:"rules,omitempty" tf:"rules,omitempty"`
+}
+
+type DryRunSpecObservation struct {
+
+ // An opaque tag indicating the current version of the policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the policyis returned from either aGetPolicyor aListPoliciesrequest, thisetagindicates the version of the current policy to use when executing a read-modify-write loop. When the policy is returned from aGetEffectivePolicyrequest, theetag` will be unset.
+ Etag *string `json:"etag,omitempty" tf:"etag,omitempty"`
+
+ // Determines the inheritance behavior for this policy. If inherit_from_parent is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints.
+ InheritFromParent *bool `json:"inheritFromParent,omitempty" tf:"inherit_from_parent,omitempty"`
+
+ // Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
+ Reset *bool `json:"reset,omitempty" tf:"reset,omitempty"`
+
+ // In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set enforced to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence.
+ Rules []RulesObservation `json:"rules,omitempty" tf:"rules,omitempty"`
+
+ // Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that policy.
+ UpdateTime *string `json:"updateTime,omitempty" tf:"update_time,omitempty"`
+}
+
+type DryRunSpecParameters struct {
+
+ // Determines the inheritance behavior for this policy. If inherit_from_parent is true, policy rules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this policy becomes the new root for evaluation. This field can be set only for policies which configure list constraints.
+ // +kubebuilder:validation:Optional
+ InheritFromParent *bool `json:"inheritFromParent,omitempty" tf:"inherit_from_parent,omitempty"`
+
+ // Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
+ // +kubebuilder:validation:Optional
+ Reset *bool `json:"reset,omitempty" tf:"reset,omitempty"`
+
+ // In policies for boolean constraints, the following requirements apply: - There must be one and only one policy rule where condition is unset. - Boolean policy rules with conditions must set enforced to the opposite of the policy rule without a condition. - During policy evaluation, policy rules with conditions that are true for a target resource take precedence.
+ // +kubebuilder:validation:Optional
+ Rules []RulesParameters `json:"rules,omitempty" tf:"rules,omitempty"`
+}
+
+type PolicyInitParameters struct {
+
+ // Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced.
+ DryRunSpec *DryRunSpecInitParameters `json:"dryRunSpec,omitempty" tf:"dry_run_spec,omitempty"`
+
+ // Basic information about the Organization Policy.
+ Spec *SpecInitParameters `json:"spec,omitempty" tf:"spec,omitempty"`
+}
+
+type PolicyObservation struct {
+
+ // Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced.
+ DryRunSpec *DryRunSpecObservation `json:"dryRunSpec,omitempty" tf:"dry_run_spec,omitempty"`
+
+ // Optional. An opaque tag indicating the current state of the policy, used for concurrency control. This 'etag' is computed by the server based on the value of other fields, and may be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.
+ Etag *string `json:"etag,omitempty" tf:"etag,omitempty"`
+
+ // an identifier for the resource with format {{parent}}/policies/{{name}}
+ ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+ // The parent of the resource.
+ Parent *string `json:"parent,omitempty" tf:"parent,omitempty"`
+
+ // Basic information about the Organization Policy.
+ Spec *SpecObservation `json:"spec,omitempty" tf:"spec,omitempty"`
+}
+
+type PolicyParameters struct {
+
+ // Dry-run policy. Audit-only policy, can be used to monitor how the policy would have impacted the existing and future resources if it's enforced.
+ // +kubebuilder:validation:Optional
+ DryRunSpec *DryRunSpecParameters `json:"dryRunSpec,omitempty" tf:"dry_run_spec,omitempty"`
+
+ // The parent of the resource.
+ // +crossplane:generate:reference:type=github.com/upbound/provider-gcp/apis/cloudplatform/v1beta1.Folder
+ // +crossplane:generate:reference:extractor=github.com/crossplane/upjet/pkg/resource.ExtractParamPath("name",true)
+ // +kubebuilder:validation:Optional
+ Parent *string `json:"parent,omitempty" tf:"parent,omitempty"`
+
+ // Reference to a Folder in cloudplatform to populate parent.
+ // +kubebuilder:validation:Optional
+ ParentRef *v1.Reference `json:"parentRef,omitempty" tf:"-"`
+
+ // Selector for a Folder in cloudplatform to populate parent.
+ // +kubebuilder:validation:Optional
+ ParentSelector *v1.Selector `json:"parentSelector,omitempty" tf:"-"`
+
+ // Basic information about the Organization Policy.
+ // +kubebuilder:validation:Optional
+ Spec *SpecParameters `json:"spec,omitempty" tf:"spec,omitempty"`
+}
+
+type RulesConditionInitParameters struct {
+
+ // Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
+ Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+ // Textual representation of an expression in Common Expression Language syntax.
+ Expression *string `json:"expression,omitempty" tf:"expression,omitempty"`
+
+ // Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
+ Location *string `json:"location,omitempty" tf:"location,omitempty"`
+
+ // Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
+ Title *string `json:"title,omitempty" tf:"title,omitempty"`
+}
+
+type RulesConditionObservation struct {
+
+ // Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
+ Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+ // Textual representation of an expression in Common Expression Language syntax.
+ Expression *string `json:"expression,omitempty" tf:"expression,omitempty"`
+
+ // Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
+ Location *string `json:"location,omitempty" tf:"location,omitempty"`
+
+ // Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
+ Title *string `json:"title,omitempty" tf:"title,omitempty"`
+}
+
+type RulesConditionParameters struct {
+
+ // Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
+ // +kubebuilder:validation:Optional
+ Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+ // Textual representation of an expression in Common Expression Language syntax.
+ // +kubebuilder:validation:Optional
+ Expression *string `json:"expression,omitempty" tf:"expression,omitempty"`
+
+ // Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
+ // +kubebuilder:validation:Optional
+ Location *string `json:"location,omitempty" tf:"location,omitempty"`
+
+ // Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
+ // +kubebuilder:validation:Optional
+ Title *string `json:"title,omitempty" tf:"title,omitempty"`
+}
+
+type RulesInitParameters struct {
+
+ // Setting this to "TRUE" means that all values are allowed. This field can be set only in policies for list constraints.
+ AllowAll *string `json:"allowAll,omitempty" tf:"allow_all,omitempty"`
+
+ // A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')".
+ Condition *ConditionInitParameters `json:"condition,omitempty" tf:"condition,omitempty"`
+
+ // Setting this to "TRUE" means that all values are denied. This field can be set only in policies for list constraints.
+ DenyAll *string `json:"denyAll,omitempty" tf:"deny_all,omitempty"`
+
+ // If "TRUE", then the policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in policies for boolean constraints.
+ Enforce *string `json:"enforce,omitempty" tf:"enforce,omitempty"`
+
+ // List of values to be used for this policy rule. This field can be set only in policies for list constraints.
+ Values *ValuesInitParameters `json:"values,omitempty" tf:"values,omitempty"`
+}
+
+type RulesObservation struct {
+
+ // Setting this to "TRUE" means that all values are allowed. This field can be set only in policies for list constraints.
+ AllowAll *string `json:"allowAll,omitempty" tf:"allow_all,omitempty"`
+
+ // A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')".
+ Condition *ConditionObservation `json:"condition,omitempty" tf:"condition,omitempty"`
+
+ // Setting this to "TRUE" means that all values are denied. This field can be set only in policies for list constraints.
+ DenyAll *string `json:"denyAll,omitempty" tf:"deny_all,omitempty"`
+
+ // If "TRUE", then the policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in policies for boolean constraints.
+ Enforce *string `json:"enforce,omitempty" tf:"enforce,omitempty"`
+
+ // List of values to be used for this policy rule. This field can be set only in policies for list constraints.
+ Values *ValuesObservation `json:"values,omitempty" tf:"values,omitempty"`
+}
+
+type RulesParameters struct {
+
+ // Setting this to "TRUE" means that all values are allowed. This field can be set only in policies for list constraints.
+ // +kubebuilder:validation:Optional
+ AllowAll *string `json:"allowAll,omitempty" tf:"allow_all,omitempty"`
+
+ // A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')".
+ // +kubebuilder:validation:Optional
+ Condition *ConditionParameters `json:"condition,omitempty" tf:"condition,omitempty"`
+
+ // Setting this to "TRUE" means that all values are denied. This field can be set only in policies for list constraints.
+ // +kubebuilder:validation:Optional
+ DenyAll *string `json:"denyAll,omitempty" tf:"deny_all,omitempty"`
+
+ // If "TRUE", then the policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in policies for boolean constraints.
+ // +kubebuilder:validation:Optional
+ Enforce *string `json:"enforce,omitempty" tf:"enforce,omitempty"`
+
+ // List of values to be used for this policy rule. This field can be set only in policies for list constraints.
+ // +kubebuilder:validation:Optional
+ Values *ValuesParameters `json:"values,omitempty" tf:"values,omitempty"`
+}
+
+type RulesValuesInitParameters struct {
+
+ // List of values allowed at this resource.
+ AllowedValues []*string `json:"allowedValues,omitempty" tf:"allowed_values,omitempty"`
+
+ // List of values denied at this resource.
+ DeniedValues []*string `json:"deniedValues,omitempty" tf:"denied_values,omitempty"`
+}
+
+type RulesValuesObservation struct {
+
+ // List of values allowed at this resource.
+ AllowedValues []*string `json:"allowedValues,omitempty" tf:"allowed_values,omitempty"`
+
+ // List of values denied at this resource.
+ DeniedValues []*string `json:"deniedValues,omitempty" tf:"denied_values,omitempty"`
+}
+
+type RulesValuesParameters struct {
+
+ // List of values allowed at this resource.
+ // +kubebuilder:validation:Optional
+ AllowedValues []*string `json:"allowedValues,omitempty" tf:"allowed_values,omitempty"`
+
+ // List of values denied at this resource.
+ // +kubebuilder:validation:Optional
+ DeniedValues []*string `json:"deniedValues,omitempty" tf:"denied_values,omitempty"`
+}
+
+type SpecInitParameters struct {
+
+ // Determines the inheritance behavior for this Policy. If inherit_from_parent is true, PolicyRules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this Policy becomes the new root for evaluation. This field can be set only for Policies which configure list constraints.
+ InheritFromParent *bool `json:"inheritFromParent,omitempty" tf:"inherit_from_parent,omitempty"`
+
+ // Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific Constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
+ Reset *bool `json:"reset,omitempty" tf:"reset,omitempty"`
+
+ // Up to 10 PolicyRules are allowed. In Policies for boolean constraints, the following requirements apply: - There must be one and only one PolicyRule where condition is unset. - BooleanPolicyRules with conditions must set enforced to the opposite of the PolicyRule without a condition. - During policy evaluation, PolicyRules with conditions that are true for a target resource take precedence.
+ Rules []SpecRulesInitParameters `json:"rules,omitempty" tf:"rules,omitempty"`
+}
+
+type SpecObservation struct {
+
+ // An opaque tag indicating the current version of the Policy, used for concurrency control. This field is ignored if used in a CreatePolicy request. When the Policy is returned from either a GetPolicy or a ListPolicies request, this etag indicates the version of the current Policy to use when executing a read-modify-write loop. When the Policy is returned from a GetEffectivePolicy request, the etag will be unset.
+ Etag *string `json:"etag,omitempty" tf:"etag,omitempty"`
+
+ // Determines the inheritance behavior for this Policy. If inherit_from_parent is true, PolicyRules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this Policy becomes the new root for evaluation. This field can be set only for Policies which configure list constraints.
+ InheritFromParent *bool `json:"inheritFromParent,omitempty" tf:"inherit_from_parent,omitempty"`
+
+ // Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific Constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
+ Reset *bool `json:"reset,omitempty" tf:"reset,omitempty"`
+
+ // Up to 10 PolicyRules are allowed. In Policies for boolean constraints, the following requirements apply: - There must be one and only one PolicyRule where condition is unset. - BooleanPolicyRules with conditions must set enforced to the opposite of the PolicyRule without a condition. - During policy evaluation, PolicyRules with conditions that are true for a target resource take precedence.
+ Rules []SpecRulesObservation `json:"rules,omitempty" tf:"rules,omitempty"`
+
+ // Output only. The time stamp this was previously updated. This represents the last time a call to CreatePolicy or UpdatePolicy was made for that Policy.
+ UpdateTime *string `json:"updateTime,omitempty" tf:"update_time,omitempty"`
+}
+
+type SpecParameters struct {
+
+ // Determines the inheritance behavior for this Policy. If inherit_from_parent is true, PolicyRules set higher up in the hierarchy (up to the closest root) are inherited and present in the effective policy. If it is false, then no rules are inherited, and this Policy becomes the new root for evaluation. This field can be set only for Policies which configure list constraints.
+ // +kubebuilder:validation:Optional
+ InheritFromParent *bool `json:"inheritFromParent,omitempty" tf:"inherit_from_parent,omitempty"`
+
+ // Ignores policies set above this resource and restores the constraint_default enforcement behavior of the specific Constraint at this resource. This field can be set in policies for either list or boolean constraints. If set, rules must be empty and inherit_from_parent must be set to false.
+ // +kubebuilder:validation:Optional
+ Reset *bool `json:"reset,omitempty" tf:"reset,omitempty"`
+
+ // Up to 10 PolicyRules are allowed. In Policies for boolean constraints, the following requirements apply: - There must be one and only one PolicyRule where condition is unset. - BooleanPolicyRules with conditions must set enforced to the opposite of the PolicyRule without a condition. - During policy evaluation, PolicyRules with conditions that are true for a target resource take precedence.
+ // +kubebuilder:validation:Optional
+ Rules []SpecRulesParameters `json:"rules,omitempty" tf:"rules,omitempty"`
+}
+
+type SpecRulesInitParameters struct {
+
+ // Setting this to "TRUE" means that all values are allowed. This field can be set only in policies for list constraints.
+ AllowAll *string `json:"allowAll,omitempty" tf:"allow_all,omitempty"`
+
+ // A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')".
+ Condition *RulesConditionInitParameters `json:"condition,omitempty" tf:"condition,omitempty"`
+
+ // Setting this to "TRUE" means that all values are denied. This field can be set only in policies for list constraints.
+ DenyAll *string `json:"denyAll,omitempty" tf:"deny_all,omitempty"`
+
+ // If "TRUE", then the policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in policies for boolean constraints.
+ Enforce *string `json:"enforce,omitempty" tf:"enforce,omitempty"`
+
+ // List of values to be used for this policy rule. This field can be set only in policies for list constraints.
+ Values *RulesValuesInitParameters `json:"values,omitempty" tf:"values,omitempty"`
+}
+
+type SpecRulesObservation struct {
+
+ // Setting this to "TRUE" means that all values are allowed. This field can be set only in policies for list constraints.
+ AllowAll *string `json:"allowAll,omitempty" tf:"allow_all,omitempty"`
+
+ // A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')".
+ Condition *RulesConditionObservation `json:"condition,omitempty" tf:"condition,omitempty"`
+
+ // Setting this to "TRUE" means that all values are denied. This field can be set only in policies for list constraints.
+ DenyAll *string `json:"denyAll,omitempty" tf:"deny_all,omitempty"`
+
+ // If "TRUE", then the policy is enforced.
If "FALSE", then any configuration is acceptable. This field can be set only in policies for boolean constraints. + Enforce *string `json:"enforce,omitempty" tf:"enforce,omitempty"` + + // List of values to be used for this policy rule. This field can be set only in policies for list constraints. + Values *RulesValuesObservation `json:"values,omitempty" tf:"values,omitempty"` +} + +type SpecRulesParameters struct { + + // Setting this to "TRUE" means that all values are allowed. This field can be set only in policies for list constraints. + // +kubebuilder:validation:Optional + AllowAll *string `json:"allowAll,omitempty" tf:"allow_all,omitempty"` + + // A condition which determines whether this rule is used in the evaluation of the policy. When set, the expression field in the `Expr' must include from 1 to 10 subexpressions, joined by the "||" or "&&" operators. Each subexpression must be of the form "resource.matchTag('/tag_key_short_name, 'tag_value_short_name')". or "resource.matchTagId('tagKeys/key_id', 'tagValues/value_id')". where key_name and value_name are the resource names for Label Keys and Values. These names are available from the Tag Manager Service. An example expression is: "resource.matchTag('123456789/environment, 'prod')". or "resource.matchTagId('tagKeys/123', 'tagValues/456')". + // +kubebuilder:validation:Optional + Condition *RulesConditionParameters `json:"condition,omitempty" tf:"condition,omitempty"` + + // Setting this to "TRUE" means that all values are denied. This field can be set only in policies for list constraints. + // +kubebuilder:validation:Optional + DenyAll *string `json:"denyAll,omitempty" tf:"deny_all,omitempty"` + + // If "TRUE", then the policy is enforced. If "FALSE", then any configuration is acceptable. This field can be set only in policies for boolean constraints. 
+ // +kubebuilder:validation:Optional + Enforce *string `json:"enforce,omitempty" tf:"enforce,omitempty"` + + // List of values to be used for this policy rule. This field can be set only in policies for list constraints. + // +kubebuilder:validation:Optional + Values *RulesValuesParameters `json:"values,omitempty" tf:"values,omitempty"` +} + +type ValuesInitParameters struct { + + // List of values allowed at this resource. + AllowedValues []*string `json:"allowedValues,omitempty" tf:"allowed_values,omitempty"` + + // List of values denied at this resource. + DeniedValues []*string `json:"deniedValues,omitempty" tf:"denied_values,omitempty"` +} + +type ValuesObservation struct { + + // List of values allowed at this resource. + AllowedValues []*string `json:"allowedValues,omitempty" tf:"allowed_values,omitempty"` + + // List of values denied at this resource. + DeniedValues []*string `json:"deniedValues,omitempty" tf:"denied_values,omitempty"` +} + +type ValuesParameters struct { + + // List of values allowed at this resource. + // +kubebuilder:validation:Optional + AllowedValues []*string `json:"allowedValues,omitempty" tf:"allowed_values,omitempty"` + + // List of values denied at this resource. + // +kubebuilder:validation:Optional + DeniedValues []*string `json:"deniedValues,omitempty" tf:"denied_values,omitempty"` +} + +// PolicySpec defines the desired state of Policy +type PolicySpec struct { + v1.ResourceSpec `json:",inline"` + ForProvider PolicyParameters `json:"forProvider"` + // THIS IS A BETA FIELD. It will be honored + // unless the Management Policies feature flag is disabled. + // InitProvider holds the same fields as ForProvider, with the exception + // of Identifier and other resource reference fields. The fields that are + // in InitProvider are merged into ForProvider when the resource is created. + // The same fields are also added to the terraform ignore_changes hook, to + // avoid updating them after creation. 
This is useful for fields that are + // required on creation, but we do not desire to update them after creation, + // for example because of an external controller is managing them, like an + // autoscaler. + InitProvider PolicyInitParameters `json:"initProvider,omitempty"` +} + +// PolicyStatus defines the observed state of Policy. +type PolicyStatus struct { + v1.ResourceStatus `json:",inline"` + AtProvider PolicyObservation `json:"atProvider,omitempty"` +} + +// +kubebuilder:object:root=true +// +kubebuilder:subresource:status +// +kubebuilder:storageversion + +// Policy is the Schema for the Policys API. An organization policy gives you programmatic control over your organization's cloud resources. Using Organization Policies, you will be able to configure constraints across your entire resource hierarchy. +// +kubebuilder:printcolumn:name="SYNCED",type="string",JSONPath=".status.conditions[?(@.type=='Synced')].status" +// +kubebuilder:printcolumn:name="READY",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status" +// +kubebuilder:printcolumn:name="EXTERNAL-NAME",type="string",JSONPath=".metadata.annotations.crossplane\\.io/external-name" +// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:resource:scope=Cluster,categories={crossplane,managed,gcp} +type Policy struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + Spec PolicySpec `json:"spec"` + Status PolicyStatus `json:"status,omitempty"` +} + +// +kubebuilder:object:root=true + +// PolicyList contains a list of Policys +type PolicyList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []Policy `json:"items"` +} + +// Repository type metadata. +var ( + Policy_Kind = "Policy" + Policy_GroupKind = schema.GroupKind{Group: CRDGroup, Kind: Policy_Kind}.String() + Policy_KindAPIVersion = Policy_Kind + "." 
+ CRDGroupVersion.String() + Policy_GroupVersionKind = CRDGroupVersion.WithKind(Policy_Kind) +) + +func init() { + SchemeBuilder.Register(&Policy{}, &PolicyList{}) +} diff --git a/apis/zz_register.go b/apis/zz_register.go index 3e95ce170..b685c7d97 100755 --- a/apis/zz_register.go +++ b/apis/zz_register.go @@ -114,6 +114,7 @@ import ( v1beta2networkmanagement "github.com/upbound/provider-gcp/apis/networkmanagement/v1beta2" v1beta1notebooks "github.com/upbound/provider-gcp/apis/notebooks/v1beta1" v1beta2notebooks "github.com/upbound/provider-gcp/apis/notebooks/v1beta2" + v1beta1orgpolicy "github.com/upbound/provider-gcp/apis/orgpolicy/v1beta1" v1beta1osconfig "github.com/upbound/provider-gcp/apis/osconfig/v1beta1" v1beta2osconfig "github.com/upbound/provider-gcp/apis/osconfig/v1beta2" v1beta1oslogin "github.com/upbound/provider-gcp/apis/oslogin/v1beta1" @@ -255,6 +256,7 @@ func init() { v1beta2networkmanagement.SchemeBuilder.AddToScheme, v1beta1notebooks.SchemeBuilder.AddToScheme, v1beta2notebooks.SchemeBuilder.AddToScheme, + v1beta1orgpolicy.SchemeBuilder.AddToScheme, v1beta1osconfig.SchemeBuilder.AddToScheme, v1beta2osconfig.SchemeBuilder.AddToScheme, v1beta1oslogin.SchemeBuilder.AddToScheme, diff --git a/cmd/provider/orgpolicy/zz_main.go b/cmd/provider/orgpolicy/zz_main.go new file mode 100644 index 000000000..568c8838a --- /dev/null +++ b/cmd/provider/orgpolicy/zz_main.go 
@@ -0,0 +1,221 @@ +// SPDX-FileCopyrightText: 2024 The Crossplane Authors +// +// SPDX-License-Identifier: Apache-2.0 + +package main + +import ( + "context" + "fmt" + "io" + "log" + "os" + "path/filepath" + "time" + + xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1" + "github.com/crossplane/crossplane-runtime/pkg/certificates" + xpcontroller "github.com/crossplane/crossplane-runtime/pkg/controller" + "github.com/crossplane/crossplane-runtime/pkg/feature" + "github.com/crossplane/crossplane-runtime/pkg/logging" + "github.com/crossplane/crossplane-runtime/pkg/ratelimiter" + "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed" + "github.com/crossplane/crossplane-runtime/pkg/resource" + "github.com/crossplane/crossplane-runtime/pkg/statemetrics" + tjcontroller "github.com/crossplane/upjet/pkg/controller" + "github.com/crossplane/upjet/pkg/controller/conversion" + "gopkg.in/alecthomas/kingpin.v2" + kerrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + _ "k8s.io/client-go/plugin/pkg/client/auth/gcp" + "k8s.io/client-go/tools/leaderelection/resourcelock" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/cache" + "sigs.k8s.io/controller-runtime/pkg/log/zap" + "sigs.k8s.io/controller-runtime/pkg/metrics" + "sigs.k8s.io/controller-runtime/pkg/webhook" + + "github.com/upbound/provider-gcp/apis" + "github.com/upbound/provider-gcp/apis/v1alpha1" + "github.com/upbound/provider-gcp/config" + resolverapis "github.com/upbound/provider-gcp/internal/apis" + "github.com/upbound/provider-gcp/internal/clients" + "github.com/upbound/provider-gcp/internal/controller" + "github.com/upbound/provider-gcp/internal/features" +) + +const ( + webhookTLSCertDirEnvVar = "WEBHOOK_TLS_CERT_DIR" + tlsServerCertDirEnvVar = "TLS_SERVER_CERTS_DIR" + certsDirEnvVar = "CERTS_DIR" + tlsServerCertDir = "/tls/server" +) + +func deprecationAction(flagName string) kingpin.Action { + return func(c 
*kingpin.ParseContext) error { + _, err := fmt.Fprintf(os.Stderr, "warning: Command-line flag %q is deprecated and no longer used. It will be removed in a future release. Please remove it from all of your configurations (ControllerConfigs, etc.).\n", flagName) + kingpin.FatalIfError(err, "Failed to print the deprecation notice.") + return nil + } +} + +func main() { + var ( + app = kingpin.New(filepath.Base(os.Args[0]), "Terraform based Crossplane provider for GCP").DefaultEnvars() + debug = app.Flag("debug", "Run with debug logging.").Short('d').Bool() + syncInterval = app.Flag("sync", "Sync interval controls how often all resources will be double checked for drift.").Short('s').Default("1h").Duration() + pollInterval = app.Flag("poll", "Poll interval controls how often an individual resource should be checked for drift.").Default("10m").Duration() + pollStateMetricInterval = app.Flag("poll-state-metric", "State metric recording interval").Default("5s").Duration() + leaderElection = app.Flag("leader-election", "Use leader election for the controller manager.").Short('l').Default("false").OverrideDefaultFromEnvar("LEADER_ELECTION").Bool() + maxReconcileRate = app.Flag("max-reconcile-rate", "The global maximum rate per second at which resources may checked for drift from the desired state.").Default("100").Int() + + namespace = app.Flag("namespace", "Namespace used to set as default scope in default secret store config.").Default("crossplane-system").Envar("POD_NAMESPACE").String() + essTLSCertsPath = app.Flag("ess-tls-cert-dir", "Path of ESS TLS certificates.").Envar("ESS_TLS_CERTS_DIR").String() + enableExternalSecretStores = app.Flag("enable-external-secret-stores", "Enable support for ExternalSecretStores.").Default("false").Envar("ENABLE_EXTERNAL_SECRET_STORES").Bool() + enableManagementPolicies = app.Flag("enable-management-policies", "Enable support for Management Policies.").Default("true").Envar("ENABLE_MANAGEMENT_POLICIES").Bool() + + certsDirSet = false + 
// we record whether the command-line option "--certs-dir" was supplied + // in the registered PreAction for the flag. + certsDir = app.Flag("certs-dir", "The directory that contains the server key and certificate.").Default(tlsServerCertDir).Envar(certsDirEnvVar).PreAction(func(_ *kingpin.ParseContext) error { + certsDirSet = true + return nil + }).String() + + // now deprecated command-line arguments with the Terraform SDK-based upjet architecture + _ = app.Flag("provider-ttl", "[DEPRECATED: This option is no longer used and it will be removed in a future release.] TTL for the native plugin processes before they are replaced. Changing the default may increase memory consumption.").Hidden().Action(deprecationAction("provider-ttl")).Int() + _ = app.Flag("terraform-version", "[DEPRECATED: This option is no longer used and it will be removed in a future release.] Terraform version.").Envar("TERRAFORM_VERSION").Hidden().Action(deprecationAction("terraform-version")).String() + _ = app.Flag("terraform-provider-version", "[DEPRECATED: This option is no longer used and it will be removed in a future release.] Terraform provider version.").Envar("TERRAFORM_PROVIDER_VERSION").Hidden().Action(deprecationAction("terraform-provider-version")).String() + _ = app.Flag("terraform-native-provider-path", "[DEPRECATED: This option is no longer used and it will be removed in a future release.] Terraform native provider path for shared execution.").Envar("TERRAFORM_NATIVE_PROVIDER_PATH").Hidden().Action(deprecationAction("terraform-native-provider-path")).String() + _ = app.Flag("terraform-provider-source", "[DEPRECATED: This option is no longer used and it will be removed in a future release.] 
Terraform provider source.").Envar("TERRAFORM_PROVIDER_SOURCE").Hidden().Action(deprecationAction("terraform-provider-source")).String() + ) + + kingpin.MustParse(app.Parse(os.Args[1:])) + log.Default().SetOutput(io.Discard) + ctrl.SetLogger(zap.New(zap.WriteTo(io.Discard))) + + zl := zap.New(zap.UseDevMode(*debug)) + logr := logging.NewLogrLogger(zl.WithName("provider-gcp")) + if *debug { + // The controller-runtime runs with a no-op logger by default. It is + // *very* verbose even at info level, so we only provide it a real + // logger when we're running in debug mode. + ctrl.SetLogger(zl) + } + + // currently, we configure the jitter to be the 5% of the poll interval + pollJitter := time.Duration(float64(*pollInterval) * 0.05) + logr.Debug("Starting", "sync-interval", syncInterval.String(), + "poll-interval", pollInterval.String(), "poll-jitter", pollJitter, "max-reconcile-rate", *maxReconcileRate) + + cfg, err := ctrl.GetConfig() + kingpin.FatalIfError(err, "Cannot get API server rest config") + + // Get the TLS certs directory from the environment variables set by + // Crossplane if they're available. + // In older XP versions we used WEBHOOK_TLS_CERT_DIR, in newer versions + // we use TLS_SERVER_CERTS_DIR. If an explicit certs dir is not supplied + // via the command-line options, then these environment variables are used + // instead. + if !certsDirSet { + // backwards-compatibility concerns + xpCertsDir := os.Getenv(certsDirEnvVar) + if xpCertsDir == "" { + xpCertsDir = os.Getenv(tlsServerCertDirEnvVar) + } + if xpCertsDir == "" { + xpCertsDir = os.Getenv(webhookTLSCertDirEnvVar) + } + // we probably don't need this condition but just to be on the + // safe side, if we are missing any kingpin machinery details... 
+ if xpCertsDir != "" { + *certsDir = xpCertsDir + } + } + + mgr, err := ctrl.NewManager(ratelimiter.LimitRESTConfig(cfg, *maxReconcileRate), ctrl.Options{ + LeaderElection: *leaderElection, + LeaderElectionID: "crossplane-leader-election-provider-gcp-orgpolicy", + Cache: cache.Options{ + SyncPeriod: syncInterval, + }, + WebhookServer: webhook.NewServer( + webhook.Options{ + CertDir: *certsDir, + }), + LeaderElectionResourceLock: resourcelock.LeasesResourceLock, + LeaseDuration: func() *time.Duration { d := 60 * time.Second; return &d }(), + RenewDeadline: func() *time.Duration { d := 50 * time.Second; return &d }(), + }) + kingpin.FatalIfError(err, "Cannot create controller manager") + kingpin.FatalIfError(apis.AddToScheme(mgr.GetScheme()), "Cannot add GCP APIs to scheme") + kingpin.FatalIfError(resolverapis.BuildScheme(apis.AddToSchemes), "Cannot register the GCP APIs with the API resolver's runtime scheme") + + metricRecorder := managed.NewMRMetricRecorder() + stateMetrics := statemetrics.NewMRStateMetrics() + + metrics.Registry.MustRegister(metricRecorder) + metrics.Registry.MustRegister(stateMetrics) + + ctx := context.Background() + provider, err := config.GetProvider(ctx, false) + kingpin.FatalIfError(err, "Cannot initialize the provider configuration") + o := tjcontroller.Options{ + Options: xpcontroller.Options{ + Logger: logr, + GlobalRateLimiter: ratelimiter.NewGlobal(*maxReconcileRate), + PollInterval: *pollInterval, + MaxConcurrentReconciles: *maxReconcileRate, + Features: &feature.Flags{}, + MetricOptions: &xpcontroller.MetricOptions{ + PollStateMetricInterval: *pollStateMetricInterval, + MRMetrics: metricRecorder, + MRStateMetrics: stateMetrics, + }, + }, + Provider: provider, + SetupFn: clients.TerraformSetupBuilder(provider.TerraformProvider), + PollJitter: pollJitter, + OperationTrackerStore: tjcontroller.NewOperationStore(logr), + StartWebhooks: *certsDir != "", + } + + if *enableManagementPolicies { + 
o.Features.Enable(features.EnableBetaManagementPolicies) + logr.Info("Beta feature enabled", "flag", features.EnableBetaManagementPolicies) + } + + if *enableExternalSecretStores { + o.SecretStoreConfigGVK = &v1alpha1.StoreConfigGroupVersionKind + logr.Info("Alpha feature enabled", "flag", features.EnableAlphaExternalSecretStores) + + o.ESSOptions = &tjcontroller.ESSOptions{} + if *essTLSCertsPath != "" { + logr.Info("ESS TLS certificates path is set. Loading mTLS configuration.") + tCfg, err := certificates.LoadMTLSConfig(filepath.Join(*essTLSCertsPath, "ca.crt"), filepath.Join(*essTLSCertsPath, "tls.crt"), filepath.Join(*essTLSCertsPath, "tls.key"), false) + kingpin.FatalIfError(err, "Cannot load ESS TLS config.") + + o.ESSOptions.TLSConfig = tCfg + } + + // Ensure default store config exists. + kingpin.FatalIfError(resource.Ignore(kerrors.IsAlreadyExists, mgr.GetClient().Create(ctx, &v1alpha1.StoreConfig{ + TypeMeta: metav1.TypeMeta{}, + ObjectMeta: metav1.ObjectMeta{ + Name: "default", + }, + Spec: v1alpha1.StoreConfigSpec{ + // NOTE(turkenh): We only set required spec and expect optional + // ones to properly be initialized with CRD level default values. + SecretStoreConfig: xpv1.SecretStoreConfig{ + DefaultScope: *namespace, + }, + }, + Status: v1alpha1.StoreConfigStatus{}, + })), "cannot create default store config") + } + + kingpin.FatalIfError(conversion.RegisterConversions(o.Provider), "Cannot initialize the webhook conversion registry") + kingpin.FatalIfError(controller.Setup_orgpolicy(mgr, o), "Cannot setup GCP controllers") + kingpin.FatalIfError(mgr.Start(ctrl.SetupSignalHandler()), "Cannot start controller manager") +} diff --git a/config/externalname.go b/config/externalname.go index 91cb86274..38e8ac93c 100644 --- a/config/externalname.go +++ b/config/externalname.go 
@@ -1002,6 +1002,11 @@ var terraformPluginSDKExternalNameConfigs = map[string]config.ExternalName{
 // Imported by using the following projects/{{project}}/locations/global/certificateMaps/{{map}}/certificateMapEntries/{{name}}
 "google_certificate_manager_certificate_map_entry": config.TemplatedStringAsIdentifier("name", "projects/{{ .setup.configuration.project }}/locations/global/certificateMaps/{{ .parameters.map }}/certificateMapEntries/{{ .external_name }}"),
 
+ // orgpolicy
+ //
+ // Imported by using the following {{parent}}/policies/{{name}}
+ "google_org_policy_policy": config.TemplatedStringAsIdentifier("name", "{{ .parameters.parent }}/policies/{{ .external_name }}"),
+
 // tags
 //
 // Imported by using the following tagBindings/{{name}}
diff --git a/config/externalnamenottested.go b/config/externalnamenottested.go
index 55a36e593..029bc8978 100644
--- a/config/externalnamenottested.go
+++ b/config/externalnamenottested.go
@@ -428,11 +428,6 @@ var ExternalNameNotTestedConfigs = map[string]config.ExternalName{
 // Imported by using the following projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{tunnel_instance}} roles/iap.tunnelResourceAccessor user:jane@example.com
 "google_iap_tunnel_instance_iam_member": config.IdentifierFromProvider,
 
- // orgpolicy
- //
- // Imported by using the following {{parent}}/policies/{{name}}
- "google_org_policy_policy": config.TemplatedStringAsIdentifier("name", "{{ .parameters.parent }}/policies/{{ .external_name }}"),
-
 // tags
 //
 // Imported by using the following tagKeys/{{tag_key}} roles/viewer user:jane@example.com
diff --git a/config/generated.lst b/config/generated.lst
index 9600f67d8..58148d042 100644
--- a/config/generated.lst
+++ b/config/generated.lst
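Review bot: The comment on the new `google_org_policy_policy` entry should say what `{{name}}` stands for, because for this resource it is not a free-form identifier: if I read the upstream resource's name format correctly, the segment after `/policies/` is the name of the constraint the policy configures, so that is the value users must put in `metadata.name` or the external-name annotation for the templated import to resolve. Suggest `// Imported by using the following {{parent}}/policies/{{name}}, where {{name}} is the constraint the policy configures (e.g. compute.disableSerialPortAccess)`. Since `.parameters.parent` selects the level at which the constraint is enforced (organization, folder or project, if I recall the API correctly), a short remark that the parent sets the policy's blast radius would also help readers of this table.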
@@ -1 +1 @@ -["google_access_context_manager_access_level","google_access_context_manager_access_level_condition","google_access_context_manager_access_policy","google_access_context_manager_access_policy_iam_member","google_access_context_manager_service_perimeter","google_access_context_manager_service_perimeter_resource","google_active_directory_domain","google_alloydb_backup","google_alloydb_cluster","google_alloydb_instance","google_apigee_addons_config","google_apigee_endpoint_attachment","google_apigee_envgroup","google_apigee_envgroup_attachment","google_apigee_environment","google_apigee_environment_iam_member","google_apigee_instance","google_apigee_instance_attachment","google_apigee_nat_address","google_apigee_organization","google_app_engine_application","google_app_engine_application_url_dispatch_rules","google_app_engine_firewall_rule","google_app_engine_service_network_settings","google_app_engine_standard_app_version","google_artifact_registry_repository","google_artifact_registry_repository_iam_member","google_beyondcorp_app_connection","google_beyondcorp_app_connector","google_beyondcorp_app_gateway","google_bigquery_analytics_hub_data_exchange","google_bigquery_analytics_hub_data_exchange_iam_member","google_bigquery_analytics_hub_listing","google_bigquery_connection","google_bigquery_data_transfer_config","google_bigquery_dataset","google_bigquery_dataset_access","google_bigquery_dataset_iam_binding","google_bigquery_dataset_iam_member","google_bigquery_dataset_iam_policy","google_bigquery_job","google_bigquery_reservation","google_bigquery_reservation_assignment","google_bigquery_routine","google_bigquery_table","google_bigquery_table_iam_binding","google_bigquery_table_iam_member","google_bigquery_table_iam_policy","google_bigtable_app_profile","google_bigtable_gc_policy","google_bigtable_instance","google_bigtable_instance_iam_binding","google_bigtable_instance_iam_member","google_bigtable_instance_iam_policy","google_bigtable_table","google_
bigtable_table_iam_binding","google_bigtable_table_iam_member","google_bigtable_table_iam_policy","google_binary_authorization_attestor","google_binary_authorization_policy","google_certificate_manager_certificate","google_certificate_manager_certificate_map","google_certificate_manager_certificate_map_entry","google_certificate_manager_dns_authorization","google_cloud_ids_endpoint","google_cloud_run_domain_mapping","google_cloud_run_service","google_cloud_run_service_iam_member","google_cloud_run_v2_job","google_cloud_run_v2_service","google_cloud_scheduler_job","google_cloud_tasks_queue","google_cloudbuild_trigger","google_cloudbuild_worker_pool","google_cloudfunctions2_function","google_cloudfunctions_function","google_cloudfunctions_function_iam_member","google_composer_environment","google_compute_address","google_compute_attached_disk","google_compute_autoscaler","google_compute_backend_bucket","google_compute_backend_bucket_signed_url_key","google_compute_backend_service","google_compute_backend_service_signed_url_key","google_compute_disk","google_compute_disk_iam_member","google_compute_disk_resource_policy_attachment","google_compute_external_vpn_gateway","google_compute_firewall","google_compute_firewall_policy","google_compute_firewall_policy_association","google_compute_firewall_policy_rule","google_compute_forwarding_rule","google_compute_global_address","google_compute_global_forwarding_rule","google_compute_global_network_endpoint","google_compute_global_network_endpoint_group","google_compute_ha_vpn_gateway","google_compute_health_check","google_compute_http_health_check","google_compute_https_health_check","google_compute_image","google_compute_image_iam_member","google_compute_instance","google_compute_instance_from_template","google_compute_instance_group","google_compute_instance_group_manager","google_compute_instance_group_named_port","google_compute_instance_iam_member","google_compute_instance_template","google_compute_interconnect_attachmen
t","google_compute_managed_ssl_certificate","google_compute_network","google_compute_network_endpoint","google_compute_network_endpoint_group","google_compute_network_firewall_policy","google_compute_network_firewall_policy_association","google_compute_network_peering","google_compute_network_peering_routes_config","google_compute_node_group","google_compute_node_template","google_compute_packet_mirroring","google_compute_per_instance_config","google_compute_project_default_network_tier","google_compute_project_metadata","google_compute_project_metadata_item","google_compute_region_autoscaler","google_compute_region_backend_service","google_compute_region_disk","google_compute_region_disk_iam_member","google_compute_region_disk_resource_policy_attachment","google_compute_region_health_check","google_compute_region_instance_group_manager","google_compute_region_network_endpoint","google_compute_region_network_endpoint_group","google_compute_region_network_firewall_policy","google_compute_region_network_firewall_policy_association","google_compute_region_per_instance_config","google_compute_region_ssl_certificate","google_compute_region_target_http_proxy","google_compute_region_target_https_proxy","google_compute_region_target_tcp_proxy","google_compute_region_url_map","google_compute_reservation","google_compute_resource_policy","google_compute_route","google_compute_router","google_compute_router_interface","google_compute_router_nat","google_compute_router_peer","google_compute_security_policy","google_compute_service_attachment","google_compute_shared_vpc_host_project","google_compute_shared_vpc_service_project","google_compute_snapshot","google_compute_snapshot_iam_member","google_compute_ssl_certificate","google_compute_ssl_policy","google_compute_subnetwork","google_compute_subnetwork_iam_member","google_compute_target_grpc_proxy","google_compute_target_http_proxy","google_compute_target_https_proxy","google_compute_target_instance","google_compute_target_pool"
,"google_compute_target_ssl_proxy","google_compute_target_tcp_proxy","google_compute_url_map","google_compute_vpn_gateway","google_compute_vpn_tunnel","google_container_analysis_note","google_container_attached_cluster","google_container_aws_cluster","google_container_aws_node_pool","google_container_azure_client","google_container_azure_cluster","google_container_azure_node_pool","google_container_cluster","google_container_node_pool","google_container_registry","google_data_catalog_entry","google_data_catalog_entry_group","google_data_catalog_tag","google_data_catalog_tag_template","google_data_fusion_instance","google_data_loss_prevention_deidentify_template","google_data_loss_prevention_inspect_template","google_data_loss_prevention_job_trigger","google_data_loss_prevention_stored_info_type","google_dataflow_job","google_dataplex_asset","google_dataplex_lake","google_dataplex_zone","google_dataproc_autoscaling_policy","google_dataproc_cluster","google_dataproc_job","google_dataproc_metastore_service","google_dataproc_workflow_template","google_datastore_index","google_datastream_connection_profile","google_datastream_private_connection","google_dialogflow_cx_agent","google_dialogflow_cx_entity_type","google_dialogflow_cx_environment","google_dialogflow_cx_flow","google_dialogflow_cx_intent","google_dialogflow_cx_page","google_dialogflow_cx_version","google_dialogflow_cx_webhook","google_dns_managed_zone","google_dns_managed_zone_iam_member","google_dns_policy","google_dns_record_set","google_document_ai_processor","google_essential_contacts_contact","google_eventarc_channel","google_eventarc_google_channel_config","google_eventarc_trigger","google_filestore_backup","google_filestore_instance","google_filestore_snapshot","google_firebaserules_release","google_firebaserules_ruleset","google_folder","google_folder_iam_member","google_gke_backup_backup_plan","google_gke_hub_membership","google_gke_hub_membership_iam_member","google_healthcare_consent_store","google_
healthcare_dataset","google_healthcare_dataset_iam_member","google_iam_workload_identity_pool","google_iam_workload_identity_pool_provider","google_iap_app_engine_service_iam_member","google_iap_app_engine_version_iam_member","google_iap_tunnel_iam_member","google_iap_web_backend_service_iam_member","google_iap_web_iam_member","google_iap_web_type_app_engine_iam_member","google_iap_web_type_compute_iam_member","google_identity_platform_default_supported_idp_config","google_identity_platform_inbound_saml_config","google_identity_platform_oauth_idp_config","google_identity_platform_project_default_config","google_identity_platform_tenant","google_identity_platform_tenant_default_supported_idp_config","google_identity_platform_tenant_inbound_saml_config","google_identity_platform_tenant_oauth_idp_config","google_kms_crypto_key","google_kms_crypto_key_iam_member","google_kms_crypto_key_version","google_kms_key_ring","google_kms_key_ring_iam_member","google_kms_key_ring_import_job","google_kms_secret_ciphertext","google_logging_folder_bucket_config","google_logging_folder_exclusion","google_logging_folder_sink","google_logging_log_view","google_logging_metric","google_logging_project_bucket_config","google_logging_project_exclusion","google_logging_project_sink","google_memcache_instance","google_ml_engine_model","google_monitoring_alert_policy","google_monitoring_custom_service","google_monitoring_dashboard","google_monitoring_group","google_monitoring_metric_descriptor","google_monitoring_notification_channel","google_monitoring_service","google_monitoring_slo","google_monitoring_uptime_check_config","google_network_connectivity_hub","google_network_connectivity_spoke","google_network_management_connectivity_test","google_notebooks_environment","google_notebooks_instance","google_notebooks_instance_iam_member","google_notebooks_runtime","google_notebooks_runtime_iam_member","google_organization_iam_audit_config","google_organization_iam_custom_role","google_organizatio
n_iam_member","google_os_config_os_policy_assignment","google_os_config_patch_deployment","google_os_login_ssh_public_key","google_privateca_ca_pool","google_privateca_ca_pool_iam_member","google_privateca_certificate","google_privateca_certificate_authority","google_privateca_certificate_template","google_privateca_certificate_template_iam_member","google_project","google_project_default_service_accounts","google_project_iam_audit_config","google_project_iam_custom_role","google_project_iam_member","google_project_service","google_project_usage_export_bucket","google_pubsub_lite_reservation","google_pubsub_lite_subscription","google_pubsub_lite_topic","google_pubsub_schema","google_pubsub_subscription","google_pubsub_subscription_iam_member","google_pubsub_topic","google_pubsub_topic_iam_member","google_redis_instance","google_secret_manager_secret","google_secret_manager_secret_iam_member","google_secret_manager_secret_version","google_service_account","google_service_account_iam_member","google_service_account_key","google_service_networking_connection","google_service_networking_peered_dns_domain","google_sourcerepo_repository","google_sourcerepo_repository_iam_member","google_spanner_database","google_spanner_database_iam_member","google_spanner_instance","google_spanner_instance_iam_member","google_sql_database","google_sql_database_instance","google_sql_source_representation_instance","google_sql_ssl_cert","google_sql_user","google_storage_bucket","google_storage_bucket_access_control","google_storage_bucket_acl","google_storage_bucket_iam_member","google_storage_bucket_object","google_storage_default_object_access_control","google_storage_default_object_acl","google_storage_hmac_key","google_storage_notification","google_storage_object_access_control","google_storage_object_acl","google_storage_transfer_agent_pool","google_tags_tag_binding","google_tags_tag_key","google_tags_tag_value","google_tpu_node","google_vertex_ai_dataset","google_vertex_ai_featuresto
re","google_vertex_ai_featurestore_entitytype","google_vertex_ai_tensorboard","google_vpc_access_connector","google_workflows_workflow"] \ No newline at end of file +["google_access_context_manager_access_level","google_access_context_manager_access_level_condition","google_access_context_manager_access_policy","google_access_context_manager_access_policy_iam_member","google_access_context_manager_service_perimeter","google_access_context_manager_service_perimeter_resource","google_active_directory_domain","google_alloydb_backup","google_alloydb_cluster","google_alloydb_instance","google_apigee_addons_config","google_apigee_endpoint_attachment","google_apigee_envgroup","google_apigee_envgroup_attachment","google_apigee_environment","google_apigee_environment_iam_member","google_apigee_instance","google_apigee_instance_attachment","google_apigee_nat_address","google_apigee_organization","google_app_engine_application","google_app_engine_application_url_dispatch_rules","google_app_engine_firewall_rule","google_app_engine_service_network_settings","google_app_engine_standard_app_version","google_artifact_registry_repository","google_artifact_registry_repository_iam_member","google_beyondcorp_app_connection","google_beyondcorp_app_connector","google_beyondcorp_app_gateway","google_bigquery_analytics_hub_data_exchange","google_bigquery_analytics_hub_data_exchange_iam_member","google_bigquery_analytics_hub_listing","google_bigquery_connection","google_bigquery_data_transfer_config","google_bigquery_dataset","google_bigquery_dataset_access","google_bigquery_dataset_iam_binding","google_bigquery_dataset_iam_member","google_bigquery_dataset_iam_policy","google_bigquery_job","google_bigquery_reservation","google_bigquery_reservation_assignment","google_bigquery_routine","google_bigquery_table","google_bigquery_table_iam_binding","google_bigquery_table_iam_member","google_bigquery_table_iam_policy","google_bigtable_app_profile","google_bigtable_gc_policy","google_bigtable_inst
ance","google_bigtable_instance_iam_binding","google_bigtable_instance_iam_member","google_bigtable_instance_iam_policy","google_bigtable_table","google_bigtable_table_iam_binding","google_bigtable_table_iam_member","google_bigtable_table_iam_policy","google_binary_authorization_attestor","google_binary_authorization_policy","google_certificate_manager_certificate","google_certificate_manager_certificate_map","google_certificate_manager_certificate_map_entry","google_certificate_manager_dns_authorization","google_cloud_ids_endpoint","google_cloud_run_domain_mapping","google_cloud_run_service","google_cloud_run_service_iam_member","google_cloud_run_v2_job","google_cloud_run_v2_service","google_cloud_scheduler_job","google_cloud_tasks_queue","google_cloudbuild_trigger","google_cloudbuild_worker_pool","google_cloudfunctions2_function","google_cloudfunctions_function","google_cloudfunctions_function_iam_member","google_composer_environment","google_compute_address","google_compute_attached_disk","google_compute_autoscaler","google_compute_backend_bucket","google_compute_backend_bucket_signed_url_key","google_compute_backend_service","google_compute_backend_service_signed_url_key","google_compute_disk","google_compute_disk_iam_member","google_compute_disk_resource_policy_attachment","google_compute_external_vpn_gateway","google_compute_firewall","google_compute_firewall_policy","google_compute_firewall_policy_association","google_compute_firewall_policy_rule","google_compute_forwarding_rule","google_compute_global_address","google_compute_global_forwarding_rule","google_compute_global_network_endpoint","google_compute_global_network_endpoint_group","google_compute_ha_vpn_gateway","google_compute_health_check","google_compute_http_health_check","google_compute_https_health_check","google_compute_image","google_compute_image_iam_member","google_compute_instance","google_compute_instance_from_template","google_compute_instance_group","google_compute_instance_group_manager",
"google_compute_instance_group_named_port","google_compute_instance_iam_member","google_compute_instance_template","google_compute_interconnect_attachment","google_compute_managed_ssl_certificate","google_compute_network","google_compute_network_endpoint","google_compute_network_endpoint_group","google_compute_network_firewall_policy","google_compute_network_firewall_policy_association","google_compute_network_peering","google_compute_network_peering_routes_config","google_compute_node_group","google_compute_node_template","google_compute_packet_mirroring","google_compute_per_instance_config","google_compute_project_default_network_tier","google_compute_project_metadata","google_compute_project_metadata_item","google_compute_region_autoscaler","google_compute_region_backend_service","google_compute_region_disk","google_compute_region_disk_iam_member","google_compute_region_disk_resource_policy_attachment","google_compute_region_health_check","google_compute_region_instance_group_manager","google_compute_region_network_endpoint","google_compute_region_network_endpoint_group","google_compute_region_network_firewall_policy","google_compute_region_network_firewall_policy_association","google_compute_region_per_instance_config","google_compute_region_ssl_certificate","google_compute_region_target_http_proxy","google_compute_region_target_https_proxy","google_compute_region_target_tcp_proxy","google_compute_region_url_map","google_compute_reservation","google_compute_resource_policy","google_compute_route","google_compute_router","google_compute_router_interface","google_compute_router_nat","google_compute_router_peer","google_compute_security_policy","google_compute_service_attachment","google_compute_shared_vpc_host_project","google_compute_shared_vpc_service_project","google_compute_snapshot","google_compute_snapshot_iam_member","google_compute_ssl_certificate","google_compute_ssl_policy","google_compute_subnetwork","google_compute_subnetwork_iam_member","google_comput
e_target_grpc_proxy","google_compute_target_http_proxy","google_compute_target_https_proxy","google_compute_target_instance","google_compute_target_pool","google_compute_target_ssl_proxy","google_compute_target_tcp_proxy","google_compute_url_map","google_compute_vpn_gateway","google_compute_vpn_tunnel","google_container_analysis_note","google_container_attached_cluster","google_container_aws_cluster","google_container_aws_node_pool","google_container_azure_client","google_container_azure_cluster","google_container_azure_node_pool","google_container_cluster","google_container_node_pool","google_container_registry","google_data_catalog_entry","google_data_catalog_entry_group","google_data_catalog_tag","google_data_catalog_tag_template","google_data_fusion_instance","google_data_loss_prevention_deidentify_template","google_data_loss_prevention_inspect_template","google_data_loss_prevention_job_trigger","google_data_loss_prevention_stored_info_type","google_dataflow_job","google_dataplex_asset","google_dataplex_lake","google_dataplex_zone","google_dataproc_autoscaling_policy","google_dataproc_cluster","google_dataproc_job","google_dataproc_metastore_service","google_dataproc_workflow_template","google_datastore_index","google_datastream_connection_profile","google_datastream_private_connection","google_dialogflow_cx_agent","google_dialogflow_cx_entity_type","google_dialogflow_cx_environment","google_dialogflow_cx_flow","google_dialogflow_cx_intent","google_dialogflow_cx_page","google_dialogflow_cx_version","google_dialogflow_cx_webhook","google_dns_managed_zone","google_dns_managed_zone_iam_member","google_dns_policy","google_dns_record_set","google_document_ai_processor","google_essential_contacts_contact","google_eventarc_channel","google_eventarc_google_channel_config","google_eventarc_trigger","google_filestore_backup","google_filestore_instance","google_filestore_snapshot","google_firebaserules_release","google_firebaserules_ruleset","google_folder","google_folder_
iam_member","google_gke_backup_backup_plan","google_gke_hub_membership","google_gke_hub_membership_iam_member","google_healthcare_consent_store","google_healthcare_dataset","google_healthcare_dataset_iam_member","google_iam_workload_identity_pool","google_iam_workload_identity_pool_provider","google_iap_app_engine_service_iam_member","google_iap_app_engine_version_iam_member","google_iap_tunnel_iam_member","google_iap_web_backend_service_iam_member","google_iap_web_iam_member","google_iap_web_type_app_engine_iam_member","google_iap_web_type_compute_iam_member","google_identity_platform_default_supported_idp_config","google_identity_platform_inbound_saml_config","google_identity_platform_oauth_idp_config","google_identity_platform_project_default_config","google_identity_platform_tenant","google_identity_platform_tenant_default_supported_idp_config","google_identity_platform_tenant_inbound_saml_config","google_identity_platform_tenant_oauth_idp_config","google_kms_crypto_key","google_kms_crypto_key_iam_member","google_kms_crypto_key_version","google_kms_key_ring","google_kms_key_ring_iam_member","google_kms_key_ring_import_job","google_kms_secret_ciphertext","google_logging_folder_bucket_config","google_logging_folder_exclusion","google_logging_folder_sink","google_logging_log_view","google_logging_metric","google_logging_project_bucket_config","google_logging_project_exclusion","google_logging_project_sink","google_memcache_instance","google_ml_engine_model","google_monitoring_alert_policy","google_monitoring_custom_service","google_monitoring_dashboard","google_monitoring_group","google_monitoring_metric_descriptor","google_monitoring_notification_channel","google_monitoring_service","google_monitoring_slo","google_monitoring_uptime_check_config","google_network_connectivity_hub","google_network_connectivity_spoke","google_network_management_connectivity_test","google_notebooks_environment","google_notebooks_instance","google_notebooks_instance_iam_member","google_
notebooks_runtime","google_notebooks_runtime_iam_member","google_org_policy_policy","google_organization_iam_audit_config","google_organization_iam_custom_role","google_organization_iam_member","google_os_config_os_policy_assignment","google_os_config_patch_deployment","google_os_login_ssh_public_key","google_privateca_ca_pool","google_privateca_ca_pool_iam_member","google_privateca_certificate","google_privateca_certificate_authority","google_privateca_certificate_template","google_privateca_certificate_template_iam_member","google_project","google_project_default_service_accounts","google_project_iam_audit_config","google_project_iam_custom_role","google_project_iam_member","google_project_service","google_project_usage_export_bucket","google_pubsub_lite_reservation","google_pubsub_lite_subscription","google_pubsub_lite_topic","google_pubsub_schema","google_pubsub_subscription","google_pubsub_subscription_iam_member","google_pubsub_topic","google_pubsub_topic_iam_member","google_redis_instance","google_secret_manager_secret","google_secret_manager_secret_iam_member","google_secret_manager_secret_version","google_service_account","google_service_account_iam_member","google_service_account_key","google_service_networking_connection","google_service_networking_peered_dns_domain","google_sourcerepo_repository","google_sourcerepo_repository_iam_member","google_spanner_database","google_spanner_database_iam_member","google_spanner_instance","google_spanner_instance_iam_member","google_sql_database","google_sql_database_instance","google_sql_source_representation_instance","google_sql_ssl_cert","google_sql_user","google_storage_bucket","google_storage_bucket_access_control","google_storage_bucket_acl","google_storage_bucket_iam_member","google_storage_bucket_object","google_storage_default_object_access_control","google_storage_default_object_acl","google_storage_hmac_key","google_storage_notification","google_storage_object_access_control","google_storage_object_acl","g
oogle_storage_transfer_agent_pool","google_tags_tag_binding","google_tags_tag_key","google_tags_tag_value","google_tpu_node","google_vertex_ai_dataset","google_vertex_ai_featurestore","google_vertex_ai_featurestore_entitytype","google_vertex_ai_tensorboard","google_vpc_access_connector","google_workflows_workflow"] \ No newline at end of file diff --git a/examples-generated/orgpolicy/v1beta1/policy.yaml b/examples-generated/orgpolicy/v1beta1/policy.yaml new file mode 100644 index 000000000..a9032b124 --- /dev/null +++ b/examples-generated/orgpolicy/v1beta1/policy.yaml @@ -0,0 +1,32 @@ +apiVersion: orgpolicy.gcp.upbound.io/v1beta1 +kind: Policy +metadata: + annotations: + meta.upbound.io/example-id: orgpolicy/v1beta1/policy + labels: + testing.upbound.io/example-name: primary + name: primary +spec: + forProvider: + parentSelector: + matchLabels: + testing.upbound.io/example-name: basic + spec: + - rules: + - enforce: "FALSE" + +--- + +apiVersion: cloudplatform.gcp.upbound.io/v1beta1 +kind: Project +metadata: + annotations: + meta.upbound.io/example-id: orgpolicy/v1beta1/policy + labels: + testing.upbound.io/example-name: basic + name: basic +spec: + forProvider: + name: id + orgId: "123456789" + projectId: id diff --git a/examples/orgpolicy/v1beta1/policy.yaml b/examples/orgpolicy/v1beta1/policy.yaml new file mode 100644 index 000000000..e9af4b1b7 --- /dev/null +++ b/examples/orgpolicy/v1beta1/policy.yaml @@ -0,0 +1,16 @@ +apiVersion: orgpolicy.gcp.upbound.io/v1beta1 +kind: Policy +metadata: + annotations: + meta.upbound.io/example-id: orgpolicy/v1beta1/policy + upjet.upbound.io/manual-intervention: "Policy requires Org Access Rights" + crossplane.io/external-name: iam.disableServiceAccountKeyUpload + labels: + testing.upbound.io/example-name: primary + name: primary +spec: + forProvider: + parent: projects/${project.project_id} + spec: + rules: + - enforce: "FALSE" 
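Review bot: In the examples/orgpolicy/v1beta1/policy.yaml hunk, the rule `- enforce: "FALSE"` combined with the `crossplane.io/external-name: iam.disableServiceAccountKeyUpload` annotation means, by the CRD's own description of the `enforce` field, that "any configuration is acceptable" for that constraint on the given `parent` — so the example users copy first lifts a guardrail on the target project rather than setting one. If the example only needs to exercise the resource, a comment making that effect explicit would help, e.g. above the rule: `# "FALSE" lifts enforcement of the constraint named in crossplane.io/external-name on the parent project; use "TRUE" to enforce it`. The `upjet.upbound.io/manual-intervention` annotation says that org-level access is needed, not what the rule changes. The CRD also documents `parentRef`/`parentSelector` as resolving a Folder, while this example passes a `projects/...` literal through `parent`; a short note on why the literal form is used here would help readers choosing between the two.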
diff --git a/internal/controller/orgpolicy/policy/zz_controller.go b/internal/controller/orgpolicy/policy/zz_controller.go
new file mode 100755
index 000000000..b3282346e
--- /dev/null
+++ b/internal/controller/orgpolicy/policy/zz_controller.go
@@ -0,0 +1,92 @@
+// SPDX-FileCopyrightText: 2024 The Crossplane Authors
+//
+// SPDX-License-Identifier: Apache-2.0
+
+// Code generated by upjet. DO NOT EDIT.
+
+package policy
+
+import (
+ "time"
+
+ "github.com/crossplane/crossplane-runtime/pkg/connection"
+ "github.com/crossplane/crossplane-runtime/pkg/event"
+ "github.com/crossplane/crossplane-runtime/pkg/ratelimiter"
+ "github.com/crossplane/crossplane-runtime/pkg/reconciler/managed"
+ xpresource "github.com/crossplane/crossplane-runtime/pkg/resource"
+ "github.com/crossplane/crossplane-runtime/pkg/statemetrics"
+ tjcontroller "github.com/crossplane/upjet/pkg/controller"
+ "github.com/crossplane/upjet/pkg/controller/handler"
+ "github.com/crossplane/upjet/pkg/metrics"
+ "github.com/pkg/errors"
+ ctrl "sigs.k8s.io/controller-runtime"
+
+ v1beta1 "github.com/upbound/provider-gcp/apis/orgpolicy/v1beta1"
+ features "github.com/upbound/provider-gcp/internal/features"
+)
+
+// Setup adds a controller that reconciles Policy managed resources.
+func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
+ name := managed.ControllerName(v1beta1.Policy_GroupVersionKind.String())
+ var initializers managed.InitializerChain
+ initializers = append(initializers, managed.NewNameAsExternalName(mgr.GetClient()))
+ cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
+ if o.SecretStoreConfigGVK != nil {
+ cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))
+ }
+ eventHandler := handler.NewEventHandler(handler.WithLogger(o.Logger.WithValues("gvk", v1beta1.Policy_GroupVersionKind)))
+ ac := tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Policy_GroupVersionKind), tjcontroller.WithEventHandler(eventHandler), tjcontroller.WithStatusUpdates(false))
+ opts := []managed.ReconcilerOption{
+ managed.WithExternalConnecter(
+ tjcontroller.NewTerraformPluginSDKAsyncConnector(mgr.GetClient(), o.OperationTrackerStore, o.SetupFn, o.Provider.Resources["google_org_policy_policy"],
+ tjcontroller.WithTerraformPluginSDKAsyncLogger(o.Logger),
+ tjcontroller.WithTerraformPluginSDKAsyncConnectorEventHandler(eventHandler),
+ tjcontroller.WithTerraformPluginSDKAsyncCallbackProvider(ac),
+ tjcontroller.WithTerraformPluginSDKAsyncMetricRecorder(metrics.NewMetricRecorder(v1beta1.Policy_GroupVersionKind, mgr, o.PollInterval)),
+ tjcontroller.WithTerraformPluginSDKAsyncManagementPolicies(o.Features.Enabled(features.EnableBetaManagementPolicies)))),
+ managed.WithLogger(o.Logger.WithValues("controller", name)),
+ managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
+ managed.WithFinalizer(tjcontroller.NewOperationTrackerFinalizer(o.OperationTrackerStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
+ managed.WithTimeout(3 * time.Minute),
+ managed.WithInitializers(initializers),
+ managed.WithConnectionPublishers(cps...),
+ managed.WithPollInterval(o.PollInterval),
+ }
+ if o.PollJitter != 0 {
+ opts = append(opts, managed.WithPollJitterHook(o.PollJitter))
+ }
+ if o.Features.Enabled(features.EnableBetaManagementPolicies) {
+ opts = append(opts, managed.WithManagementPolicies())
+ }
+ if o.MetricOptions != nil {
+ opts = append(opts, managed.WithMetricRecorder(o.MetricOptions.MRMetrics))
+ }
+
+ // register webhooks for the kind v1beta1.Policy
+ // if they're enabled.
+ if o.StartWebhooks {
+ if err := ctrl.NewWebhookManagedBy(mgr).
+ For(&v1beta1.Policy{}).
+ Complete(); err != nil {
+ return errors.Wrap(err, "cannot register webhook for the kind v1beta1.Policy")
+ }
+ }
+
+ if o.MetricOptions != nil && o.MetricOptions.MRStateMetrics != nil {
+ stateMetricsRecorder := statemetrics.NewMRStateRecorder(
+ mgr.GetClient(), o.Logger, o.MetricOptions.MRStateMetrics, &v1beta1.PolicyList{}, o.MetricOptions.PollStateMetricInterval,
+ )
+ if err := mgr.Add(stateMetricsRecorder); err != nil {
+ return errors.Wrap(err, "cannot register MR state metrics recorder for kind v1beta1.PolicyList")
+ }
+ }
+
+ r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Policy_GroupVersionKind), opts...)
+
+ return ctrl.NewControllerManagedBy(mgr).
+ Named(name).
+ WithOptions(o.ForControllerRuntime()).
+ WithEventFilter(xpresource.DesiredStateChanged()).
+ Watches(&v1beta1.Policy{}, eventHandler).
+ Complete(ratelimiter.NewReconciler(name, r, o.GlobalRateLimiter))
+}
diff --git a/internal/controller/zz_monolith_setup.go b/internal/controller/zz_monolith_setup.go
index 6fb628fcf..537ff767c 100755
--- a/internal/controller/zz_monolith_setup.go
+++ b/internal/controller/zz_monolith_setup.go
@@ -306,6 +306,7 @@ import (
 instanceiammembernotebooks "github.com/upbound/provider-gcp/internal/controller/notebooks/instanceiammember"
 runtime "github.com/upbound/provider-gcp/internal/controller/notebooks/runtime"
 runtimeiammember "github.com/upbound/provider-gcp/internal/controller/notebooks/runtimeiammember"
+ policyorgpolicy "github.com/upbound/provider-gcp/internal/controller/orgpolicy/policy"
 ospolicyassignment "github.com/upbound/provider-gcp/internal/controller/osconfig/ospolicyassignment"
 patchdeployment "github.com/upbound/provider-gcp/internal/controller/osconfig/patchdeployment"
 sshpublickey "github.com/upbound/provider-gcp/internal/controller/oslogin/sshpublickey"
@@ -665,6 +666,7 @@ func Setup_monolith(mgr ctrl.Manager, o controller.Options) error {
 instanceiammembernotebooks.Setup,
 runtime.Setup,
 runtimeiammember.Setup,
+ policyorgpolicy.Setup,
 ospolicyassignment.Setup,
 patchdeployment.Setup,
 sshpublickey.Setup,
diff --git a/internal/controller/zz_orgpolicy_setup.go b/internal/controller/zz_orgpolicy_setup.go
new file mode 100755
index 000000000..360d5deb1
--- /dev/null
+++ b/internal/controller/zz_orgpolicy_setup.go
@@ -0,0 +1,26 @@
+// SPDX-FileCopyrightText: 2024 The Crossplane Authors
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package controller
+
+import (
+ ctrl "sigs.k8s.io/controller-runtime"
+
+ "github.com/crossplane/upjet/pkg/controller"
+
+ policy "github.com/upbound/provider-gcp/internal/controller/orgpolicy/policy"
+)
+
+// Setup_orgpolicy creates all controllers with the supplied logger and adds them to
+// the supplied manager.
+func Setup_orgpolicy(mgr ctrl.Manager, o controller.Options) error {
+ for _, setup := range []func(ctrl.Manager, controller.Options) error{
+ policy.Setup,
+ } {
+ if err := setup(mgr, o); err != nil {
+ return err
+ }
+ }
+ return nil
+}
diff --git a/package/crds/orgpolicy.gcp.upbound.io_policies.yaml b/package/crds/orgpolicy.gcp.upbound.io_policies.yaml
new file mode 100644
index 000000000..15a91048b
--- /dev/null
+++ b/package/crds/orgpolicy.gcp.upbound.io_policies.yaml
@@ -0,0 +1,1054 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: policies.orgpolicy.gcp.upbound.io +spec: + group: orgpolicy.gcp.upbound.io + names: + categories: + - crossplane + - managed + - gcp + kind: Policy + listKind: PolicyList + plural: policies + singular: policy + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=='Synced')].status + name: SYNCED + type: string + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string + - jsonPath: .metadata.annotations.crossplane\.io/external-name + name: EXTERNAL-NAME + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: Policy is the Schema for the Policys API. An organization policy + gives you programmatic control over your organization's cloud resources. Using + Organization Policies, you will be able to configure constraints across + your entire resource hierarchy. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: PolicySpec defines the desired state of Policy + properties: + deletionPolicy: + default: Delete + description: |- + DeletionPolicy specifies what will happen to the underlying external + when this managed resource is deleted - either "Delete" or "Orphan" the + external resource. + This field is planned to be deprecated in favor of the ManagementPolicies + field in a future release. Currently, both could be set independently and + non-default values would be honored if the feature flag is enabled. + See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + enum: + - Orphan + - Delete + type: string + forProvider: + properties: + dryRunSpec: + description: Dry-run policy. Audit-only policy, can be used to + monitor how the policy would have impacted the existing and + future resources if it's enforced. + properties: + inheritFromParent: + description: Determines the inheritance behavior for this + policy. If inherit_from_parent is true, policy rules set + higher up in the hierarchy (up to the closest root) are + inherited and present in the effective policy. If it is + false, then no rules are inherited, and this policy becomes + the new root for evaluation. This field can be set only + for policies which configure list constraints. + type: boolean + reset: + description: Ignores policies set above this resource and + restores the constraint_default enforcement behavior of + the specific constraint at this resource. This field can + be set in policies for either list or boolean constraints. + If set, rules must be empty and inherit_from_parent must + be set to false. 
+ type: boolean + rules: + description: 'In policies for boolean constraints, the following + requirements apply: - There must be one and only one policy + rule where condition is unset. - Boolean policy rules with + conditions must set enforced to the opposite of the policy + rule without a condition. - During policy evaluation, policy + rules with conditions that are true for a target resource + take precedence.' + items: + properties: + allowAll: + description: Setting this to "TRUE" means that all values + are allowed. This field can be set only in policies + for list constraints. + type: string + condition: + description: 'A condition which determines whether this + rule is used in the evaluation of the policy. When + set, the expression field in the `Expr'' must include + from 1 to 10 subexpressions, joined by the "||" or + "&&" operators. Each subexpression must be of the + form "resource.matchTag(''/tag_key_short_name, ''tag_value_short_name'')". + or "resource.matchTagId(''tagKeys/key_id'', ''tagValues/value_id'')". + where key_name and value_name are the resource names + for Label Keys and Values. These names are available + from the Tag Manager Service. An example expression + is: "resource.matchTag(''123456789/environment, ''prod'')". + or "resource.matchTagId(''tagKeys/123'', ''tagValues/456'')".' + properties: + description: + description: Optional. Description of the expression. + This is a longer text which describes the expression, + e.g. when hovered over it in a UI. + type: string + expression: + description: Textual representation of an expression + in Common Expression Language syntax. + type: string + location: + description: Optional. String indicating the location + of the expression for error reporting, e.g. a + file name and a position in the file. + type: string + title: + description: Optional. Title for the expression, + i.e. a short string describing its purpose. This + can be used e.g. in UIs which allow to enter the + expression. 
+ type: string + type: object + denyAll: + description: Setting this to "TRUE" means that all values + are denied. This field can be set only in policies + for list constraints. + type: string + enforce: + description: If "TRUE", then the policy is enforced. + If "FALSE", then any configuration is acceptable. + This field can be set only in policies for boolean + constraints. + type: string + values: + description: List of values to be used for this policy + rule. This field can be set only in policies for list + constraints. + properties: + allowedValues: + description: List of values allowed at this resource. + items: + type: string + type: array + deniedValues: + description: List of values denied at this resource. + items: + type: string + type: array + type: object + type: object + type: array + type: object + parent: + description: The parent of the resource. + type: string + parentRef: + description: Reference to a Folder in cloudplatform to populate + parent. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + parentSelector: + description: Selector for a Folder in cloudplatform to populate + parent. 
+ properties: + matchControllerRef: + description: |- + MatchControllerRef ensures an object with the same controller reference + as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + spec: + description: Basic information about the Organization Policy. + properties: + inheritFromParent: + description: Determines the inheritance behavior for this + Policy. If inherit_from_parent is true, PolicyRules set + higher up in the hierarchy (up to the closest root) are + inherited and present in the effective policy. If it is + false, then no rules are inherited, and this Policy becomes + the new root for evaluation. This field can be set only + for Policies which configure list constraints. + type: boolean + reset: + description: Ignores policies set above this resource and + restores the constraint_default enforcement behavior of + the specific Constraint at this resource. This field can + be set in policies for either list or boolean constraints. + If set, rules must be empty and inherit_from_parent must + be set to false. 
+ type: boolean + rules: + description: 'Up to 10 PolicyRules are allowed. In Policies + for boolean constraints, the following requirements apply: + - There must be one and only one PolicyRule where condition + is unset. - BooleanPolicyRules with conditions must set + enforced to the opposite of the PolicyRule without a condition. + - During policy evaluation, PolicyRules with conditions + that are true for a target resource take precedence.' + items: + properties: + allowAll: + description: Setting this to "TRUE" means that all values + are allowed. This field can be set only in policies + for list constraints. + type: string + condition: + description: 'A condition which determines whether this + rule is used in the evaluation of the policy. When + set, the expression field in the `Expr'' must include + from 1 to 10 subexpressions, joined by the "||" or + "&&" operators. Each subexpression must be of the + form "resource.matchTag(''/tag_key_short_name, ''tag_value_short_name'')". + or "resource.matchTagId(''tagKeys/key_id'', ''tagValues/value_id'')". + where key_name and value_name are the resource names + for Label Keys and Values. These names are available + from the Tag Manager Service. An example expression + is: "resource.matchTag(''123456789/environment, ''prod'')". + or "resource.matchTagId(''tagKeys/123'', ''tagValues/456'')".' + properties: + description: + description: Optional. Description of the expression. + This is a longer text which describes the expression, + e.g. when hovered over it in a UI. + type: string + expression: + description: Textual representation of an expression + in Common Expression Language syntax. + type: string + location: + description: Optional. String indicating the location + of the expression for error reporting, e.g. a + file name and a position in the file. + type: string + title: + description: Optional. Title for the expression, + i.e. a short string describing its purpose. This + can be used e.g. 
in UIs which allow to enter the + expression. + type: string + type: object + denyAll: + description: Setting this to "TRUE" means that all values + are denied. This field can be set only in policies + for list constraints. + type: string + enforce: + description: If "TRUE", then the policy is enforced. + If "FALSE", then any configuration is acceptable. + This field can be set only in policies for boolean + constraints. + type: string + values: + description: List of values to be used for this policy + rule. This field can be set only in policies for list + constraints. + properties: + allowedValues: + description: List of values allowed at this resource. + items: + type: string + type: array + deniedValues: + description: List of values denied at this resource. + items: + type: string + type: array + type: object + type: object + type: array + type: object + type: object + initProvider: + description: |- + THIS IS A BETA FIELD. It will be honored + unless the Management Policies feature flag is disabled. + InitProvider holds the same fields as ForProvider, with the exception + of Identifier and other resource reference fields. The fields that are + in InitProvider are merged into ForProvider when the resource is created. + The same fields are also added to the terraform ignore_changes hook, to + avoid updating them after creation. This is useful for fields that are + required on creation, but we do not desire to update them after creation, + for example because of an external controller is managing them, like an + autoscaler. + properties: + dryRunSpec: + description: Dry-run policy. Audit-only policy, can be used to + monitor how the policy would have impacted the existing and + future resources if it's enforced. + properties: + inheritFromParent: + description: Determines the inheritance behavior for this + policy. 
If inherit_from_parent is true, policy rules set + higher up in the hierarchy (up to the closest root) are + inherited and present in the effective policy. If it is + false, then no rules are inherited, and this policy becomes + the new root for evaluation. This field can be set only + for policies which configure list constraints. + type: boolean + reset: + description: Ignores policies set above this resource and + restores the constraint_default enforcement behavior of + the specific constraint at this resource. This field can + be set in policies for either list or boolean constraints. + If set, rules must be empty and inherit_from_parent must + be set to false. + type: boolean + rules: + description: 'In policies for boolean constraints, the following + requirements apply: - There must be one and only one policy + rule where condition is unset. - Boolean policy rules with + conditions must set enforced to the opposite of the policy + rule without a condition. - During policy evaluation, policy + rules with conditions that are true for a target resource + take precedence.' + items: + properties: + allowAll: + description: Setting this to "TRUE" means that all values + are allowed. This field can be set only in policies + for list constraints. + type: string + condition: + description: 'A condition which determines whether this + rule is used in the evaluation of the policy. When + set, the expression field in the `Expr'' must include + from 1 to 10 subexpressions, joined by the "||" or + "&&" operators. Each subexpression must be of the + form "resource.matchTag(''/tag_key_short_name, ''tag_value_short_name'')". + or "resource.matchTagId(''tagKeys/key_id'', ''tagValues/value_id'')". + where key_name and value_name are the resource names + for Label Keys and Values. These names are available + from the Tag Manager Service. An example expression + is: "resource.matchTag(''123456789/environment, ''prod'')". 
+ or "resource.matchTagId(''tagKeys/123'', ''tagValues/456'')".' + properties: + description: + description: Optional. Description of the expression. + This is a longer text which describes the expression, + e.g. when hovered over it in a UI. + type: string + expression: + description: Textual representation of an expression + in Common Expression Language syntax. + type: string + location: + description: Optional. String indicating the location + of the expression for error reporting, e.g. a + file name and a position in the file. + type: string + title: + description: Optional. Title for the expression, + i.e. a short string describing its purpose. This + can be used e.g. in UIs which allow to enter the + expression. + type: string + type: object + denyAll: + description: Setting this to "TRUE" means that all values + are denied. This field can be set only in policies + for list constraints. + type: string + enforce: + description: If "TRUE", then the policy is enforced. + If "FALSE", then any configuration is acceptable. + This field can be set only in policies for boolean + constraints. + type: string + values: + description: List of values to be used for this policy + rule. This field can be set only in policies for list + constraints. + properties: + allowedValues: + description: List of values allowed at this resource. + items: + type: string + type: array + deniedValues: + description: List of values denied at this resource. + items: + type: string + type: array + type: object + type: object + type: array + type: object + spec: + description: Basic information about the Organization Policy. + properties: + inheritFromParent: + description: Determines the inheritance behavior for this + Policy. If inherit_from_parent is true, PolicyRules set + higher up in the hierarchy (up to the closest root) are + inherited and present in the effective policy. If it is + false, then no rules are inherited, and this Policy becomes + the new root for evaluation. 
This field can be set only + for Policies which configure list constraints. + type: boolean + reset: + description: Ignores policies set above this resource and + restores the constraint_default enforcement behavior of + the specific Constraint at this resource. This field can + be set in policies for either list or boolean constraints. + If set, rules must be empty and inherit_from_parent must + be set to false. + type: boolean + rules: + description: 'Up to 10 PolicyRules are allowed. In Policies + for boolean constraints, the following requirements apply: + - There must be one and only one PolicyRule where condition + is unset. - BooleanPolicyRules with conditions must set + enforced to the opposite of the PolicyRule without a condition. + - During policy evaluation, PolicyRules with conditions + that are true for a target resource take precedence.' + items: + properties: + allowAll: + description: Setting this to "TRUE" means that all values + are allowed. This field can be set only in policies + for list constraints. + type: string + condition: + description: 'A condition which determines whether this + rule is used in the evaluation of the policy. When + set, the expression field in the `Expr'' must include + from 1 to 10 subexpressions, joined by the "||" or + "&&" operators. Each subexpression must be of the + form "resource.matchTag(''/tag_key_short_name, ''tag_value_short_name'')". + or "resource.matchTagId(''tagKeys/key_id'', ''tagValues/value_id'')". + where key_name and value_name are the resource names + for Label Keys and Values. These names are available + from the Tag Manager Service. An example expression + is: "resource.matchTag(''123456789/environment, ''prod'')". + or "resource.matchTagId(''tagKeys/123'', ''tagValues/456'')".' + properties: + description: + description: Optional. Description of the expression. + This is a longer text which describes the expression, + e.g. when hovered over it in a UI. 
+ type: string + expression: + description: Textual representation of an expression + in Common Expression Language syntax. + type: string + location: + description: Optional. String indicating the location + of the expression for error reporting, e.g. a + file name and a position in the file. + type: string + title: + description: Optional. Title for the expression, + i.e. a short string describing its purpose. This + can be used e.g. in UIs which allow to enter the + expression. + type: string + type: object + denyAll: + description: Setting this to "TRUE" means that all values + are denied. This field can be set only in policies + for list constraints. + type: string + enforce: + description: If "TRUE", then the policy is enforced. + If "FALSE", then any configuration is acceptable. + This field can be set only in policies for boolean + constraints. + type: string + values: + description: List of values to be used for this policy + rule. This field can be set only in policies for list + constraints. + properties: + allowedValues: + description: List of values allowed at this resource. + items: + type: string + type: array + deniedValues: + description: List of values denied at this resource. + items: + type: string + type: array + type: object + type: object + type: array + type: object + type: object + managementPolicies: + default: + - '*' + description: |- + THIS IS A BETA FIELD. It is on by default but can be opted out + through a Crossplane feature flag. + ManagementPolicies specify the array of actions Crossplane is allowed to + take on the managed and external resources. + This field is planned to replace the DeletionPolicy field in a future + release. Currently, both could be set independently and non-default + values would be honored if the feature flag is enabled. If both are + custom, the DeletionPolicy field will be ignored. 
+ See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 + and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md + items: + description: |- + A ManagementAction represents an action that the Crossplane controllers + can take on an external resource. + enum: + - Observe + - Create + - Update + - Delete + - LateInitialize + - '*' + type: string + type: array + providerConfigRef: + default: + name: default + description: |- + ProviderConfigReference specifies how the provider that will be used to + create, observe, update, and delete this managed resource should be + configured. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + publishConnectionDetailsTo: + description: |- + PublishConnectionDetailsTo specifies the connection secret config which + contains a name, metadata and a reference to secret store config to + which any connection details for this managed resource should be written. 
+ Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + properties: + configRef: + default: + name: default + description: |- + SecretStoreConfigRef specifies which secret store config should be used + for this ConnectionSecret. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: |- + Resolution specifies whether resolution of this reference is required. + The default is 'Required', which means the reconcile will fail if the + reference cannot be resolved. 'Optional' means this reference will be + a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: |- + Resolve specifies when this reference should be resolved. The default + is 'IfNotPresent', which will attempt to resolve the reference only when + the corresponding field is not present. Use 'Always' to resolve the + reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + metadata: + description: Metadata is the metadata for connection secret. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are the annotations to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.annotations". + - It is up to Secret Store implementation for others store types. + type: object + labels: + additionalProperties: + type: string + description: |- + Labels are the labels/tags to be added to connection secret. + - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store types. + type: object + type: + description: |- + Type is the SecretType for the connection secret. + - Only valid for Kubernetes Secret Stores. 
+ type: string + type: object + name: + description: Name is the name of the connection secret. + type: string + required: + - name + type: object + writeConnectionSecretToRef: + description: |- + WriteConnectionSecretToReference specifies the namespace and name of a + Secret to which any connection details for this managed resource should + be written. Connection details frequently include the endpoint, username, + and password required to connect to the managed resource. + This field is planned to be replaced in a future release in favor of + PublishConnectionDetailsTo. Currently, both could be set independently + and connection details would be published to both without affecting + each other. + properties: + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - name + - namespace + type: object + required: + - forProvider + type: object + status: + description: PolicyStatus defines the observed state of Policy. + properties: + atProvider: + properties: + dryRunSpec: + description: Dry-run policy. Audit-only policy, can be used to + monitor how the policy would have impacted the existing and + future resources if it's enforced. + properties: + etag: + description: An opaque tag indicating the current version + of the policy, used for concurrency control. This field + is ignored if used in a CreatePolicy request. When the policyis + returned from either aGetPolicyor aListPoliciesrequest, + thisetagindicates the version of the current policy to use + when executing a read-modify-write loop. When the policy + is returned from aGetEffectivePolicyrequest, theetag` will + be unset. + type: string + inheritFromParent: + description: Determines the inheritance behavior for this + policy. If inherit_from_parent is true, policy rules set + higher up in the hierarchy (up to the closest root) are + inherited and present in the effective policy. 
If it is + false, then no rules are inherited, and this policy becomes + the new root for evaluation. This field can be set only + for policies which configure list constraints. + type: boolean + reset: + description: Ignores policies set above this resource and + restores the constraint_default enforcement behavior of + the specific constraint at this resource. This field can + be set in policies for either list or boolean constraints. + If set, rules must be empty and inherit_from_parent must + be set to false. + type: boolean + rules: + description: 'In policies for boolean constraints, the following + requirements apply: - There must be one and only one policy + rule where condition is unset. - Boolean policy rules with + conditions must set enforced to the opposite of the policy + rule without a condition. - During policy evaluation, policy + rules with conditions that are true for a target resource + take precedence.' + items: + properties: + allowAll: + description: Setting this to "TRUE" means that all values + are allowed. This field can be set only in policies + for list constraints. + type: string + condition: + description: 'A condition which determines whether this + rule is used in the evaluation of the policy. When + set, the expression field in the `Expr'' must include + from 1 to 10 subexpressions, joined by the "||" or + "&&" operators. Each subexpression must be of the + form "resource.matchTag(''/tag_key_short_name, ''tag_value_short_name'')". + or "resource.matchTagId(''tagKeys/key_id'', ''tagValues/value_id'')". + where key_name and value_name are the resource names + for Label Keys and Values. These names are available + from the Tag Manager Service. An example expression + is: "resource.matchTag(''123456789/environment, ''prod'')". + or "resource.matchTagId(''tagKeys/123'', ''tagValues/456'')".' + properties: + description: + description: Optional. Description of the expression. + This is a longer text which describes the expression, + e.g. 
when hovered over it in a UI. + type: string + expression: + description: Textual representation of an expression + in Common Expression Language syntax. + type: string + location: + description: Optional. String indicating the location + of the expression for error reporting, e.g. a + file name and a position in the file. + type: string + title: + description: Optional. Title for the expression, + i.e. a short string describing its purpose. This + can be used e.g. in UIs which allow to enter the + expression. + type: string + type: object + denyAll: + description: Setting this to "TRUE" means that all values + are denied. This field can be set only in policies + for list constraints. + type: string + enforce: + description: If "TRUE", then the policy is enforced. + If "FALSE", then any configuration is acceptable. + This field can be set only in policies for boolean + constraints. + type: string + values: + description: List of values to be used for this policy + rule. This field can be set only in policies for list + constraints. + properties: + allowedValues: + description: List of values allowed at this resource. + items: + type: string + type: array + deniedValues: + description: List of values denied at this resource. + items: + type: string + type: array + type: object + type: object + type: array + updateTime: + description: Output only. The time stamp this was previously + updated. This represents the last time a call to CreatePolicy + or UpdatePolicy was made for that policy. + type: string + type: object + etag: + description: Optional. An opaque tag indicating the current state + of the policy, used for concurrency control. This 'etag' is + computed by the server based on the value of other fields, and + may be sent on update and delete requests to ensure the client + has an up-to-date value before proceeding. 
+ type: string + id: + description: an identifier for the resource with format {{parent}}/policies/{{name}} + type: string + parent: + description: The parent of the resource. + type: string + spec: + description: Basic information about the Organization Policy. + properties: + etag: + description: An opaque tag indicating the current version + of the Policy, used for concurrency control. This field + is ignored if used in a CreatePolicy request. When the Policy + is returned from either a GetPolicy or a ListPolicies request, + this etag indicates the version of the current Policy to + use when executing a read-modify-write loop. When the Policy + is returned from a GetEffectivePolicy request, the etag + will be unset. + type: string + inheritFromParent: + description: Determines the inheritance behavior for this + Policy. If inherit_from_parent is true, PolicyRules set + higher up in the hierarchy (up to the closest root) are + inherited and present in the effective policy. If it is + false, then no rules are inherited, and this Policy becomes + the new root for evaluation. This field can be set only + for Policies which configure list constraints. + type: boolean + reset: + description: Ignores policies set above this resource and + restores the constraint_default enforcement behavior of + the specific Constraint at this resource. This field can + be set in policies for either list or boolean constraints. + If set, rules must be empty and inherit_from_parent must + be set to false. + type: boolean + rules: + description: 'Up to 10 PolicyRules are allowed. In Policies + for boolean constraints, the following requirements apply: + - There must be one and only one PolicyRule where condition + is unset. - BooleanPolicyRules with conditions must set + enforced to the opposite of the PolicyRule without a condition. + - During policy evaluation, PolicyRules with conditions + that are true for a target resource take precedence.' 
+ items: + properties: + allowAll: + description: Setting this to "TRUE" means that all values + are allowed. This field can be set only in policies + for list constraints. + type: string + condition: + description: 'A condition which determines whether this + rule is used in the evaluation of the policy. When + set, the expression field in the `Expr'' must include + from 1 to 10 subexpressions, joined by the "||" or + "&&" operators. Each subexpression must be of the + form "resource.matchTag(''/tag_key_short_name, ''tag_value_short_name'')". + or "resource.matchTagId(''tagKeys/key_id'', ''tagValues/value_id'')". + where key_name and value_name are the resource names + for Label Keys and Values. These names are available + from the Tag Manager Service. An example expression + is: "resource.matchTag(''123456789/environment, ''prod'')". + or "resource.matchTagId(''tagKeys/123'', ''tagValues/456'')".' + properties: + description: + description: Optional. Description of the expression. + This is a longer text which describes the expression, + e.g. when hovered over it in a UI. + type: string + expression: + description: Textual representation of an expression + in Common Expression Language syntax. + type: string + location: + description: Optional. String indicating the location + of the expression for error reporting, e.g. a + file name and a position in the file. + type: string + title: + description: Optional. Title for the expression, + i.e. a short string describing its purpose. This + can be used e.g. in UIs which allow to enter the + expression. + type: string + type: object + denyAll: + description: Setting this to "TRUE" means that all values + are denied. This field can be set only in policies + for list constraints. + type: string + enforce: + description: If "TRUE", then the policy is enforced. + If "FALSE", then any configuration is acceptable. + This field can be set only in policies for boolean + constraints. 
+ type: string + values: + description: List of values to be used for this policy + rule. This field can be set only in policies for list + constraints. + properties: + allowedValues: + description: List of values allowed at this resource. + items: + type: string + type: array + deniedValues: + description: List of values denied at this resource. + items: + type: string + type: array + type: object + type: object + type: array + updateTime: + description: Output only. The time stamp this was previously + updated. This represents the last time a call to CreatePolicy + or UpdatePolicy was made for that Policy. + type: string + type: object + type: object + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: |- + LastTransitionTime is the last time this condition transitioned from one + status to another. + format: date-time + type: string + message: + description: |- + A Message containing details about this condition's last transition from + one status to another, if any. + type: string + observedGeneration: + description: |- + ObservedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + type: integer + reason: + description: A Reason for this condition's last transition from + one status to another. + type: string + status: + description: Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: |- + Type of this condition. At most one of each condition type may apply to + a resource at any point in time. 
+ type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + observedGeneration: + description: |- + ObservedGeneration is the latest metadata.generation + which resulted in either a ready state, or stalled due to error + it can not recover from without human intervention. + format: int64 + type: integer + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {}