Add org_policy_custom_constraint resource (#6608) (#12691)

* Add org_policy_custom_constraint resource * Update resource config to reflect beta version * Update handwritten test to reflect beta version * Update example to use beta version of the provider * Remove unnecessary TestCheckResourceAttr calls * Update name attribute to be specified as a shortname * Add full example * Tweak config and documentation per final PR comments Signed-off-by: Modular Magician <magic-modules@google.com> Signed-off-by: Modular Magician <magic-modules@google.com>
hashicorp · Sep 30, 2022 · 23b7bce · 23b7bce
1 parent 7787e27
commit 23b7bce
Show file tree

Hide file tree

Showing 3 changed files with 156 additions and 0 deletions.
diff --git a/.changelog/6608.txt b/.changelog/6608.txt
@@ -0,0 +1,3 @@
+```release-note:new-resource
+google_org_policy_custom_constraint
+```
diff --git a/google/resource_org_policy_custom_constraint_test.go b/google/resource_org_policy_custom_constraint_test.go
@@ -0,0 +1 @@
+package google
diff --git a/website/docs/r/org_policy_custom_constraint.html.markdown b/website/docs/r/org_policy_custom_constraint.html.markdown
@@ -0,0 +1,152 @@
+---
+# ----------------------------------------------------------------------------
+#
+#     ***     AUTO GENERATED CODE    ***    Type: MMv1     ***
+#
+# ----------------------------------------------------------------------------
+#
+#     This file is automatically generated by Magic Modules and manual
+#     changes will be clobbered when the file is regenerated.
+#
+#     Please read more about how to change this file in
+#     .github/CONTRIBUTING.md.
+#
+# ----------------------------------------------------------------------------
+subcategory: "Organization Policy"
+page_title: "Google: google_org_policy_custom_constraint"
+description: |-
+  Custom constraints are created by administrators to provide more granular and customizable control over the specific fields that are restricted by your organization policies.
+---
+
+# google\_org\_policy\_custom\_constraint
+
+Custom constraints are created by administrators to provide more granular and customizable control over the specific fields that are restricted by your organization policies.
+
+~> **Warning:** This resource is in beta, and should be used with the terraform-provider-google-beta provider.
+See [Provider Versions](https://terraform.io/docs/providers/google/guides/provider_versions.html) for more details on beta resources.
+
+To get more information about CustomConstraint, see:
+
+* [API documentation](https://cloud.google.com/resource-manager/docs/reference/orgpolicy/rest/v2/organizations.constraints)
+* How-to Guides
+    * [Official Documentation](https://cloud.google.com/resource-manager/docs/organization-policy/creating-managing-custom-constraints)
+    * [Supported Services](https://cloud.google.com/resource-manager/docs/organization-policy/custom-constraint-supported-services)
+
+## Example Usage - Org Policy Custom Constraint Basic
+
+
+```hcl
+resource "google_org_policy_custom_constraint" "constraint" {
+  provider = google-beta
+
+  name         = "custom.disableGkeAutoUpgrade"
+  parent       = "organizations/123456789"
+
+  action_type    = "ALLOW"
+  condition      = "resource.management.autoUpgrade == false"
+  method_types   = ["CREATE", "UPDATE"]
+  resource_types = ["container.googleapis.com/NodePool"]
+}
+```
+## Example Usage - Org Policy Custom Constraint Full
+
+
+```hcl
+resource "google_org_policy_custom_constraint" "constraint" {
+  provider = google-beta
+
+  name         = "custom.disableGkeAutoUpgrade"
+  parent       = "organizations/123456789"
+  display_name = "Disable GKE auto upgrade"
+  description  = "Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced."
+
+  action_type    = "ALLOW"
+  condition      = "resource.management.autoUpgrade == false"
+  method_types   = ["CREATE", "UPDATE"]
+  resource_types = ["container.googleapis.com/NodePool"]
+}
+
+resource "google_org_policy_policy" "bool" {
+  provider = google-beta
+
+  name   = "organizations/123456789/policies/${google_org_policy_custom_constraint.constraint.name}"
+  parent = "organizations/123456789"
+
+  spec {
+    rules {
+      enforce = "TRUE"
+    }
+  }
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+
+* `name` -
+  (Required)
+  Immutable. The name of the custom constraint. This is unique within the organization.
+
+* `condition` -
+  (Required)
+  A CEL condition that refers to a supported service resource, for example `resource.management.autoUpgrade == false`. For details about CEL usage, see [Common Expression Language](https://cloud.google.com/resource-manager/docs/organization-policy/creating-managing-custom-constraints#common_expression_language).
+
+* `action_type` -
+  (Required)
+  The action to take if the condition is met.
+  Possible values are `ALLOW` and `DENY`.
+
+* `method_types` -
+  (Required)
+  A list of RESTful methods for which to enforce the constraint. Can be `CREATE`, `UPDATE`, or both. Not all Google Cloud services support both methods. To see supported methods for each service, find the service in [Supported services](https://cloud.google.com/resource-manager/docs/organization-policy/custom-constraint-supported-services).
+
+* `resource_types` -
+  (Required)
+  Immutable. The fully qualified name of the Google Cloud REST resource containing the object and field you want to restrict. For example, `container.googleapis.com/NodePool`.
+
+* `parent` -
+  (Required)
+  The parent of the resource, an organization. Format should be `organizations/{organization_id}`.
+
+
+- - -
+
+
+* `display_name` -
+  (Optional)
+  A human-friendly name for the constraint.
+
+* `description` -
+  (Optional)
+  A human-friendly description of the constraint to display as an error message when the policy is violated.
+
+
+## Attributes Reference
+
+In addition to the arguments listed above, the following computed attributes are exported:
+
+* `id` - an identifier for the resource with format `{{parent}}/customConstraints/{{name}}`
+
+* `update_time` -
+  Output only. The timestamp representing when the constraint was last updated.
+
+
+## Timeouts
+
+This resource provides the following
+[Timeouts](/docs/configuration/resources.html#timeouts) configuration options:
+
+- `create` - Default is 20 minutes.
+- `update` - Default is 20 minutes.
+- `delete` - Default is 20 minutes.
+
+## Import
+
+
+CustomConstraint can be imported using any of these accepted formats:
+
+```
+$ terraform import google_org_policy_custom_constraint.default {{parent}}/customConstraints/{{name}}
+```