* Add org_policy_custom_constraint resource
* Update resource config to reflect beta version
* Update handwritten test to reflect beta version
* Update example to use beta version of the provider
* Remove unnecessary TestCheckResourceAttr calls
* Update name attribute to be specified as a shortname
* Add full example
* Tweak config and documentation per final PR comments

Signed-off-by: Modular Magician <magic-modules@google.com>
Signed-off-by: Modular Magician <magic-modules@google.com>
1 parent 7787e27, commit 23b7bce
Showing 3 changed files with 156 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
```release-note:new-resource | ||
google_org_policy_custom_constraint | ||
``` |
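Review bot: the release note on the second added line names `google_org_policy_custom_constraint` without marking it as beta, while the documentation added in this same commit warns that the resource is in beta and should be used with the terraform-provider-google-beta provider. Suggest writing the entry as `google_org_policy_custom_constraint (beta)` so that someone reading only the changelog does not expect the resource in the GA provider.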
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
package google |
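Review bot: the single added line `package google` is the entire file, and nothing says why it carries no code. If it is intentionally empty because the resource ships only in the beta provider (the commit message speaks of updating the config and the handwritten test to reflect the beta version), a one-line comment to that effect would keep it from reading as a truncated commit. None of the three changed files is a test, so it is also worth confirming where the handwritten test mentioned in the commit message lives.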
152 changes: 152 additions & 0 deletions
website/docs/r/org_policy_custom_constraint.html.markdown
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,152 @@ | ||
--- | ||
# ---------------------------------------------------------------------------- | ||
# | ||
# *** AUTO GENERATED CODE *** Type: MMv1 *** | ||
# | ||
# ---------------------------------------------------------------------------- | ||
# | ||
# This file is automatically generated by Magic Modules and manual | ||
# changes will be clobbered when the file is regenerated. | ||
# | ||
# Please read more about how to change this file in | ||
# .github/CONTRIBUTING.md. | ||
# | ||
# ---------------------------------------------------------------------------- | ||
subcategory: "Organization Policy" | ||
page_title: "Google: google_org_policy_custom_constraint" | ||
description: |- | ||
Custom constraints are created by administrators to provide more granular and customizable control over the specific fields that are restricted by your organization policies. | ||
--- | ||
|
||
# google\_org\_policy\_custom\_constraint | ||
|
||
Custom constraints are created by administrators to provide more granular and customizable control over the specific fields that are restricted by your organization policies. | ||
|
||
~> **Warning:** This resource is in beta, and should be used with the terraform-provider-google-beta provider. | ||
See [Provider Versions](https://terraform.io/docs/providers/google/guides/provider_versions.html) for more details on beta resources. | ||
|
||
To get more information about CustomConstraint, see: | ||
|
||
* [API documentation](https://cloud.google.com/resource-manager/docs/reference/orgpolicy/rest/v2/organizations.constraints) | ||
* How-to Guides | ||
* [Official Documentation](https://cloud.google.com/resource-manager/docs/organization-policy/creating-managing-custom-constraints) | ||
* [Supported Services](https://cloud.google.com/resource-manager/docs/organization-policy/custom-constraint-supported-services) | ||
|
||
## Example Usage - Org Policy Custom Constraint Basic | ||
|
||
|
||
```hcl | ||
resource "google_org_policy_custom_constraint" "constraint" { | ||
provider = google-beta | ||
name = "custom.disableGkeAutoUpgrade" | ||
parent = "organizations/123456789" | ||
action_type = "ALLOW" | ||
condition = "resource.management.autoUpgrade == false" | ||
method_types = ["CREATE", "UPDATE"] | ||
resource_types = ["container.googleapis.com/NodePool"] | ||
} | ||
``` | ||
## Example Usage - Org Policy Custom Constraint Full | ||
|
||
|
||
```hcl | ||
resource "google_org_policy_custom_constraint" "constraint" { | ||
provider = google-beta | ||
name = "custom.disableGkeAutoUpgrade" | ||
parent = "organizations/123456789" | ||
display_name = "Disable GKE auto upgrade" | ||
description = "Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled where this custom constraint is enforced." | ||
action_type = "ALLOW" | ||
condition = "resource.management.autoUpgrade == false" | ||
method_types = ["CREATE", "UPDATE"] | ||
resource_types = ["container.googleapis.com/NodePool"] | ||
} | ||
resource "google_org_policy_policy" "bool" { | ||
provider = google-beta | ||
name = "organizations/123456789/policies/${google_org_policy_custom_constraint.constraint.name}" | ||
parent = "organizations/123456789" | ||
spec { | ||
rules { | ||
enforce = "TRUE" | ||
} | ||
} | ||
} | ||
``` | ||
|
||
## Argument Reference | ||
|
||
The following arguments are supported: | ||
|
||
|
||
* `name` - | ||
(Required) | ||
Immutable. The name of the custom constraint. This is unique within the organization. | ||
|
||
* `condition` - | ||
(Required) | ||
A CEL condition that refers to a supported service resource, for example `resource.management.autoUpgrade == false`. For details about CEL usage, see [Common Expression Language](https://cloud.google.com/resource-manager/docs/organization-policy/creating-managing-custom-constraints#common_expression_language). | ||
|
||
* `action_type` - | ||
(Required) | ||
The action to take if the condition is met. | ||
Possible values are `ALLOW` and `DENY`. | ||
|
||
* `method_types` - | ||
(Required) | ||
A list of RESTful methods for which to enforce the constraint. Can be `CREATE`, `UPDATE`, or both. Not all Google Cloud services support both methods. To see supported methods for each service, find the service in [Supported services](https://cloud.google.com/resource-manager/docs/organization-policy/custom-constraint-supported-services). | ||
|
||
* `resource_types` - | ||
(Required) | ||
Immutable. The fully qualified name of the Google Cloud REST resource containing the object and field you want to restrict. For example, `container.googleapis.com/NodePool`. | ||
|
||
* `parent` - | ||
(Required) | ||
The parent of the resource, an organization. Format should be `organizations/{organization_id}`. | ||
|
||
|
||
- - - | ||
|
||
|
||
* `display_name` - | ||
(Optional) | ||
A human-friendly name for the constraint. | ||
|
||
* `description` - | ||
(Optional) | ||
A human-friendly description of the constraint to display as an error message when the policy is violated. | ||
|
||
|
||
## Attributes Reference | ||
|
||
In addition to the arguments listed above, the following computed attributes are exported: | ||
|
||
* `id` - an identifier for the resource with format `{{parent}}/customConstraints/{{name}}` | ||
|
||
* `update_time` - | ||
Output only. The timestamp representing when the constraint was last updated. | ||
|
||
|
||
## Timeouts | ||
|
||
This resource provides the following | ||
[Timeouts](/docs/configuration/resources.html#timeouts) configuration options: | ||
|
||
- `create` - Default is 20 minutes. | ||
- `update` - Default is 20 minutes. | ||
- `delete` - Default is 20 minutes. | ||
|
||
## Import | ||
|
||
|
||
CustomConstraint can be imported using any of these accepted formats: | ||
|
||
``` | ||
$ terraform import google_org_policy_custom_constraint.default {{parent}}/customConstraints/{{name}} | ||
``` |
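Review bot: under Argument Reference, `action_type` is documented only as "The action to take if the condition is met", which leaves open what happens to a request that does not meet the condition. The Full example's description ("Only allow GKE NodePool resource to be created or updated if AutoUpgrade is not enabled ...") implies that `ALLOW` rejects everything that fails the condition; the argument text should say so explicitly for both `ALLOW` and `DENY`, because reading it the other way round inverts the control an administrator believes is enforced. The `name` entry would also benefit from a stated format: both examples use a `custom.` prefix and the commit message says the name is now given as a shortname, but the reference text only says it is immutable and unique within the organization.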