terraform-google-modules / terraform-google-org-policy

Manages Google Cloud organization policies
https://registry.terraform.io/modules/terraform-google-modules/org-policy/google
Apache License 2.0

Terraform Org Policy V2 Dry Run Support #134

Open kevinschmidtG opened 2 months ago

kevinschmidtG commented 2 months ago

TL;DR

The Terraform org_policy_v2 module doesn't support Dry Run Mode.

Terraform Resources

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/org_policy_policy#example-usage---dry_run_spec

Detailed design

Ideally, when creating a policy in org_policy_v2, there would be a boolean variable "dry_run_mode" that would create the policy in dry run mode when set to "TRUE", and have the policy created normally when set to "FALSE".

Given that there are currently only 3 constraints that support dry run (https://cloud.google.com/resource-manager/docs/organization-policy/dry-run-policy#limitations), an additional design add would be a validation check on the constraint so that dry_run_mode would only be usable if one of those constraints was used in the policy.

Additional information

When trying to create a policy with dry run mode enabled in Terraform, errors occur. A similar error occurs when trying to use both the org_policy_v2 module with the google_org_policy_policy resource, saying they are conflicting.

I'm guessing there is a conflict in how the org_policy_v2 module handles the spec block vs. how google_org_policy_policy does that causes conflicts when trying to use both. Having the org_policy_v2 module support dry_run_mode natively would alleviate this conflict.
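A sketch of the toggle and validation check requested above, added here as an illustration; it is not part of the issue and not code from the org_policy_v2 module. All variable names are hypothetical, the constraint is assumed to be a boolean one, the supported-constraint list is left for the caller to fill in from the linked limitations page, and `precondition` assumes Terraform 1.2 or later.

```hcl
# Hypothetical sketch: every variable name below is an assumption,
# not an existing input of the org_policy_v2 module.
variable "parent" {
  type = string # e.g. "projects/PROJECT_ID" (placeholder)
}
variable "constraint" {
  type = string # boolean constraint name, without the "constraints/" prefix
}
variable "dry_run_mode" {
  type    = bool
  default = false
}
variable "dry_run_supported_constraints" {
  type    = list(string) # fill in from the limitations page linked in the issue
  default = []
}

resource "google_org_policy_policy" "this" {
  name   = "${var.parent}/policies/${var.constraint}"
  parent = var.parent

  # Live enforcement: emitted only when dry_run_mode is false.
  dynamic "spec" {
    for_each = var.dry_run_mode ? [] : [1]
    content {
      rules {
        enforce = "TRUE"
      }
    }
  }

  # Dry run: emitted only when dry_run_mode is true.
  dynamic "dry_run_spec" {
    for_each = var.dry_run_mode ? [1] : []
    content {
      rules {
        enforce = "TRUE"
      }
    }
  }

  # Fail the plan when dry run is requested for a constraint not on the list.
  lifecycle {
    precondition {
      condition     = !var.dry_run_mode || contains(var.dry_run_supported_constraints, var.constraint)
      error_message = "dry_run_mode is set, but this constraint is not in dry_run_supported_constraints."
    }
  }
}
```

Because exactly one of the two blocks is emitted, flipping `dry_run_mode` from true to false moves the same rule from dry run to live enforcement on the next apply.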

github-actions[bot] commented 4 days ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment, or this will be closed in 7 days.