terraform-google-modules / terraform-google-org-policy

Manages Google Cloud organization policies
https://registry.terraform.io/modules/terraform-google-modules/org-policy/google
Apache License 2.0

Bad request 400 trying to set boolean policy on a folder #55

Closed natarajmb closed 2 years ago

natarajmb commented 2 years ago

TL;DR

Setting org_cloudsql_external_ip_access on a folder with enforce set to false fails with a bad request. Is this not supported on the folder?

Expected behavior

Applies the policy at the folder and while creating an individual resource can enforce it.

Observed behavior

Get an error while applying org-policy from CFT

Error: Error when reading or editing Organization policy for folders/nordcloud: googleapi: Error 400: Request contains an invalid argument., badRequest

with module.org_cloudsql_external_ip_access.google_folder_organization_policy.folder_policy_boolean[0], on .terraform/modules/org_cloudsql_external_ip_access/boolean_constraints.tf line 34, in resource "google_folder_organization_policy" "folder_policy_boolean": 34: resource "google_folder_organization_policy" "folder_policy_boolean" {

Terraform Configuration

module "org_cloudsql_external_ip_access" {
  source          = "terraform-google-modules/org-policy/google"
  version         = "~> 5.1.0"
  organization_id = local.organization_id
  folder_id       = local.folder_id
  policy_for      = local.policy_for
  policy_type     = "boolean"
  enforce         = "false"
  constraint      = "constraints/sql.restrictPublicIp"
}

Terraform Version

Terraform v1.1.0

Additional information

https://cloud.google.com/resource-manager/docs/organization-policy/understanding-hierarchy

Quote from above link

Organization policies that are derived from boolean constraints do not merge and reconcile policies. If a policy is specified on a resource node, that TRUE or FALSE value is used to determine the effective policy. For example:

A folder sets enforced: true for constraints/compute.disableSerialPortAccess.

A project underneath that folder sets enforced: false for constraints/compute.disableSerialPortAccess.

The enforced: true value set on the folder is ignored because enforced: false is defined on the project itself. The organization policy will not enforce the constraint for that project.

If a boolean policy is set to enforce=false, and if a resource is created under the folder that violates the constraints does it get notified anywhere in SCS or audit log?

morgante commented 2 years ago

If a boolean policy is set to enforce=false, and if a resource is created under the folder that violates the constraints does it get notified anywhere in SCS or audit log?

No. The point of enforce = false is to disable the policy—so resources are not in violation.
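The resolution rule quoted from the hierarchy docs, and the reply that an enforce = false policy leaves nothing in violation, can be modelled directly. The following is an added example, not code from the issue or from the terraform-google-org-policy module: it walks a constructed organization/folder/project tree and returns the effective value of a boolean constraint from the nearest node that sets one. Resource names and the default used for a constraint that no node sets are constructed assumptions; real constraint defaults vary per constraint.

```python
"""Effective boolean org policy under the non-merging hierarchy rule.

Added example (not the module's or the reporter's code). Boolean constraints
do not merge: the nearest node with an explicit `enforced` value decides.
Resource names and the default for an unset constraint are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SQL_PUBLIC_IP = "constraints/sql.restrictPublicIp"           # from the issue
SERIAL_PORT = "constraints/compute.disableSerialPortAccess"  # from the docs quote


@dataclass
class Node:
    """One resource node (organization, folder or project)."""
    name: str
    parent: Optional["Node"] = None
    # constraint -> enforced; an absent key means "no policy here, inherit"
    policies: Dict[str, bool] = field(default_factory=dict)


def effective_enforced(node: Node, constraint: str,
                       default_enforced: bool = False) -> Tuple[bool, str]:
    """Return (enforced, deciding_node) for a boolean constraint.

    The walk stops at the first node, starting with the resource itself,
    that sets the constraint; ancestors above it are ignored. If no node
    sets it, the constraint default applies (constructed here as
    not-enforced).
    """
    cur: Optional[Node] = node
    while cur is not None:
        if constraint in cur.policies:
            return cur.policies[constraint], cur.name
        cur = cur.parent
    return default_enforced, "<constraint default>"


def is_violation(node: Node, constraint: str, has_restricted_property: bool) -> bool:
    """A resource violates the policy only when the effective policy is
    enforced AND it has the property the constraint restricts. With
    enforced=false resolved at the folder, nothing underneath is a
    violation, so there is nothing for a finding or audit entry to report."""
    enforced, _ = effective_enforced(node, constraint)
    return enforced and has_restricted_property


def build_sample_hierarchy() -> Dict[str, Node]:
    """Constructed hierarchy mirroring the issue config and the docs example."""
    org = Node("organizations/EXAMPLE_ORG")
    # Folder from the issue: enforce = false on sql.restrictPublicIp, plus the
    # docs example's enforced: true on the serial-port constraint
    folder = Node("folders/EXAMPLE_FOLDER", org,
                  {SQL_PUBLIC_IP: False, SERIAL_PORT: True})
    # Project from the docs example: overrides the folder's serial-port policy
    project_override = Node("projects/example-override", folder, {SERIAL_PORT: False})
    # Sibling project with no policies of its own, so it inherits from the folder
    project_inherit = Node("projects/example-inherit", folder)
    return {"org": org, "folder": folder,
            "override": project_override, "inherit": project_inherit}


if __name__ == "__main__":
    nodes = build_sample_hierarchy()
    for key in ("override", "inherit"):
        for c in (SQL_PUBLIC_IP, SERIAL_PORT):
            enforced, where = effective_enforced(nodes[key], c)
            print(f"{nodes[key].name:26} {c:44} enforced={enforced!s:5} (from {where})")
    # A Cloud SQL instance with a public IP under the folder: not a violation
    print("public-IP SQL instance violates?",
          is_violation(nodes["inherit"], SQL_PUBLIC_IP, has_restricted_property=True))
```

Running the script shows the two behaviours the thread discusses: the project that sets enforced: false overrides its folder's enforced: true, and a project with no policy of its own takes whatever the folder set, so an enforce = false folder policy makes public-IP instances under it compliant rather than flagged.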