terraform-google-modules / terraform-google-org-policy

Manages Google Cloud organization policies
https://registry.terraform.io/modules/terraform-google-modules/org-policy/google
Apache License 2.0

[v2 policies] Excluding a project from an org policy turns off the org policy instead #70

Closed jpedro closed 1 year ago

jpedro commented 1 year ago

TL;DR

When adding an exclude_projects list for an organization policy it turns off the org-wide policy instead.

The issue seems to be that resource "google_org_policy_policy" "policy_boolean_exclude_projects" { in https://github.com/terraform-google-modules/terraform-google-org-policy/blob/master/modules/org_policy_v2/boolean_constraints.tf#L119-L130 uses the same parent_root type and ID, not the project itself.

Expected behavior

Just turn off the policy for the project itself, not the whole org.

Observed behavior

When I set the exclude_projects list this happens:

  # module.policies.module.organization["iam.automaticIamGrantsForDefaultServiceAccounts"].google_org_policy_policy.policy_boolean_exclude_projects["my-project-id"] will be created
  + resource "google_org_policy_policy" "policy_boolean_exclude_projects" {
      + id     = (known after apply)
      + name   = "organizations/xxx/policies/iam.automaticIamGrantsForDefaultServiceAccounts"
      + parent = "organizations/xxx"

      + spec {
          + etag        = (known after apply)
          + update_time = (known after apply)

          + rules {
              + enforce = "FALSE"
            }
        }
    }

Note how the parent for the policy is organizations/xxx, not the exclude project.

Terraform Configuration

module "test" {
  source  = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
  version = "~> 5.2"

  policy_root      = "organization"
  policy_root_id   = "xxx"
  constraint       = "iam.automaticIamGrantsForDefaultServiceAccounts"
  policy_type      = "boolean"
  exclude_folders  = []
  exclude_projects = ["my-project-id"]
  rules            = [
    {
      enforcement = true
      expression = ""
      location = ""
      title = ""
    }
  ]
}

Terraform Version

$ terraform --version
Terraform v1.3.2
on darwin_amd64
+ provider registry.terraform.io/hashicorp/google v4.41.0
+ provider registry.terraform.io/hashicorp/google-beta v4.41.0

Your version of Terraform is out of date! The latest version
is 1.3.6. You can update by downloading from https://www.terraform.io/downloads.html

Additional information

No response
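A pre-apply check for the symptom reported in this issue, added here as an example and not part of the module or the reporter's configuration: it reads the JSON form of a plan (terraform show -json plan.tfplan) and flags every exclude_projects instance whose parent is not the excluded project, since such an instance writes enforce = "FALSE" onto the root policy. The sample plan embedded below is constructed to mirror the plan excerpt above plus one correctly targeted instance; the resource name suffix and the field names it keys on are assumptions about the module, not verified against its source.

```python
"""Flag org-policy project exclusions whose parent is the org/folder root."""
import json
import re

# Constructed sample (not real plan output). First entry mirrors the
# excerpt in the issue; second shows the shape the reporter expected.
CONSTRAINT = "iam.automaticIamGrantsForDefaultServiceAccounts"
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": f'module.policies.module.organization["{CONSTRAINT}"]'
                '.google_org_policy_policy.policy_boolean_exclude_projects["my-project-id"]',
     "type": "google_org_policy_policy",
     "name": "policy_boolean_exclude_projects",
     "index": "my-project-id",
     "change": {"actions": ["create"],
                "after": {"parent": "organizations/xxx",
                          "name": f"organizations/xxx/policies/{CONSTRAINT}"}}},
    {"address": 'module.ok.google_org_policy_policy.policy_boolean_exclude_projects["other-project"]',
     "type": "google_org_policy_policy",
     "name": "policy_boolean_exclude_projects",
     "index": "other-project",
     "change": {"actions": ["create"],
                "after": {"parent": "projects/other-project",
                          "name": f"projects/other-project/policies/{CONSTRAINT}"}}},
]})

# Assumed naming convention: exclusion resources end in "exclude_projects".
EXCLUDE_RESOURCE = re.compile(r"exclude_projects$")


def misdirected_exclusions(plan_json: str) -> list:
    """Return exclusion instances whose parent is not 'projects/<excluded id>'.

    A parent of organizations/... or folders/... means the enforce=FALSE rule
    lands on the root policy and disables it for the whole tree.
    """
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "google_org_policy_policy":
            continue
        if not EXCLUDE_RESOURCE.search(rc.get("name", "")):
            continue
        if not {"create", "update"} & set(rc["change"].get("actions", [])):
            continue  # no-op or delete: nothing is being written
        after = rc["change"].get("after") or {}
        expected = f"projects/{rc.get('index')}"  # for_each key is the project id
        if after.get("parent") != expected:
            findings.append({"address": rc["address"], "parent": after.get("parent"),
                             "expected_parent": expected})
    return findings


if __name__ == "__main__":
    for f in misdirected_exclusions(SAMPLE_PLAN):
        print(f"MISDIRECTED {f['address']}: parent={f['parent']} expected={f['expected_parent']}")
```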