
Support of GCP Custom Org Policy via Module

Open Gauravkumargupta opened this issue 1 year ago • 1 comments

TL;DR

Google Cloud supports the creation of custom organisation policies, but we're not able to enforce a custom org policy via the Terraform module. I tried different versions of the module, i.e. 5.4.0, 4.0.0 and 3.0.2, but none of them work.

Expected behavior

It should be enforced, as enforcement of prebuilt policies is working fine via the above module code.

Observed behavior

```text
module.orgPolicy-RestrictOwnerEditorRole.google_organization_policy.org_policy_boolean[0]: Creating...
╷
│ Error: googleapi: Error 404: Requested entity was not found., notFound
│
│   with module.orgPolicy-RestrictOwnerEditorRole.google_organization_policy.org_policy_boolean[0],
│   on .terraform/modules/RestrictOwnerEditorRole/boolean_constraints.tf line 20, in resource "google_organization_policy" "org_policy_boolean":
│   20: resource "google_organization_policy" "org_policy_boolean" {
```

Terraform Configuration

```hcl
module "orgPolicy-RestrictOwnerEditorRole" {
  source          = "git::https://github.com/terraform-google-modules/terraform-google-org-policy.git?ref=v5.4.0"
  organization_id = "org-id"
  constraint      = "constraints/custom.CusPolicyRestrictOwnerRole"
  policy_type     = "boolean"
  policy_for      = "organization"
  enforce         = true
}
```

Terraform Version

v3.2.3

Additional information

No response

Gauravkumargupta, Oct 14 '24 08:10

@Gauravkumargupta you need to use org policy module v2 for custom constraint.

imrannayer, Oct 22 '24 21:10

@imrannayer I'm getting the below error while running the plan to create the custom org policy, using the below backend.tf & main.tf.

#backend.tf

```hcl
provider "google" {
}

terraform {
  required_version = ">=0.13.0"
}
```

#main.tf

```hcl
resource "google_org_policy_custom_constraint" "constraint" {
  # some code
}
```

#ERROR

```text
The provider hashicorp/google does not support resource type "google_org_policy_custom_constraint"
```

Gauravkumargupta, Nov 04 '24 11:11

Make sure you are using provider version 5.3+, as it was GA in version 5.3.

imrannayer, Nov 04 '24 16:11

@imrannayer we don't set any specific version of the google provider in our code, which means it takes the latest one. I shared the backend.tf code in the above response. Does it require any change in backend.tf?

I'm also using the below module to enforce the custom org policy once it's created via the google_org_policy_custom_constraint resource block. Could it be a dependency issue?

```hcl
module "gcp_org_policy_v2" {
  source      = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
  version     = "~> 5.2.0"
  policy_root = "organization"
  # ...
}
```

Gauravkumargupta, Nov 05 '24 06:11

Also, when I define a specific version of the google provider in backend.tf, it also throws an error. Not sure why it's checking for this condition at 12:56:42: "Finding hashicorp/google versions matching ">= 3.53.0, < 5.0.0, 5.34.0"..."

backend.tf

```hcl
provider "google" {
}

provider "google-beta" {
}

terraform {
  required_version = ">=0.13.0"

  required_providers {
    google = {
      version = "5.34.0"
    }
    google-beta = {
      version = "5.34.0"
    }
  }
}
```

Jenkins job output while running terraform init & plan:

```text
12:56:42 Initializing the backend...
12:56:42
12:56:42 Successfully configured the backend "gcs"! Terraform will automatically
12:56:42 use this backend unless the backend configuration changes.
12:56:42
12:56:42 Initializing provider plugins...
12:56:42 - Finding hashicorp/google versions matching ">= 3.53.0, < 5.0.0, 5.34.0"...
12:56:42 - Finding hashicorp/google-beta versions matching "5.34.0"...
12:56:46 - Finding latest version of hashicorp/null...
12:56:49 - Installing hashicorp/google-beta v5.34.0...
12:56:50 - Installed hashicorp/google-beta v5.34.0 (signed by HashiCorp)
12:56:53 - Installing hashicorp/null v3.2.3...
12:56:54 - Installed hashicorp/null v3.2.3 (signed by HashiCorp)
12:56:54 ╷
12:56:54 │ Error: Failed to query available provider packages
12:56:54 │
12:56:54 │ Could not retrieve the list of available versions for provider
12:56:54 │ hashicorp/google: no available releases match the given constraints >=
12:56:54 │ 3.53.0, < 5.0.0, 5.34.0
```

Gauravkumargupta, Nov 05 '24 07:11

@imrannayer I fixed the issue. The error was because of the module version I was using:

```hcl
source  = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
version = "~> 5.2.0"
```

When I switched to version 5.3.0 of the module, I no longer see the error for resource type "google_org_policy_custom_constraint".

Is there any dependency on both?

Gauravkumargupta, Nov 05 '24 09:11

Your code was failing because 5.2 has a maximum allowed provider version of 4.X. 5.3 relaxed the requirement. Usually when you call a module you allow minor version upgrades to keep up with new features but avoid major upgrades, which can be breaking changes. Your module version should be as follows. This will allow automatic upgrade to any latest 5.X version and block 6.X versions.

```hcl
version = "~> 5.2"
```

imrannayer, Nov 05 '24 21:11
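As an added example (not code from this thread, the module, or HashiCorp): a small Python model of the Terraform version-constraint rules the thread turns on, namely the `~>` pessimistic operator and the fact that a root module's provider pin is ANDed with every child module's own constraint. It replays why `5.34.0` could never satisfy `>= 3.53.0, < 5.0.0` and why `~> 5.2.0` (held at 5.2.x) differs from `~> 5.2` (any 5.x). The release list is constructed, not the real registry.

```python
import re

_CLAUSE = re.compile(r"^\s*(~>|>=|<=|!=|=|>|<)?\s*(\d+(?:\.\d+){0,2})\s*$")

def parse_version(text):
    """'5.34.0' -> (5, 34, 0); shorter versions are padded with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"not a version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def parse_constraint(text):
    """Expand a Terraform constraint string into (op, version-tuple) clauses.
    Comma-separated clauses are ANDed, which is also how Terraform combines a
    root module's pin with the constraints declared inside child modules."""
    clauses = []
    for raw in text.split(","):
        m = _CLAUSE.match(raw)
        if not m:
            raise ValueError(f"bad clause: {raw!r}")
        op, ver = m.group(1) or "=", m.group(2)
        if op == "~>":
            # Pessimistic operator: only the rightmost written component may grow.
            # '~> 5.2.0' => >= 5.2.0, < 5.3.0     '~> 5.2' => >= 5.2.0, < 6.0.0
            nums = [int(p) for p in ver.split(".")]
            bump = nums[:-1] if len(nums) > 1 else nums[:]
            bump[-1] += 1
            clauses.append((">=", parse_version(ver)))
            clauses.append(("<", tuple(bump + [0] * (3 - len(bump)))))
        else:
            clauses.append((op, parse_version(ver)))
    return clauses

_OPS = {"=": lambda v, b: v == b, "!=": lambda v, b: v != b,
        ">": lambda v, b: v > b, ">=": lambda v, b: v >= b,
        "<": lambda v, b: v < b, "<=": lambda v, b: v <= b}

def satisfies(version, constraint):
    """True when `version` meets every clause of `constraint`."""
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in parse_constraint(constraint))

def newest_match(candidates, constraint):
    """Highest candidate version satisfying the constraint, or None."""
    ok = [c for c in candidates if satisfies(c, constraint)]
    return max(ok, key=parse_version) if ok else None

# Constructed release list (not the real registry) used to replay the init log:
# org_policy_v2 5.2.x demands '>= 3.53.0, < 5.0.0', the root pins '5.34.0'.
RELEASES = ["4.85.0", "5.2.0", "5.34.0", "5.44.0", "6.0.0"]
FAILING = ">= 3.53.0, < 5.0.0, 5.34.0"
```

`newest_match(RELEASES, FAILING)` returns `None`, reproducing the "no available releases match" failure; with the module's constraint alone the newest match is 4.85.0, which is why a 5.x provider needed the 5.3 module release.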