Merge pull request #64 from terraform-google-modules/adrienthebo/lien…

…-resource Add lien support to project-factory
terraform-google-modules · Dec 11, 2018 · 696a5a2 · 696a5a2
2 parents 5791b76 + 730bf88
commit 696a5a2
Show file tree

Hide file tree

Showing 5 changed files with 64 additions and 0 deletions.
diff --git a/main.tf b/main.tf
@@ -99,6 +99,17 @@ resource "google_project" "project" {
   app_engine = "${local.app_engine_config["${local.app_engine_enabled ? "enabled" : "disabled"}"]}"
 }
 
+/******************************************
+  Project lien
+ *****************************************/
+resource "google_resource_manager_lien" "lien" {
+  count        = "${var.lien ? 1 : 0}"
+  parent       = "projects/${google_project.project.number}"
+  restrictions = ["resourcemanager.projects.delete"]
+  origin       = "project-factory"
+  reason       = "Project Factory lien"
+}
+
 /******************************************
   APIs configuration
  *****************************************/

diff --git a/test/fixtures/full/main.tf b/test/fixtures/full/main.tf
@@ -47,6 +47,7 @@ module "project-factory" {
   sa_role             = "${var.sa_role}"
   sa_group            = "${var.sa_group}"
   credentials_path    = "${var.credentials_path}"
+  lien                = "true"
 
   activate_apis = [
     "compute.googleapis.com",

diff --git a/test/integration/full/controls/project-factory.rb b/test/integration/full/controls/project-factory.rb
@@ -64,6 +64,35 @@
       expect(service_accounts).to include extra_service_account_email
     end
   end
+
+  describe command("gcloud alpha resource-manager liens list --project #{project_id} --format=json") do
+    its('exit_status') { should be 0 }
+    its('stderr') { should eq '' }
+
+    let(:liens) do
+      if subject.exit_status == 0
+        JSON.parse(subject.stdout, symbolize_names: true)
+      else
+        []
+      end
+    end
+
+    it "has one lien" do
+      expect(liens.count).to eq 1
+    end
+
+    it "sets the lien origin" do
+      expect(liens.first).to include(origin: 'project-factory')
+    end
+
+    it "sets the lien reason" do
+      expect(liens.first).to include(reason: 'Project Factory lien')
+    end
+
+    it "restricts the delete permission on the project" do
+      expect(liens.first).to include(restrictions: ['resourcemanager.projects.delete'])
+    end
+  end
 end
 
 control 'project-factory-sa-role' do

diff --git a/test/integration/minimal/controls/minimal.rb b/test/integration/minimal/controls/minimal.rb
@@ -50,4 +50,21 @@
 
     it { expect(service_accounts).to include service_account_email }
   end
+
+  describe command("gcloud alpha resource-manager liens list --project #{project_id} --format=json") do
+    its('exit_status') { should be 0 }
+    its('stderr') { should eq '' }
+
+    let(:liens) do
+      if subject.exit_status == 0
+        JSON.parse(subject.stdout, symbolize_names: true)
+      else
+        []
+      end
+    end
+
+    it "has no liens" do
+      expect(liens).to be_empty
+    end
+  end
 end
diff --git a/variables.tf b/variables.tf
@@ -129,3 +129,9 @@ variable "app_engine" {
   type        = "map"
   default     = {}
 }
+
+variable "lien" {
+  description = "Add a lien on the project to prevent accidental deletion"
+  default     = "false"
+  type        = "string"
+}