cloudsecuritycompliace: replace organization with parent to support PLE #17644
priyankksingh wants to merge 16 commits into
Googlers: For automatic test runs see go/terraform-auto-test-runs. @slevenick, a repository maintainer, has been assigned to review your changes. If you have not received review feedback within 2 business days, please leave a comment on this PR asking them to take a look. You can help make sure that review is quick by doing a self-review and by running impacted tests locally.
@slevenick Can you please review the PR?
slevenick
left a comment
We can't remove a field like organization on these resources as it will be a breaking change for users who have current configurations that use it.
We can discuss other options to achieve the goals here.
Hi there, I'm the Modular magician. I've detected the following information about your changes for commit 96969a5:
Diff report
Your PR generated the following diffs in downstream repositories:
Breaking Change(s) Detected
The following breaking change(s) were detected within your pull request.
If you believe this detection to be incorrect please raise the concern with your reviewer.
Missing test report
Your PR includes resource fields which are not covered by any test.
Resource:
resource "google_cloud_security_compliance_cloud_control" "primary" {
  organization = # value needed
}
Resource:
resource "google_cloud_security_compliance_framework" "primary" {
  organization = # value needed
}
Test report
Analytics
Affected Service Packages
Step 1: Replaying Mode
Action taken
Found 10 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit.
View the replaying VCR build log
Step 2: Recording Mode
🟢 All tests passed! View the recording VCR build log or the debug logs folder for detailed results.
@priyankksingh VCR tests complete for 96969a5!
slevenick
left a comment
Per offline comms, dismissing review until it's fully implemented
@slevenick PR is ready for review. I have tested locally for all the 3 resources with old and new schema changes.
Hi there, I'm the Modular magician. I've detected the following information about your changes for commit 5dc0f55:
Diff report
Your PR generated the following diffs in downstream repositories:
Missing test report
Your PR includes resource fields which are not covered by any test.
Resource:
resource "google_cloud_security_compliance_framework_deployment" "primary" {
  organization = # value needed
}
Test report
Analytics
Affected Service Packages
Step 1: Replaying Mode
Action taken
Found 5 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit.
View the replaying VCR build log
Step 2: Recording Mode
Caution: Issues requiring attention before PR completion
🔴 Initial Recording Failed: Some tests failed during the recording step. See the table above for details. Please address these issues to complete your PR. If you believe these detections are incorrect or unrelated to your change, please raise the concern with your reviewer.
View the recording VCR build log or the debug logs folder for detailed results.
@priyankksingh, @slevenick VCR tests complete for 5dc0f55!
| parent = "organizations/%{org_id}" | ||
| location = "global" | ||
| cloud_control_id = "tf-test-%{random_suffix}" | ||
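Review bot: The test config at parent = "organizations/%{org_id}" covers only the organization-level form of the new field, while the change exists to allow project-level parents. Suggest adding a variant of this config whose parent is a projects/... value, so that create and read are exercised for that form and the resulting ID is checked.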
Add tests for all of these resources that switch from specifying organization to parent and ensure there are no changes.
| create_url: '{{parent}}/locations/{{location}}/cloudControls?cloudControlId={{cloud_control_id}}' | ||
| update_verb: PATCH | ||
| id_format: organizations/{{organization}}/locations/{{location}}/cloudControls/{{cloud_control_id}} | ||
| id_format: '{{parent}}/locations/{{location}}/cloudControls/{{cloud_control_id}}' |
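Review bot: create_url and the new id_format interpolate {{parent}} verbatim as the leading path segment, and nothing in these lines restricts what that string may contain. Suggest validating parent against the two intended shapes (organizations/<id> and projects/<id>) before it reaches the URL, and confirming that a config setting only organization still renders the same ID as the old organizations/{{organization}}/... format so existing state does not change.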
How does this work if parent is undefined?

Description
This PR introduces Project Level Enablement (PLE) support for Cloud Security Compliance resources. Previously, these resources were strictly bound to the organization level. This change allows users to create and manage controls, frameworks, and deployments at the project level as well.
Key Changes:
- parent: Replaced the hardcoded organization parameter with a flexible parent parameter across CloudControl, Framework, and FrameworkDeployment.
- organization field is now marked as deprecated, but old configurations remain fully supported.
- exactly_one_of: [parent, organization] with both fields marked as optional: true to allow seamless migration.
- pre_create custom code hook (cloudsecuritycompliance_set_parent.go.tmpl) to automatically construct the parent string for users who only provide organization.
- organizations/{{%organization}}/... format as the first entry in import_format, ensuring no state corruption for existing users.
- diff_suppress_func: 'tpgresource.CompareResourceNames' to targetResourceConfig.existingTargetResource in FrameworkDeployment.yaml to prevent state drift when the API normalizes between project IDs and project numbers.

Release Note Template for Downstream PRs
See Write release notes for guidance.
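
The backward-compatible resolution the description outlines (exactly one of parent or organization, with parent derived from organization when only the deprecated field is set), as an added Go example that is not the PR's hook or the provider's code. ResolveParent, CloudControlID and the parent pattern are hypothetical names and assumptions; the ID layout follows the id_format shown in the diff.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// parentRe accepts only organization-level and project-level parents.
// Assumed pattern for illustration; it is not taken from the PR.
var parentRe = regexp.MustCompile(`^(organizations|projects)/[A-Za-z0-9][A-Za-z0-9:.\-]*$`)

// ResolveParent (hypothetical helper) enforces exactly-one-of
// {parent, organization} and derives parent from the deprecated field.
func ResolveParent(parent, organization string) (string, error) {
	switch {
	case parent != "" && organization != "":
		return "", errors.New("only one of parent or organization may be set")
	case parent == "" && organization == "":
		return "", errors.New("one of parent or organization is required")
	case organization != "":
		parent = "organizations/" + organization
	}
	// Reject anything that could add or escape path segments in the URL.
	if !parentRe.MatchString(parent) {
		return "", fmt.Errorf("invalid parent %q", parent)
	}
	return parent, nil
}

// CloudControlID renders {{parent}}/locations/{{location}}/cloudControls/{{cloud_control_id}}.
func CloudControlID(parent, organization, location, id string) (string, error) {
	p, err := ResolveParent(parent, organization)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%s/locations/%s/cloudControls/%s", p, location, id), nil
}

func main() {
	// Constructed sample inputs: {parent, organization}.
	inputs := [][2]string{{"", "123456"}, {"organizations/123456", ""},
		{"projects/my-proj", ""}, {"", ""}, {"projects/../x", ""}}
	for _, in := range inputs {
		id, err := CloudControlID(in[0], in[1], "global", "tf-test-abc")
		fmt.Printf("parent=%q organization=%q -> id=%q err=%v\n", in[0], in[1], id, err)
	}
}
```

The first two inputs render the same ID, which is the property a migration test from organization to parent needs to hold for existing state.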