Merge pull request #15316 from nikhil-goenka/f/aws_organizations_policy

f/aws_organizations_policy:support for tags

aws/resource_aws_organizations_policy.go

@@ -10,6 +10,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+	"github.com/terraform-providers/terraform-provider-aws/aws/internal/keyvaluetags"
 )
 
 func resourceAwsOrganizationsPolicy() *schema.Resource {
@@ -53,6 +54,7 @@ func resourceAwsOrganizationsPolicy() *schema.Resource {
 					organizations.PolicyTypeTagPolicy,
 				}, false),
 			},
+			"tags": tagsSchema(),
 		},
 	}
 }
@@ -68,6 +70,7 @@ func resourceAwsOrganizationsPolicyCreate(d *schema.ResourceData, meta interface
 		Description: aws.String(d.Get("description").(string)),
 		Name:        aws.String(d.Get("name").(string)),
 		Type:        aws.String(d.Get("type").(string)),
+		Tags:        keyvaluetags.New(d.Get("tags").(map[string]interface{})).IgnoreAws().OrganizationsTags(),
 	}
 
 	log.Printf("[DEBUG] Creating Organizations Policy: %s", input)
@@ -103,6 +106,7 @@ func resourceAwsOrganizationsPolicyCreate(d *schema.ResourceData, meta interface
 
 func resourceAwsOrganizationsPolicyRead(d *schema.ResourceData, meta interface{}) error {
 	conn := meta.(*AWSClient).organizationsconn
+	ignoreTagsConfig := meta.(*AWSClient).IgnoreTagsConfig
 
 	input := &organizations.DescribePolicyInput{
 		PolicyId: aws.String(d.Id()),
@@ -130,6 +134,16 @@ func resourceAwsOrganizationsPolicyRead(d *schema.ResourceData, meta interface{}
 	d.Set("description", resp.Policy.PolicySummary.Description)
 	d.Set("name", resp.Policy.PolicySummary.Name)
 	d.Set("type", resp.Policy.PolicySummary.Type)
+
+	tags, err := keyvaluetags.OrganizationsListTags(conn, d.Id())
+	if err != nil {
+		return fmt.Errorf("error listing tags: %s", err)
+	}
+
+	if err := d.Set("tags", tags.IgnoreAws().IgnoreConfig(ignoreTagsConfig).Map()); err != nil {
+		return fmt.Errorf("error setting tags: %s", err)
+	}
+
 	return nil
 }
 
@@ -158,6 +172,13 @@ func resourceAwsOrganizationsPolicyUpdate(d *schema.ResourceData, meta interface
 		return fmt.Errorf("error updating Organizations Policy: %s", err)
 	}
 
+	if d.HasChange("tags") {
+		o, n := d.GetChange("tags")
+		if err := keyvaluetags.OrganizationsUpdateTags(conn, d.Id(), o, n); err != nil {
+			return fmt.Errorf("error updating tags: %s", err)
+		}
+	}
+
 	return resourceAwsOrganizationsPolicyRead(d, meta)
 }
 

aws/resource_aws_organizations_policy_test.go

@@ -113,6 +113,58 @@ func testAccAwsOrganizationsPolicy_description(t *testing.T) {
 	})
 }
 
+func testAccAwsOrganizationsPolicy_tags(t *testing.T) {
+	var p1, p2, p3, p4 organizations.Policy
+	rName := acctest.RandomWithPrefix("tf-acc-test")
+	resourceName := "aws_organizations_policy.test"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t); testAccOrganizationsAccountPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAwsOrganizationsPolicyDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAwsOrganizationsPolicyConfig_TagA(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAwsOrganizationsPolicyExists(resourceName, &p1),
+					resource.TestCheckResourceAttr(resourceName, "tags.%", "2"),
+					resource.TestCheckResourceAttr(resourceName, "tags.TerraformProviderAwsTest", "true"),
+					resource.TestCheckResourceAttr(resourceName, "tags.Alpha", "1"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccAwsOrganizationsPolicyConfig_TagB(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAwsOrganizationsPolicyExists(resourceName, &p2),
+					resource.TestCheckResourceAttr(resourceName, "tags.%", "2"),
+					resource.TestCheckResourceAttr(resourceName, "tags.TerraformProviderAwsTest", "true"),
+					resource.TestCheckResourceAttr(resourceName, "tags.Beta", "1"),
+				),
+			},
+			{
+				Config: testAccAwsOrganizationsPolicyConfig_TagC(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAwsOrganizationsPolicyExists(resourceName, &p3),
+					resource.TestCheckResourceAttr(resourceName, "tags.%", "1"),
+					resource.TestCheckResourceAttr(resourceName, "tags.TerraformProviderAwsTest", "true"),
+				),
+			},
+			{
+				Config: testAccAwsOrganizationsPolicyConfig_NoTag(rName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAwsOrganizationsPolicyExists(resourceName, &p4),
+					resource.TestCheckResourceAttr(resourceName, "tags.%", "0"),
+				),
+			},
+		},
+	})
+}
+
 func testAccAwsOrganizationsPolicy_type_AI_OPT_OUT(t *testing.T) {
 	var policy organizations.Policy
 	rName := acctest.RandomWithPrefix("tf-acc-test")
@@ -383,6 +435,112 @@ EOF
 `, description, rName)
 }
 
+func testAccAwsOrganizationsPolicyConfig_TagA(rName string) string {
+	return fmt.Sprintf(`
+resource "aws_organizations_organization" "test" {}
+
+resource "aws_organizations_policy" "test" {
+  content = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": {
+    "Effect": "Allow",
+    "Action": "*",
+    "Resource": "*"
+  }
+}
+EOF
+
+  name        = "%s"
+
+  depends_on = [aws_organizations_organization.test]
+
+  tags = {
+    TerraformProviderAwsTest = true
+    Alpha                    = 1
+  }
+}
+`, rName)
+}
+
+func testAccAwsOrganizationsPolicyConfig_TagB(rName string) string {
+	return fmt.Sprintf(`
+resource "aws_organizations_organization" "test" {}
+
+resource "aws_organizations_policy" "test" {
+  content = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": {
+    "Effect": "Allow",
+    "Action": "*",
+    "Resource": "*"
+  }
+}
+EOF
+
+  name        = "%s"
+
+  depends_on = [aws_organizations_organization.test]
+
+  tags = {
+    TerraformProviderAwsTest = true
+    Beta                     = 1
+  }
+}
+`, rName)
+}
+
+func testAccAwsOrganizationsPolicyConfig_TagC(rName string) string {
+	return fmt.Sprintf(`
+resource "aws_organizations_organization" "test" {}
+
+resource "aws_organizations_policy" "test" {
+  content = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": {
+    "Effect": "Allow",
+    "Action": "*",
+    "Resource": "*"
+  }
+}
+EOF
+
+  name        = "%s"
+
+  depends_on = [aws_organizations_organization.test]
+
+  tags = {
+    TerraformProviderAwsTest = true
+  }
+}
+`, rName)
+}
+
+func testAccAwsOrganizationsPolicyConfig_NoTag(rName string) string {
+	return fmt.Sprintf(`
+resource "aws_organizations_organization" "test" {}
+
+resource "aws_organizations_policy" "test" {
+  content = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": {
+    "Effect": "Allow",
+    "Action": "*",
+    "Resource": "*"
+  }
+}
+EOF
+
+  name        = "%s"
+
+  depends_on = [aws_organizations_organization.test]
+}
+`, rName)
+}
+
 func testAccAwsOrganizationsPolicyConfig_Required(rName, content string) string {
 	return fmt.Sprintf(`
 resource "aws_organizations_organization" "test" {}

aws/resource_aws_organizations_test.go

@@ -29,6 +29,7 @@ func TestAccAWSOrganizations_serial(t *testing.T) {
 			"basic":           testAccAwsOrganizationsPolicy_basic,
 			"concurrent":      testAccAwsOrganizationsPolicy_concurrent,
 			"Description":     testAccAwsOrganizationsPolicy_description,
+			"Tags":            testAccAwsOrganizationsPolicy_tags,
 			"Type_AI_OPT_OUT": testAccAwsOrganizationsPolicy_type_AI_OPT_OUT,
 			"Type_Backup":     testAccAwsOrganizationsPolicy_type_Backup,
 			"Type_SCP":        testAccAwsOrganizationsPolicy_type_SCP,

website/docs/r/organizations_policy.html.markdown

@@ -37,6 +37,7 @@ The following arguments are supported:
 * `name` - (Required) The friendly name to assign to the policy.
 * `description` - (Optional) A description to assign to the policy.
 * `type` - (Optional) The type of policy to create. Valid values are `AISERVICES_OPT_OUT_POLICY`, `BACKUP_POLICY`, `SERVICE_CONTROL_POLICY` (SCP), and `TAG_POLICY`. Defaults to `SERVICE_CONTROL_POLICY`.
+* `tags` - (Optional) Key-value map of resource tags.
 
 ## Attribute Reference