diff --git a/blueprints/apigee/bigquery-analytics/README.md b/blueprints/apigee/bigquery-analytics/README.md index 027f28ead8..817c39bb24 100644 --- a/blueprints/apigee/bigquery-analytics/README.md +++ b/blueprints/apigee/bigquery-analytics/README.md @@ -76,3 +76,35 @@ Do the following to verify that everything works as expected. | [ip_address](outputs.tf#L17) | IP address. | | +## Test + +```hcl +module "test" { + source = "./fabric/blueprints/apigee/bigquery-analytics" + project_create = { + billing_account_id = "12345-12345-12345" + parent = "folders/123456789" + } + project_id = "my-project" + envgroups = { + test = ["test.cool-demos.space"] + } + environments = { + apis-test = { + envgroups = ["test"] + } + } + instances = { + instance-ew1 = { + region = "europe-west1" + environments = ["apis-test"] + runtime_ip_cidr_range = "10.0.4.0/22" + troubleshooting_ip_cidr_range = "10.1.0.0/28" + } + } + psc_config = { + europe-west1 = "10.0.0.0/28" + } +} +# tftest modules=10 resources=62 +``` diff --git a/blueprints/apigee/hybrid-gke/README.md b/blueprints/apigee/hybrid-gke/README.md index ae5c03648b..05614fac30 100644 --- a/blueprints/apigee/hybrid-gke/README.md +++ b/blueprints/apigee/hybrid-gke/README.md @@ -25,11 +25,11 @@ The diagram below depicts the architecture. terraform apply ``` - Create an A record in your DNS registrar to point the environment group hostname to the public IP address returned after the terraform configuration was applied. You might need to wait some time until the certificate is provisioned. - + Create an A record in your DNS registrar to point the environment group hostname to the public IP address returned after the terraform configuration was applied. You might need to wait some time until the certificate is provisioned. + 5. Install Apigee hybrid using de ansible playbook that is in the ansible folder by running this command - ansible-playbook playbook.yaml -vvvß + ansible-playbook playbook.yaml -vvv ## Testing the blueprint 
@@ -67,3 +67,18 @@ The diagram below depicts the architecture. | [ip_address](outputs.tf#L17) | GLB IP address. | | + +## Test + +```hcl +module "test" { + source = "./fabric/blueprints/apigee/hybrid-gke" + project_create = { + billing_account_id = "12345-12345-12345" + parent = "folders/123456789" + } + project_id = "my-project" + hostname = "test.myorg.org" +} +# tftest modules=18 resources=59 +``` diff --git a/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/README.md b/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/README.md index 690458f03c..0ec240b0f2 100644 --- a/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/README.md +++ b/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/README.md @@ -67,3 +67,17 @@ Do the following to verify that everything works as expected. | [ip_address](outputs.tf#L17) | GLB IP address. | | + +## Test + +```hcl +module "test" { + source = "./fabric/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg" + billing_account_id = "12345-12345-12345" + parent = "folders/123456789" + apigee_project_id = "my-apigee-project" + onprem_project_id = "my-onprem-project" + hostname = "test.myorg.org" +} +# tftest modules=14 resources=73 +``` diff --git a/blueprints/data-solutions/vertex-mlops/README.md b/blueprints/data-solutions/vertex-mlops/README.md index dc2c74cd71..8bb3043ed6 100644 --- a/blueprints/data-solutions/vertex-mlops/README.md +++ b/blueprints/data-solutions/vertex-mlops/README.md @@ -74,6 +74,7 @@ This blueprint can be used as a building block for setting up an end2end ML Ops | [project_id](outputs.tf#L49) | Project ID. | | + ## TODO - Add support for User Managed Notebooks, SA permission option and non default SA for Single User mode. - Improve default naming for local VPC and Cloud NAT 
diff --git a/blueprints/factories/bigquery-factory/README.md b/blueprints/factories/bigquery-factory/README.md index 2cba6e01f9..1e3015ed6d 100644 --- a/blueprints/factories/bigquery-factory/README.md +++ b/blueprints/factories/bigquery-factory/README.md @@ -71,6 +71,7 @@ module "bq" { | [views_path](variables.tf#L27) | Relative path for the folder storing view data. | string | ✓ | | + ## TODO - [ ] add external table support diff --git a/blueprints/factories/cloud-identity-group-factory/README.md b/blueprints/factories/cloud-identity-group-factory/README.md index b833304eb2..318eea2578 100644 --- a/blueprints/factories/cloud-identity-group-factory/README.md +++ b/blueprints/factories/cloud-identity-group-factory/README.md @@ -9,13 +9,22 @@ Yaml abstraction for Groups can simplify groups creation and members management. ### Terraform code ```hcl -module "prod-firewall" { - source = "./fabric/blueprints/factories/cloud-identity-group-factory" - +module "groups" { + source = "./fabric/blueprints/factories/cloud-identity-group-factory" customer_id = "customers/C0xxxxxxx" data_dir = "data" } -# tftest skip +# tftest modules=2 resources=3 files=group1 inventory=example.yaml +``` + +```yaml +# tftest-file id=group1 path=data/group1@example.com.yaml +display_name: Group 1 +description: Group 1 +members: + - user1@example.com +managers: + - user2@example.com ``` ### Configuration Structure diff --git a/blueprints/factories/net-vpc-firewall-yaml/README.md b/blueprints/factories/net-vpc-firewall-yaml/README.md index 5e7260e942..42cd6fad9f 100644 --- a/blueprints/factories/net-vpc-firewall-yaml/README.md +++ b/blueprints/factories/net-vpc-firewall-yaml/README.md @@ -17,8 +17,8 @@ module "prod-firewall" { project_id = "my-prod-project" network = "my-prod-network" config_directories = [ - "./prod", - "./common" + "./firewall/prod", + "./firewall/common" ] log_config = { 
@@ -32,13 +32,86 @@ module "dev-firewall" { project_id = "my-dev-project" network = "my-dev-network" config_directories = [ - "./dev", - "./common" + "./firewall/dev", + "./firewall/common" ] } -# tftest skip +# tftest modules=2 resources=16 files=common,dev,prod inventory=example.yaml ``` +```yaml +# tftest-file id=common path=firewall/common/common.yaml +# allow ingress from GCLB to all instances in the network +lb-health-checks: + allow: + - ports: [] + protocol: tcp + direction: INGRESS + priority: 1001 + source_ranges: + - 35.191.0.0/16 + - 130.211.0.0/22 + +# deny all egress +deny-all: + deny: + - ports: [] + protocol: all + direction: EGRESS + priority: 65535 + destination_ranges: + - 0.0.0.0/0 +``` + +```yaml +# tftest-file id=dev path=firewall/dev/app.yaml +# Myapp egress +web-app-dev-egress: + allow: + - ports: [443] + protocol: tcp + direction: EGRESS + destination_ranges: + - 192.168.0.0/24 + target_service_accounts: + - myapp@myproject-dev.iam.gserviceaccount.com +# Myapp ingress +web-app-dev-ingress: + allow: + - ports: [1234] + protocol: tcp + direction: INGRESS + source_service_accounts: + - frontend-sa@myproject-dev.iam.gserviceaccount.com + target_service_accounts: + - web-app-a@myproject-dev.iam.gserviceaccount.com +``` + +```yaml +# tftest-file id=prod path=firewall/prod/app.yaml +# Myapp egress +web-app-prod-egress: + allow: + - ports: [443] + protocol: tcp + direction: EGRESS + destination_ranges: + - 192.168.10.0/24 + target_service_accounts: + - myapp@myproject-prod.iam.gserviceaccount.com +# Myapp ingress +web-app-prod-ingress: + allow: + - ports: [1234] + protocol: tcp + direction: INGRESS + source_service_accounts: + - frontend-sa@myproject-prod.iam.gserviceaccount.com + target_service_accounts: + - web-app-a@myproject-prod.iam.gserviceaccount.com +``` + + ### Configuration Structure ```bash 
@@ -86,54 +159,6 @@ rule-name: # descriptive name, naming convention is adjusted by the module - myapp@myproject-id.iam.gserviceaccount.com ``` - -Firewall rules example yaml configuration - -```bash -cat ./prod/core-network/common-rules.yaml -# allow ingress from GCLB to all instances in the network -lb-health-checks: - allow: - - ports: [] - protocol: tcp - direction: INGRESS - priority: 1001 - source_ranges: - - 35.191.0.0/16 - - 130.211.0.0/22 - -# deny all egress -deny-all: - deny: - - ports: [] - protocol: all - direction: EGRESS - priority: 65535 - destination_ranges: - - 0.0.0.0/0 - -cat ./dev/team-a/web-app-a.yaml -# Myapp egress -web-app-a-egress: - allow: - - ports: [443] - protocol: tcp - direction: EGRESS - destination_ranges: - - 192.168.0.0/24 - target_service_accounts: - - myapp@myproject-id.iam.gserviceaccount.com -# Myapp ingress -web-app-a-ingress: - allow: - - ports: [1234] - protocol: tcp - direction: INGRESS - source_service_accounts: - - frontend-sa@myproject-id.iam.gserviceaccount.com - target_service_accounts: - - web-app-a@myproject-id.iam.gserviceaccount.com -``` ## Variables diff --git a/blueprints/factories/project-factory/README.md b/blueprints/factories/project-factory/README.md index 2b8c3874e6..18c0b2f407 100644 --- a/blueprints/factories/project-factory/README.md +++ b/blueprints/factories/project-factory/README.md @@ -76,7 +76,7 @@ module "projects" { service_identities_iam = try(each.value.service_identities_iam, {}) vpc = try(each.value.vpc, null) } -# tftest modules=7 resources=29 +# tftest modules=7 resources=30 inventory=example.yaml ``` ### Projects configuration diff --git a/blueprints/factories/project-factory/main.tf b/blueprints/factories/project-factory/main.tf index 518d5a69c4..9dbe1721f5 100644 --- a/blueprints/factories/project-factory/main.tf +++ b/blueprints/factories/project-factory/main.tf 
@@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2023 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/blueprints/factories/project-factory/sample-data/projects/project.yaml b/blueprints/factories/project-factory/sample-data/projects/project.yaml index 0344991380..8c86d98953 100644 --- a/blueprints/factories/project-factory/sample-data/projects/project.yaml +++ b/blueprints/factories/project-factory/sample-data/projects/project.yaml @@ -44,7 +44,8 @@ kms_service_agents: # [opt] Labels for the project - merged with the ones defined in defaults labels: - environment: dev + environment: dev2 + costcenter: apps # [opt] Org policy overrides defined at project level org_policies: @@ -67,7 +68,7 @@ service_accounts: another-service-account: - roles/compute.admin my-service-account: - - roles/compute.admin + - roles/compute.adminv1 # [opt] APIs to enable on the project. services: @@ -100,4 +101,4 @@ vpc: subnets_iam: europe-west1/dev-default-ew1: - user:foobar@example.com - - serviceAccount:service-account1 + - serviceAccount:my-service-account diff --git a/tests/blueprints/apigee/bigquery-analytics/__init__.py b/tests/blueprints/apigee/bigquery-analytics/__init__.py deleted file mode 100644 index 6d6d1266c3..0000000000 --- a/tests/blueprints/apigee/bigquery-analytics/__init__.py +++ /dev/null 
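Review bot: `roles/compute.adminv1` in the `my-service-account` entry of the `@@ -67,7 +68,7 @@` hunk of sample-data/projects/project.yaml does not look like a predefined IAM role (I cannot find one by that name), so anyone who copies this sample into a real project-factory run would presumably hit an apply-time error on that binding rather than get a working project. If the purpose is to give the two service accounts distinct bindings so the inventory counts them separately (the README count moves from 29 to 30 in the same commit), a real, narrower role keeps the sample applyable and stops the sample from teaching two compute-admin grants as the default, e.g. `- roles/compute.viewer`. The `@@ -100,4 +101,4 @@` hunk switches the subnet IAM principal to `serviceAccount:my-service-account`, which is the local key of a service account defined earlier in the same file rather than a full email; presumably the factory resolves such keys, but a one-line comment above `subnets_iam` such as `# local service account keys from service_accounts above are accepted here` would save the next reader a trip into main.tf to confirm that.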
@@ -1,13 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. diff --git a/tests/blueprints/apigee/bigquery-analytics/basic.tfvars b/tests/blueprints/apigee/bigquery-analytics/basic.tfvars deleted file mode 100644 index 2f9315a439..0000000000 --- a/tests/blueprints/apigee/bigquery-analytics/basic.tfvars +++ /dev/null @@ -1,24 +0,0 @@ -project_create = { - billing_account_id = "12345-12345-12345" - parent = "folders/123456789" -} -project_id = "my-project" -envgroups = { - test = ["test.cool-demos.space"] -} -environments = { - apis-test = { - envgroups = ["test"] - } -} -instances = { - instance-ew1 = { - region = "europe-west1" - environments = ["apis-test"] - runtime_ip_cidr_range = "10.0.4.0/22" - troubleshooting_ip_cidr_range = "10.1.0.0/28" - } -} -psc_config = { - europe-west1 = "10.0.0.0/28" -} diff --git a/tests/blueprints/apigee/bigquery-analytics/basic.yaml b/tests/blueprints/apigee/bigquery-analytics/basic.yaml deleted file mode 100644 index 691af456b1..0000000000 --- a/tests/blueprints/apigee/bigquery-analytics/basic.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -counts: - modules: 9 - resources: 62 diff --git a/tests/blueprints/apigee/bigquery-analytics/tftest.yaml b/tests/blueprints/apigee/bigquery-analytics/tftest.yaml deleted file mode 100644 index a3441f5596..0000000000 --- a/tests/blueprints/apigee/bigquery-analytics/tftest.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -module: blueprints/apigee/bigquery-analytics - -tests: - basic: diff --git a/tests/blueprints/apigee/hybrid-gke/__init__.py b/tests/blueprints/apigee/hybrid-gke/__init__.py deleted file mode 100644 index 6d6d1266c3..0000000000 --- a/tests/blueprints/apigee/hybrid-gke/__init__.py +++ /dev/null 
@@ -1,13 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. diff --git a/tests/blueprints/apigee/hybrid-gke/basic.tfvars b/tests/blueprints/apigee/hybrid-gke/basic.tfvars deleted file mode 100644 index 5b2cb4ccf6..0000000000 --- a/tests/blueprints/apigee/hybrid-gke/basic.tfvars +++ /dev/null @@ -1,6 +0,0 @@ -project_create = { - billing_account_id = "12345-12345-12345" - parent = "folders/123456789" -} -project_id = "my-project" -hostname = "test.myorg.org" \ No newline at end of file diff --git a/tests/blueprints/apigee/hybrid-gke/basic.yaml b/tests/blueprints/apigee/hybrid-gke/basic.yaml deleted file mode 100644 index 0bab564189..0000000000 --- a/tests/blueprints/apigee/hybrid-gke/basic.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -counts: - modules: 17 - resources: 59 
diff --git a/tests/blueprints/apigee/hybrid-gke/tftest.yaml b/tests/blueprints/apigee/hybrid-gke/tftest.yaml deleted file mode 100644 index ebe16e577e..0000000000 --- a/tests/blueprints/apigee/hybrid-gke/tftest.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -module: blueprints/apigee/hybrid-gke - -tests: - basic: diff --git a/tests/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/__init__.py b/tests/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/__init__.py deleted file mode 100644 index 6d6d1266c3..0000000000 --- a/tests/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/__init__.py +++ /dev/null @@ -1,13 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
diff --git a/tests/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/basic.tfvars b/tests/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/basic.tfvars deleted file mode 100644 index ae07c514fd..0000000000 --- a/tests/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/basic.tfvars +++ /dev/null @@ -1,5 +0,0 @@ -billing_account_id = "12345-12345-12345" -parent = "folders/123456789" -apigee_project_id = "my-apigee-project" -onprem_project_id = "my-onprem-project" -hostname = "test.myorg.org" diff --git a/tests/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/basic.yaml b/tests/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/basic.yaml deleted file mode 100644 index de461ff2ea..0000000000 --- a/tests/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/basic.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -counts: - modules: 13 - resources: 73 diff --git a/tests/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/tftest.yaml b/tests/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/tftest.yaml deleted file mode 100644 index 5c92fb82ae..0000000000 --- a/tests/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/tftest.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -module: blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg - -tests: - basic: diff --git a/tests/blueprints/factories/cloud_identity_group_factory/__init__.py b/tests/blueprints/factories/cloud_identity_group_factory/__init__.py deleted file mode 100644 index 6d6d1266c3..0000000000 --- a/tests/blueprints/factories/cloud_identity_group_factory/__init__.py +++ /dev/null @@ -1,13 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. diff --git a/tests/blueprints/factories/cloud_identity_group_factory/examples/example.yaml b/tests/blueprints/factories/cloud_identity_group_factory/examples/example.yaml new file mode 100644 index 0000000000..1a8db1b593 --- /dev/null +++ b/tests/blueprints/factories/cloud_identity_group_factory/examples/example.yaml 
@@ -0,0 +1,42 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + module.groups.module.group["group1@example.com"].google_cloud_identity_group.group: + description: Group 1 + display_name: Group 1 + group_key: + - id: group1@example.com + namespace: null + initial_group_config: EMPTY + labels: + cloudidentity.googleapis.com/groups.discussion_forum: '' + parent: customers/C0xxxxxxx + module.groups.module.group["group1@example.com"].google_cloud_identity_group_membership.managers["user2@example.com"]: + preferred_member_key: + - id: user2@example.com + namespace: null + roles: + - name: MANAGER + - name: MEMBER + module.groups.module.group["group1@example.com"].google_cloud_identity_group_membership.members["user1@example.com"]: + preferred_member_key: + - id: user1@example.com + namespace: null + roles: + - name: MEMBER + +counts: + google_cloud_identity_group: 1 + google_cloud_identity_group_membership: 2 diff --git a/tests/blueprints/factories/cloud_identity_group_factory/fixture/data/group1@example.com.yaml b/tests/blueprints/factories/cloud_identity_group_factory/fixture/data/group1@example.com.yaml deleted file mode 100644 index 98bdcb8e1e..0000000000 --- a/tests/blueprints/factories/cloud_identity_group_factory/fixture/data/group1@example.com.yaml +++ /dev/null 
@@ -1,8 +0,0 @@ -# skip boilerplate check - -display_name: Group 1 -description: Group 1 -members: - - user1@example.com -managers: - - user2@example.com \ No newline at end of file diff --git a/tests/blueprints/factories/cloud_identity_group_factory/fixture/main.tf b/tests/blueprints/factories/cloud_identity_group_factory/fixture/main.tf deleted file mode 100644 index 4f56c63c22..0000000000 --- a/tests/blueprints/factories/cloud_identity_group_factory/fixture/main.tf +++ /dev/null @@ -1,21 +0,0 @@ -/** - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -module "test" { - source = "../../../../../blueprints/factories/cloud-identity-group-factory/" - customer_id = "customers/C01234567" - data_dir = "data" -} diff --git a/tests/blueprints/factories/cloud_identity_group_factory/test_plan.py b/tests/blueprints/factories/cloud_identity_group_factory/test_plan.py deleted file mode 100644 index 7de10b1a5f..0000000000 --- a/tests/blueprints/factories/cloud_identity_group_factory/test_plan.py +++ /dev/null 
@@ -1,19 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -def test_resources(e2e_plan_runner): - "Test that plan works and the numbers of resources is as expected." - modules, resources = e2e_plan_runner() - assert len(modules) == 1 - assert len(resources) == 3 diff --git a/tests/blueprints/factories/net_vpc_firewall_yaml/__init__.py b/tests/blueprints/factories/net_vpc_firewall_yaml/__init__.py deleted file mode 100644 index 6d6d1266c3..0000000000 --- a/tests/blueprints/factories/net_vpc_firewall_yaml/__init__.py +++ /dev/null @@ -1,13 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. diff --git a/tests/blueprints/factories/net_vpc_firewall_yaml/examples/example.yaml b/tests/blueprints/factories/net_vpc_firewall_yaml/examples/example.yaml new file mode 100644 index 0000000000..c2375ae574 --- /dev/null +++ b/tests/blueprints/factories/net_vpc_firewall_yaml/examples/example.yaml 
@@ -0,0 +1,188 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + module.dev-firewall.google_compute_firewall.rules["deny-all"]: + allow: [] + deny: + - ports: [] + protocol: all + destination_ranges: + - 0.0.0.0/0 + direction: EGRESS + disabled: null + log_config: [] + name: fwr-my-dev-network-all-e-deny-all + network: my-dev-network + priority: 65535 + project: my-dev-project + source_ranges: null + source_service_accounts: null + source_tags: null + target_service_accounts: null + target_tags: null + timeouts: null + module.dev-firewall.google_compute_firewall.rules["lb-health-checks"]: + allow: + - ports: [] + protocol: tcp + deny: [] + direction: INGRESS + disabled: null + log_config: [] + name: fwr-my-dev-network-all-i-lb-health-checks + network: my-dev-network + priority: 1001 + project: my-dev-project + source_ranges: + - 130.211.0.0/22 + - 35.191.0.0/16 + source_service_accounts: null + source_tags: null + target_service_accounts: null + target_tags: null + timeouts: null + module.dev-firewall.google_compute_firewall.rules["web-app-dev-egress"]: + allow: + - ports: + - '443' + protocol: tcp + deny: [] + destination_ranges: + - 192.168.0.0/24 + direction: EGRESS + disabled: null + log_config: [] + name: fwr-my-dev-network-sac-e-web-app-dev-egress + network: my-dev-network + priority: 1000 + project: my-dev-project + source_ranges: null + source_service_accounts: null + source_tags: null + target_service_accounts: + - 
myapp@myproject-dev.iam.gserviceaccount.com + target_tags: null + timeouts: null + module.dev-firewall.google_compute_firewall.rules["web-app-dev-ingress"]: + allow: + - ports: + - '1234' + protocol: tcp + deny: [] + direction: INGRESS + disabled: null + log_config: [] + name: fwr-my-dev-network-sac-i-web-app-dev-ingress + network: my-dev-network + priority: 1000 + project: my-dev-project + source_ranges: null + source_service_accounts: + - frontend-sa@myproject-dev.iam.gserviceaccount.com + source_tags: null + target_service_accounts: + - web-app-a@myproject-dev.iam.gserviceaccount.com + target_tags: null + timeouts: null + module.prod-firewall.google_compute_firewall.rules["deny-all"]: + allow: [] + deny: + - ports: [] + protocol: all + destination_ranges: + - 0.0.0.0/0 + direction: EGRESS + disabled: null + log_config: + - metadata: INCLUDE_ALL_METADATA + name: fwr-my-prod-network-all-e-deny-all + network: my-prod-network + priority: 65535 + project: my-prod-project + source_ranges: null + source_service_accounts: null + source_tags: null + target_service_accounts: null + target_tags: null + timeouts: null + module.prod-firewall.google_compute_firewall.rules["lb-health-checks"]: + allow: + - ports: [] + protocol: tcp + deny: [] + direction: INGRESS + disabled: null + log_config: + - metadata: INCLUDE_ALL_METADATA + name: fwr-my-prod-network-all-i-lb-health-checks + network: my-prod-network + priority: 1001 + project: my-prod-project + source_ranges: + - 130.211.0.0/22 + - 35.191.0.0/16 + source_service_accounts: null + source_tags: null + target_service_accounts: null + target_tags: null + timeouts: null + module.prod-firewall.google_compute_firewall.rules["web-app-prod-egress"]: + allow: + - ports: + - '443' + protocol: tcp + deny: [] + destination_ranges: + - 192.168.10.0/24 + direction: EGRESS + disabled: null + log_config: + - metadata: INCLUDE_ALL_METADATA + name: fwr-my-prod-network-sac-e-web-app-prod-egress + network: my-prod-network + priority: 1000 + 
project: my-prod-project + source_ranges: null + source_service_accounts: null + source_tags: null + target_service_accounts: + - myapp@myproject-prod.iam.gserviceaccount.com + target_tags: null + timeouts: null + module.prod-firewall.google_compute_firewall.rules["web-app-prod-ingress"]: + allow: + - ports: + - '1234' + protocol: tcp + deny: [] + direction: INGRESS + disabled: null + log_config: + - metadata: INCLUDE_ALL_METADATA + name: fwr-my-prod-network-sac-i-web-app-prod-ingress + network: my-prod-network + priority: 1000 + project: my-prod-project + source_ranges: null + source_service_accounts: + - frontend-sa@myproject-prod.iam.gserviceaccount.com + source_tags: null + target_service_accounts: + - web-app-a@myproject-prod.iam.gserviceaccount.com + target_tags: null + timeouts: null + +counts: + google_compute_firewall: 8 diff --git a/tests/blueprints/factories/net_vpc_firewall_yaml/fixture/main.tf b/tests/blueprints/factories/net_vpc_firewall_yaml/fixture/main.tf deleted file mode 100644 index 22956f4018..0000000000 --- a/tests/blueprints/factories/net_vpc_firewall_yaml/fixture/main.tf +++ /dev/null @@ -1,25 +0,0 @@ -/** - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -module "firewall" { - source = "../../../../../blueprints/factories/net-vpc-firewall-yaml" - project_id = "my-project" - network = "my-network" - config_directories = [ - "./rules" - ] - log_config = var.log_config -} 
diff --git a/tests/blueprints/factories/net_vpc_firewall_yaml/fixture/rules/common.yaml b/tests/blueprints/factories/net_vpc_firewall_yaml/fixture/rules/common.yaml deleted file mode 100644 index cbe8466f01..0000000000 --- a/tests/blueprints/factories/net_vpc_firewall_yaml/fixture/rules/common.yaml +++ /dev/null @@ -1,34 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# allow ingress from GCLB to all instances in the network -lb-health-checks: - allow: - - ports: [] - protocol: tcp - direction: INGRESS - priority: 1001 - source_ranges: - - 35.191.0.0/16 - - 130.211.0.0/22 - -# deny all egress -deny-all: - deny: - - ports: [] - protocol: all - direction: EGRESS - priority: 65535 - destination_ranges: - - 0.0.0.0/0 diff --git a/tests/blueprints/factories/net_vpc_firewall_yaml/fixture/variables.tf b/tests/blueprints/factories/net_vpc_firewall_yaml/fixture/variables.tf deleted file mode 100644 index 018289febb..0000000000 --- a/tests/blueprints/factories/net_vpc_firewall_yaml/fixture/variables.tf +++ /dev/null 
@@ -1,23 +0,0 @@
-/**
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-variable "log_config" {
- description = "Log configuration. Possible values for `metadata` are `EXCLUDE_ALL_METADATA` and `INCLUDE_ALL_METADATA`. Set to `null` for disabling firewall logging."
- type = object({
- metadata = string
- })
- default = null
-}
diff --git a/tests/blueprints/factories/net_vpc_firewall_yaml/test_plan.py b/tests/blueprints/factories/net_vpc_firewall_yaml/test_plan.py
deleted file mode 100644
index 80205e57fc..0000000000
--- a/tests/blueprints/factories/net_vpc_firewall_yaml/test_plan.py
+++ /dev/null
@@ -1,42 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-def test_firewall_simple(plan_runner):
- "Test firewall rules from rules/common.yaml with no extra options."
- _, resources = plan_runner()
- assert len(resources) == 4
- assert set(r['type'] for r in resources) == set([
- 'google_compute_firewall', 'time_static'
- ])
- firewall_values = [r['values'] for r in resources if r['type']
- == 'google_compute_firewall']
- assert set([f['project'] for f in firewall_values]) == set(['my-project'])
- assert set([f['network'] for f in firewall_values]) == set(['my-network'])
-
-
-def test_firewall_log_config(plan_runner):
- "Test firewall rules log configuration."
- log_config = """ {
- metadata = "INCLUDE_ALL_METADATA"
- }
- """
- log_config_value = [{"metadata": "INCLUDE_ALL_METADATA"}]
- _, resources = plan_runner(log_config=log_config)
- assert len(resources) == 4
- assert set(r['type'] for r in resources) == set([
- 'google_compute_firewall', 'time_static'
- ])
- firewall_values = [r['values'] for r in resources if r['type']
- == 'google_compute_firewall']
- assert all(f['log_config'] == log_config_value for f in firewall_values)
diff --git a/tests/blueprints/factories/project_factory/__init__.py b/tests/blueprints/factories/project_factory/__init__.py
deleted file mode 100644
index 6d6d1266c3..0000000000
--- a/tests/blueprints/factories/project_factory/__init__.py
+++ /dev/null
@@ -1,13 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
diff --git a/tests/blueprints/factories/project_factory/fixture/defaults.yaml b/tests/blueprints/factories/project_factory/fixture/defaults.yaml
deleted file mode 100644
index 61837818f1..0000000000
--- a/tests/blueprints/factories/project_factory/fixture/defaults.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-# skip boilerplate check
-
-billing_account_id: 012345-67890A-BCDEF0
-
-# [opt] Setup for billing alerts
-billing_alert:
- amount: 1000
- thresholds:
- current: [0.5, 0.8]
- forecasted: [0.5, 0.8]
- credit_treatment: INCLUDE_ALL_CREDITS
-
-# [opt] Contacts for billing alerts and important notifications
-essential_contacts: ["team-contacts@example.com"]
-
-# [opt] Labels set for all projects
-labels:
- environment: prod
- department: accounting
- application: example-app
- foo: bar
-
-# [opt] Additional notification channels for billing
-notification_channels: []
-prefix: test
diff --git a/tests/blueprints/factories/project_factory/fixture/main.tf b/tests/blueprints/factories/project_factory/fixture/main.tf
deleted file mode 100644
index ae686b9350..0000000000
--- a/tests/blueprints/factories/project_factory/fixture/main.tf
+++ /dev/null
@@ -1,52 +0,0 @@
-/**
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-locals {
- _defaults = yamldecode(file(var.defaults_file))
- _defaults_net = {
- billing_account_id = var.billing_account_id
- environment_dns_zone = var.environment_dns_zone
- shared_vpc_self_link = var.shared_vpc_self_link
- vpc_host_project = var.vpc_host_project
- }
- defaults = merge(local._defaults, local._defaults_net)
- projects = {
- for f in fileset("${var.data_dir}", "**/*.yaml") :
- trimsuffix(f, ".yaml") => yamldecode(file("${var.data_dir}/${f}"))
- }
-}
-
-module "projects" {
- source = "../../../../../blueprints/factories/project-factory"
- for_each = local.projects
- defaults = local.defaults
- project_id = each.key
- billing_account_id = try(each.value.billing_account_id, null)
- billing_alert = try(each.value.billing_alert, null)
- dns_zones = try(each.value.dns_zones, [])
- essential_contacts = try(each.value.essential_contacts, [])
- folder_id = each.value.folder_id
- group_iam = try(each.value.group_iam, {})
- iam = try(each.value.iam, {})
- kms_service_agents = try(each.value.kms, {})
- labels = try(each.value.labels, {})
- org_policies = try(each.value.org_policies, null)
- prefix = each.value.prefix
- service_accounts = try(each.value.service_accounts, {})
- services = try(each.value.services, [])
- service_identities_iam = try(each.value.service_identities_iam, {})
- vpc = try(each.value.vpc, null)
-}
diff --git a/tests/blueprints/factories/project_factory/fixture/projects/project.yaml b/tests/blueprints/factories/project_factory/fixture/projects/project.yaml
deleted file mode 100644
index a158198484..0000000000
--- a/tests/blueprints/factories/project_factory/fixture/projects/project.yaml
+++ /dev/null
@@ -1,104 +0,0 @@
-# skip boilerplate check
-
-# [opt] Billing account id - overrides default if set
-billing_account_id: 012345-67890A-BCDEF0
-
-# [opt] Billing alerts config - overrides default if set
-billing_alert:
- amount: 10
- thresholds:
- current:
- - 0.5
- - 0.8
- forecasted: []
- credit_treatment: INCLUDE_ALL_CREDITS
-
-# [opt] DNS zones to be created as children of the environment_dns_zone defined in defaults
-dns_zones:
- - lorem
- - ipsum
-
-# [opt] Contacts for billing alerts and important notifications
-essential_contacts:
- - team-a-contacts@example.com
-
-# Folder the project will be created as children of
-folder_id: folders/012345678901
-
-# [opt] Authoritative IAM bindings in group => [roles] format
-group_iam:
- test-team-foobar@fast-lab-0.gcp-pso-italy.net:
- - roles/compute.admin
-
-# [opt] Authoritative IAM bindings in role => [principals] format
-# Generally used to grant roles to service accounts external to the project
-iam:
- roles/compute.admin:
- - serviceAccount:service-account
-
-# [opt] Service robots and keys they will be assigned as cryptoKeyEncrypterDecrypter
-# in service => [keys] format
-kms_service_agents:
- compute: [key1, key2]
- storage: [key1, key2]
-
-# [opt] Labels for the project - merged with the ones defined in defaults
-labels:
- environment: prod
-
-# [opt] Org policy overrides defined at project level
-org_policies:
- policy_boolean:
- constraints/compute.disableGuestAttributesAccess: true
- policy_list:
- constraints/compute.trustedImageProjects:
- inherit_from_parent: null
- status: true
- suggested_value: null
- values:
- - projects/fast-prod-iac-core-0
-
-# [opt] Prefix - overrides default if set
-prefix: test1
-
-# [opt] Service account to create for the project and their roles on the project
-# in name => [roles] format
-service_accounts:
- another-service-account:
- - roles/compute.admin
- my-service-account:
- - roles/compute.admin
-
-# [opt] APIs to enable on the project.
-services:
- - storage.googleapis.com
- - stackdriver.googleapis.com
- - compute.googleapis.com
-
-# [opt] Roles to assign to the service identities in service => [roles] format
-service_identities_iam:
- compute:
- - roles/storage.objectViewer
-
- # [opt] VPC setup.
- # If set enables the `compute.googleapis.com` service and configures
- # service project attachment
-vpc:
- # [opt] If set, enables the container API
- gke_setup:
- # Grants "roles/container.hostServiceAgentUser" to the container robot if set
- enable_host_service_agent: false
-
- # Grants "roles/compute.securityAdmin" to the container robot if set
- enable_security_admin: true
-
- # Host project the project will be service project of
- host_project: fast-prod-net-spoke-0
-
- # [opt] Subnets in the host project where principals will be granted networkUser
- # in region/subnet-name => [principals]
- subnets_iam:
- europe-west1/prod-default-ew1:
- - user:foobar@example.com
- - serviceAccount:service-account1@example.com
- - my-service-account
diff --git a/tests/blueprints/factories/project_factory/fixture/variables.tf b/tests/blueprints/factories/project_factory/fixture/variables.tf
deleted file mode 100644
index d0d6759bad..0000000000
--- a/tests/blueprints/factories/project_factory/fixture/variables.tf
+++ /dev/null
@@ -1,64 +0,0 @@
-/**
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-variable "billing_account_id" {
- description = "Billing account id."
- type = string
- default = "012345-67890A-BCDEF0"
-}
-
-variable "data_dir" {
- description = "Relative path for the folder storing configuration data."
- type = string
- default = "./projects/"
-}
-
-variable "environment_dns_zone" {
- description = "DNS zone suffix for environment."
- type = string
- default = "prod.gcp.example.com"
-}
-
-variable "defaults_file" {
- description = "Relative path for the file storing the project factory configuration."
- type = string
- default = "./defaults.yaml"
-}
-
-variable "service_accounts" {
- description = "Service accounts to be created, and roles assigned them on the project."
- type = map(list(string))
- default = {}
-}
-
-variable "service_accounts_iam" {
- description = "IAM bindings on service account resources. Format is KEY => {ROLE => [MEMBERS]}"
- type = map(map(list(string)))
- default = {}
- nullable = false
-}
-
-variable "shared_vpc_self_link" {
- description = "Self link for the shared VPC."
- type = string
- default = "self-link"
-}
-
-variable "vpc_host_project" {
- description = "Host project for the shared VPC."
- type = string
- default = "host-project"
-}
diff --git a/tests/blueprints/factories/project_factory/test_plan.py b/tests/blueprints/factories/project_factory/test_plan.py
deleted file mode 100644
index 4c8e86412c..0000000000
--- a/tests/blueprints/factories/project_factory/test_plan.py
+++ /dev/null
@@ -1,36 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-def test_plan(e2e_plan_runner):
- "Check for a clean plan"
- modules, resources = e2e_plan_runner()
- assert len(modules) > 0 and len(resources) > 0
-
-
-def test_plan_service_accounts(e2e_plan_runner):
- "Check for a clean plan"
- service_accounts = '''{
- sa-001 = []
- sa-002 = ["roles/owner"]
- }'''
- service_accounts_iam = '''{
- sa-002 = {
- "roles/iam.serviceAccountTokenCreator" = ["group:team-1@example.com"]
- }
- }'''
- modules, resources = e2e_plan_runner(
- service_accounts=service_accounts,
- service_accounts_iam=service_accounts_iam)
- assert len(modules) > 0 and len(resources) > 0
diff --git a/tests/examples/test_plan.py b/tests/examples/test_plan.py
index 261276f737..b12d82fcef 100644
--- a/tests/examples/test_plan.py
+++ b/tests/examples/test_plan.py
@@ -18,7 +18,7 @@ BASE_PATH = Path(__file__).parent
 COUNT_TEST_RE = re.compile(r'# tftest +modules=(\d+) +resources=(\d+)' +
- r'(?: +files=([\w,_-]+))?' +
+ r'(?: +files=([\w@,_-]+))?' +
 r'(?: +inventory=([\w\-.]+))?')
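Review bot: The widened class on the added `files=` line, `[\w@,_-]+`, still lists `_`, which `\w` already matches, so `[\w@,-]+` expresses the same thing without the redundant member; more importantly nothing in the module says what the newly allowed `@` is for. A one-line comment above COUNT_TEST_RE such as `# files= is a comma-separated list of fixture names; '@' is permitted in a name` (reworded to whatever the names actually are) would save the next reader from re-deriving it from callers. Since the captured token presumably ends up in a filesystem path, keeping `/` and `.` out of the class looks deliberate and is worth stating in that same comment so a future widening does not quietly allow traversal-shaped names. The surrounding module continues outside the hunk.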
diff --git a/tests/modules/project_factory/examples/example.yaml b/tests/modules/project_factory/examples/example.yaml
new file mode 100644
index 0000000000..fc166a0e68
--- /dev/null
+++ b/tests/modules/project_factory/examples/example.yaml
@@ -0,0 +1,235 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This is one of the few modules where it actually makes sense to be
+# very verbose with values
+
+values:
+ module.projects["project"].google_compute_subnetwork_iam_member.default["dev-default-ew1:serviceAccount:my-service-account"]:
+ condition: []
+ member: serviceAccount:my-service-account
+ project: fast-dev-net-spoke-0
+ region: europe-west1
+ role: roles/compute.networkUser
+ subnetwork: projects/fast-dev-net-spoke-0/regions/europe-west1/subnetworks/dev-default-ew1
+ module.projects["project"].google_compute_subnetwork_iam_member.default["dev-default-ew1:user:foobar@example.com"]:
+ condition: []
+ member: user:foobar@example.com
+ project: fast-dev-net-spoke-0
+ region: europe-west1
+ role: roles/compute.networkUser
+ subnetwork: projects/fast-dev-net-spoke-0/regions/europe-west1/subnetworks/dev-default-ew1
+ module.projects["project"].module.billing-alert["1"].google_billing_budget.budget:
+ all_updates_rule:
+ - disable_default_iam_recipients: false
+ pubsub_topic: null
+ schema_version: '1.0'
+ amount:
+ - last_period_amount: null
+ specified_amount:
+ - nanos: null
+ units: '10'
+ billing_account: 012345-67890A-BCDEF0
+ budget_filter:
+ - calendar_period: null
+ credit_types_treatment: INCLUDE_ALL_CREDITS
+ custom_period: []
+ display_name: test1-project budget
+ threshold_rules:
+ - spend_basis: CURRENT_SPEND
+ threshold_percent: 0.5
+ - spend_basis: 
CURRENT_SPEND
+ threshold_percent: 0.8
+ module.projects["project"].module.billing-alert["1"].google_monitoring_notification_channel.email_channels["team-a-contacts@example.com"]:
+ display_name: test1-project budget budget email notification (team-a-contacts@example.com)
+ labels:
+ email_address: team-a-contacts@example.com
+ project: test1-project
+ sensitive_labels: []
+ type: email
+ module.projects["project"].module.billing-alert["1"].google_monitoring_notification_channel.email_channels["team-contacts@example.com"]:
+ display_name: test1-project budget budget email notification (team-contacts@example.com)
+ labels:
+ email_address: team-contacts@example.com
+ project: test1-project
+ sensitive_labels: []
+ type: email
+ module.projects["project"].module.dns["ipsum"].google_dns_managed_zone.non-public[0]:
+ dns_name: ipsum.dev.example.org
+ name: ipsum
+ private_visibility_config:
+ - gke_clusters: []
+ networks:
+ - network_url: projects/foo/networks/bar
+ project: fast-dev-net-spoke-0
+ visibility: private
+ module.projects["project"].module.dns["lorem"].google_dns_managed_zone.non-public[0]:
+ dns_name: lorem.dev.example.org
+ name: lorem
+ private_visibility_config:
+ - gke_clusters: []
+ networks:
+ - network_url: projects/foo/networks/bar
+ project: fast-dev-net-spoke-0
+ module.projects["project"].module.project.google_compute_shared_vpc_service_project.shared_vpc_service[0]:
+ host_project: fast-dev-net-spoke-0
+ service_project: test1-project
+ module.projects["project"].module.project.google_essential_contacts_contact.contact["team-a-contacts@example.com"]:
+ email: team-a-contacts@example.com
+ language_tag: en
+ notification_category_subscriptions:
+ - ALL
+ parent: projects/test1-project
+ module.projects["project"].module.project.google_essential_contacts_contact.contact["team-contacts@example.com"]:
+ email: team-contacts@example.com
+ language_tag: en
+ notification_category_subscriptions:
+ - ALL
+ parent: projects/test1-project
+ 
module.projects["project"].module.project.google_org_policy_policy.default["constraints/compute.disableGuestAttributesAccess"]:
+ name: projects/test1-project/policies/constraints/compute.disableGuestAttributesAccess
+ parent: projects/test1-project
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ values: []
+ module.projects["project"].module.project.google_org_policy_policy.default["constraints/compute.trustedImageProjects"]:
+ name: projects/test1-project/policies/constraints/compute.trustedImageProjects
+ parent: projects/test1-project
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: null
+ values:
+ - allowed_values:
+ - projects/fast-dev-iac-core-0
+ denied_values: null
+ module.projects["project"].module.project.google_org_policy_policy.default["constraints/compute.vmExternalIpAccess"]:
+ name: projects/test1-project/policies/constraints/compute.vmExternalIpAccess
+ parent: projects/test1-project
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: 'TRUE'
+ enforce: null
+ values: []
+ module.projects["project"].module.project.google_project.project[0]:
+ auto_create_network: false
+ billing_account: 012345-67890A-BCDEF0
+ folder_id: 012345678901
+ labels:
+ application: example-app
+ costcenter: apps
+ department: accounting
+ environment: dev
+ foo: bar
+ name: test1-project
+ org_id: null
+ project_id: test1-project
+ skip_delete: false
+ module.projects["project"].module.project.google_project_iam_binding.authoritative["roles/compute.admin"]:
+ condition: []
+ project: test1-project
+ role: roles/compute.admin
+ module.projects["project"].module.project.google_project_iam_binding.authoritative["roles/compute.adminv1"]:
+ condition: []
+ project: test1-project
+ role: roles/compute.adminv1
+ 
module.projects["project"].module.project.google_project_iam_binding.authoritative["roles/storage.objectViewer"]:
+ condition: []
+ project: test1-project
+ role: roles/storage.objectViewer
+ module.projects["project"].module.project.google_project_iam_member.shared_vpc_host_robots["roles/compute.networkUser:cloudservices"]:
+ condition: []
+ project: fast-dev-net-spoke-0
+ role: roles/compute.networkUser
+ module.projects["project"].module.project.google_project_iam_member.shared_vpc_host_robots["roles/compute.securityAdmin:container-engine"]:
+ condition: []
+ project: fast-dev-net-spoke-0
+ role: roles/compute.securityAdmin
+ module.projects["project"].module.project.google_project_service.project_services["billingbudgets.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test1-project
+ service: billingbudgets.googleapis.com
+ module.projects["project"].module.project.google_project_service.project_services["compute.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test1-project
+ service: compute.googleapis.com
+ module.projects["project"].module.project.google_project_service.project_services["container.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test1-project
+ service: container.googleapis.com
+ module.projects["project"].module.project.google_project_service.project_services["dns.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test1-project
+ service: dns.googleapis.com
+ module.projects["project"].module.project.google_project_service.project_services["essentialcontacts.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test1-project
+ service: essentialcontacts.googleapis.com
+ module.projects["project"].module.project.google_project_service.project_services["orgpolicy.googleapis.com"]:
+ disable_dependent_services: false
+ 
disable_on_destroy: false
+ project: test1-project
+ service: orgpolicy.googleapis.com
+ module.projects["project"].module.project.google_project_service.project_services["stackdriver.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test1-project
+ service: stackdriver.googleapis.com
+ module.projects["project"].module.project.google_project_service.project_services["storage.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test1-project
+ service: storage.googleapis.com
+ module.projects["project"].module.service-accounts["another-service-account"].google_service_account.service_account[0]:
+ account_id: another-service-account
+ display_name: Terraform-managed.
+ project: test1-project
+ module.projects["project"].module.service-accounts["my-service-account"].google_service_account.service_account[0]:
+ account_id: my-service-account
+ display_name: Terraform-managed.
+ project: test1-project
+
+counts:
+ google_billing_budget: 1
+ google_compute_shared_vpc_service_project: 1
+ google_compute_subnetwork_iam_member: 2
+ google_dns_managed_zone: 2
+ google_essential_contacts_contact: 2
+ google_monitoring_notification_channel: 2
+ google_org_policy_policy: 3
+ google_project: 1
+ google_project_iam_binding: 3
+ google_project_iam_member: 2
+ google_project_service: 8
+ google_service_account: 2
+ google_storage_project_service_account: 1
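Review bot: The `counts:` block pins `google_service_account: 2` but no `google_service_account_iam_*` resource, so the `service_accounts_iam` path — the `roles/iam.serviceAccountTokenCreator` binding that the deleted `test_plan_service_accounts` exercised — appears to lose its coverage when this inventory takes over; adding a `service_accounts_iam` entry to the example data, plus the matching `google_service_account_iam_binding` value and count here, would keep that impersonation-grant path under test. Separately, the authoritative binding pinned on `roles/compute.adminv1` (right after the `roles/compute.admin` one) does not look like a real predefined role; if the example data uses it on purpose, a comment on that key such as `# deliberately unknown role name carried over from the example data` would stop a reader from "fixing" it, and if not, the example should be corrected before this expectation locks it in. The `roles/compute.securityAdmin` grant to the `container-engine` robot on `fast-dev-net-spoke-0` is the broadest binding in the file and presumably follows from the example's gke_setup switch; it is fine as an expectation, but a one-line comment saying it is opt-in would discourage copying the example into real project data as-is.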