Tests for secrets for CF

GoogleCloudPlatform · Sep 26, 2023 · 1c2f0c6 · 1c2f0c6
1 parent e295a5e
commit 1c2f0c6
Show file tree

Hide file tree

Showing 4 changed files with 186 additions and 0 deletions.
diff --git a/modules/cloud-function-v1/README.md b/modules/cloud-function-v1/README.md
@@ -4,6 +4,22 @@ Cloud Function management, with support for IAM roles and optional bucket creati
 
 The GCS object used for deployment uses a hash of the bundle zip contents in its name, which ensures change tracking and avoids recreating the function if the GCS object is deleted and needs recreating.
 
+<!-- BEGIN TOC -->
+- [TODO](#todo)
+- [Examples](#examples)
+  - [HTTP trigger](#http-trigger)
+  - [PubSub and non-HTTP triggers](#pubsub-and-non-http-triggers)
+  - [Controlling HTTP access](#controlling-http-access)
+  - [GCS bucket creation](#gcs-bucket-creation)
+  - [Service account management](#service-account-management)
+  - [Custom bundle config](#custom-bundle-config)
+  - [Private Cloud Build Pool](#private-cloud-build-pool)
+  - [Multiple Cloud Functions within project](#multiple-cloud-functions-within-project)
+  - [Mounting secrets from Secret Manager](#mounting-secrets-from-secret-manager)
+- [Variables](#variables)
+- [Outputs](#outputs)
+<!-- END TOC -->
+
 ## TODO
 
 - [ ] add support for `source_repository`
@@ -192,6 +208,46 @@ module "cf-http-two" {
 # tftest modules=2 resources=4 inventory=multiple_functions.yaml
 ```
 
+### Mounting secrets from Secret Manager
+This provides the latest value of the secret `var_secret` as `VARIABLE_SECRET` environment variable and three values of `path_secret` mounted in filesystem:
+* `/app/secret/first` contains version 1
+* `/app/secret/second` contains version 2
+* `/app/secret/latest` contains latest version of the secret
+```hcl
+module "cf-http" {
+  source      = "./fabric/modules/cloud-function-v1"
+  project_id  = "my-project"
+  name        = "test-cf-http"
+  bucket_name = "test-cf-bundles"
+  bundle_config = {
+    source_dir  = "fabric/assets"
+    output_path = "bundle.zip"
+  }
+  secrets = {
+    VARIABLE_SECRET = {
+      is_volume  = false
+      project_id = 1234567890
+      secret     = "var_secret"
+      versions = [
+        "latest"
+      ]
+    }
+    "/app/secret" = {
+      is_volume  = true
+      project_id = 1234567890
+      secret     = "path_secret"
+      versions = [
+        "1:first",
+        "2:second",
+        "latest:latest"
+      ]
+    }
+  }
+}
+# tftest modules=1 resources=2  inventory=secrets.yaml
+```
+
+
 <!-- BEGIN TFDOC -->
 
 ## Variables

diff --git a/modules/cloud-function-v2/README.md b/modules/cloud-function-v2/README.md
@@ -15,6 +15,7 @@ The GCS object used for deployment uses a hash of the bundle zip contents in its
   - [Custom bundle config](#custom-bundle-config)
   - [Private Cloud Build Pool](#private-cloud-build-pool)
   - [Multiple Cloud Functions within project](#multiple-cloud-functions-within-project)
+  - [Mounting secrets from Secret Manager](#mounting-secrets-from-secret-manager)
 - [Variables](#variables)
 - [Outputs](#outputs)
 <!-- END TOC -->
@@ -221,6 +222,46 @@ module "cf-http-two" {
 }
 # tftest modules=2 resources=4 inventory=multiple_functions.yaml
 ```
+
+### Mounting secrets from Secret Manager
+This provides the latest value of the secret `var_secret` as `VARIABLE_SECRET` environment variable and three values of `path_secret` mounted in filesystem:
+* `/app/secret/first` contains version 1
+* `/app/secret/second` contains version 2
+* `/app/secret/latest` contains latest version of the secret
+```hcl
+module "cf-http" {
+  source      = "./fabric/modules/cloud-function-v2"
+  project_id  = "my-project"
+  name        = "test-cf-http"
+  bucket_name = "test-cf-bundles"
+  bundle_config = {
+    source_dir  = "fabric/assets"
+    output_path = "bundle.zip"
+  }
+  secrets = {
+    VARIABLE_SECRET = {
+      is_volume  = false
+      project_id = 1234567890
+      secret     = "var_secret"
+      versions = [
+        "latest"
+      ]
+    }
+    "/app/secret" = {
+      is_volume  = true
+      project_id = 1234567890
+      secret     = "path_secret"
+      versions = [
+        "1:first",
+        "2:second",
+        "latest:latest"
+      ]
+    }
+  }
+}
+
+# tftest modules=1 resources=2 inventory=secrets.yaml
+```
 <!-- BEGIN TFDOC -->
 
 ## Variables

diff --git a/tests/modules/cloud_function_v1/examples/secrets.yaml b/tests/modules/cloud_function_v1/examples/secrets.yaml
@@ -0,0 +1,39 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.cf-http.google_cloudfunctions_function.function:
+    secret_environment_variables:
+      - key: VARIABLE_SECRET
+        project_id: '1234567890'
+        secret: var_secret
+        version: latest
+    secret_volumes:
+      - mount_path: /app/secret
+        project_id: '1234567890'
+        secret: path_secret
+        versions:
+          - path: first
+            version: '1'
+          - path: second
+            version: '2'
+          - path: latest
+            version: latest
+
+
+counts:
+  google_cloudfunctions_function: 1
+  google_storage_bucket_object: 1
+  modules: 1
+  resources: 2
diff --git a/tests/modules/cloud_function_v2/examples/secrets.yaml b/tests/modules/cloud_function_v2/examples/secrets.yaml
@@ -0,0 +1,50 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.cf-http.google_cloudfunctions2_function.function:
+    name: test-cf-http
+    service_config:
+      - all_traffic_on_latest_revision: true
+        available_cpu: '0.166'
+        available_memory: 256M
+        environment_variables: null
+        ingress_settings: ALLOW_ALL
+        max_instance_count: 1
+        min_instance_count: 0
+        secret_environment_variables:
+          - key: VARIABLE_SECRET
+            project_id: '1234567890'
+            secret: var_secret
+            version: latest
+        secret_volumes:
+          - mount_path: /app/secret
+            project_id: '1234567890'
+            secret: path_secret
+            versions:
+              - path: first
+                version: '1'
+              - path: second
+                version: '2'
+              - path: latest
+                version: latest
+        timeout_seconds: 180
+        vpc_connector: null
+        vpc_connector_egress_settings: null
+counts:
+  google_cloudfunctions2_function: 1
+  google_storage_bucket_object: 1
+  modules: 1
+  resources: 2
+