From 1c2f0c6b14b27885b720712b422847c9be7e3563 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Wiktor=20Niesiob=C4=99dzki?= Date: Mon, 25 Sep 2023 14:15:22 +0000 Subject: [PATCH] Tests for secrets for CF --- modules/cloud-function-v1/README.md | 56 +++++++++++++++++++ modules/cloud-function-v2/README.md | 41 ++++++++++++++ .../cloud_function_v1/examples/secrets.yaml | 39 +++++++++++++ .../cloud_function_v2/examples/secrets.yaml | 50 +++++++++++++++++ 4 files changed, 186 insertions(+) create mode 100644 tests/modules/cloud_function_v1/examples/secrets.yaml create mode 100644 tests/modules/cloud_function_v2/examples/secrets.yaml diff --git a/modules/cloud-function-v1/README.md b/modules/cloud-function-v1/README.md index 5fc72ca3b5..20f44ce5aa 100644 --- a/modules/cloud-function-v1/README.md +++ b/modules/cloud-function-v1/README.md @@ -4,6 +4,22 @@ Cloud Function management, with support for IAM roles and optional bucket creati The GCS object used for deployment uses a hash of the bundle zip contents in its name, which ensures change tracking and avoids recreating the function if the GCS object is deleted and needs recreating. + +- [TODO](#todo) +- [Examples](#examples) + - [HTTP trigger](#http-trigger) + - [PubSub and non-HTTP triggers](#pubsub-and-non-http-triggers) + - [Controlling HTTP access](#controlling-http-access) + - [GCS bucket creation](#gcs-bucket-creation) + - [Service account management](#service-account-management) + - [Custom bundle config](#custom-bundle-config) + - [Private Cloud Build Pool](#private-cloud-build-pool) + - [Multiple Cloud Functions within project](#multiple-cloud-functions-within-project) + - [Mounting secrets from Secret Manager](#mounting-secrets-from-secret-manager) +- [Variables](#variables) +- [Outputs](#outputs) + + ## TODO - [ ] add support for `source_repository` 
@@ -192,6 +208,46 @@ module "cf-http-two" { # tftest modules=2 resources=4 inventory=multiple_functions.yaml ``` +### Mounting secrets from Secret Manager +This provides the latest value of the secret `var_secret` as `VARIABLE_SECRET` environment variable and three values of `path_secret` mounted in filesystem: +* `/app/secret/first` contains version 1 +* `/app/secret/second` contains version 2 +* `/app/secret/latest` contains latest version of the secret +```hcl +module "cf-http" { + source = "./fabric/modules/cloud-function-v1" + project_id = "my-project" + name = "test-cf-http" + bucket_name = "test-cf-bundles" + bundle_config = { + source_dir = "fabric/assets" + output_path = "bundle.zip" + } + secrets = { + VARIABLE_SECRET = { + is_volume = false + project_id = 1234567890 + secret = "var_secret" + versions = [ + "latest" + ] + } + "/app/secret" = { + is_volume = true + project_id = 1234567890 + secret = "path_secret" + versions = [ + "1:first", + "2:second", + "latest:latest" + ] + } + } +} +# tftest modules=1 resources=2 inventory=secrets.yaml +``` + + ## Variables diff --git a/modules/cloud-function-v2/README.md b/modules/cloud-function-v2/README.md index fa56fa10cb..4f8bcb148b 100644 --- a/modules/cloud-function-v2/README.md +++ b/modules/cloud-function-v2/README.md @@ -15,6 +15,7 @@ The GCS object used for deployment uses a hash of the bundle zip contents in its - [Custom bundle config](#custom-bundle-config) - [Private Cloud Build Pool](#private-cloud-build-pool) - [Multiple Cloud Functions within project](#multiple-cloud-functions-within-project) + - [Mounting secrets from Secret Manager](#mounting-secrets-from-secret-manager) - [Variables](#variables) - [Outputs](#outputs) 
@@ -221,6 +222,46 @@ module "cf-http-two" { } # tftest modules=2 resources=4 inventory=multiple_functions.yaml ``` + +### Mounting secrets from Secret Manager +This provides the latest value of the secret `var_secret` as `VARIABLE_SECRET` environment variable and three values of `path_secret` mounted in filesystem: +* `/app/secret/first` contains version 1 +* `/app/secret/second` contains version 2 +* `/app/secret/latest` contains latest version of the secret +```hcl +module "cf-http" { + source = "./fabric/modules/cloud-function-v2" + project_id = "my-project" + name = "test-cf-http" + bucket_name = "test-cf-bundles" + bundle_config = { + source_dir = "fabric/assets" + output_path = "bundle.zip" + } + secrets = { + VARIABLE_SECRET = { + is_volume = false + project_id = 1234567890 + secret = "var_secret" + versions = [ + "latest" + ] + } + "/app/secret" = { + is_volume = true + project_id = 1234567890 + secret = "path_secret" + versions = [ + "1:first", + "2:second", + "latest:latest" + ] + } + } +} + +# tftest modules=1 resources=2 inventory=secrets.yaml +``` ## Variables diff --git a/tests/modules/cloud_function_v1/examples/secrets.yaml b/tests/modules/cloud_function_v1/examples/secrets.yaml new file mode 100644 index 0000000000..47447a62fd --- /dev/null +++ b/tests/modules/cloud_function_v1/examples/secrets.yaml 
@@ -0,0 +1,39 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + module.cf-http.google_cloudfunctions_function.function: + secret_environment_variables: + - key: VARIABLE_SECRET + project_id: '1234567890' + secret: var_secret + version: latest + secret_volumes: + - mount_path: /app/secret + project_id: '1234567890' + secret: path_secret + versions: + - path: first + version: '1' + - path: second + version: '2' + - path: latest + version: latest + + +counts: + google_cloudfunctions_function: 1 + google_storage_bucket_object: 1 + modules: 1 + resources: 2 diff --git a/tests/modules/cloud_function_v2/examples/secrets.yaml b/tests/modules/cloud_function_v2/examples/secrets.yaml new file mode 100644 index 0000000000..1443e4be5f --- /dev/null +++ b/tests/modules/cloud_function_v2/examples/secrets.yaml 
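Review bot: The v1 inventory asserts only `secret_environment_variables` and `secret_volumes`, while the v2 inventory for the same example (tests/modules/cloud_function_v2/examples/secrets.yaml, next hunk) also pins `name` and the whole `service_config` block (`available_cpu`, `ingress_settings: ALLOW_ALL`, `timeout_seconds`, …) that the secrets feature does not touch. Pinning unrelated defaults in a feature test means a later change to one of those defaults breaks the secrets test for a reason that has nothing to do with secrets; I would trim the v2 fixture to `name` plus the two secret lists and add `name: test-cf-http` under the v1 resource so both fixtures check the same thing. Both fixtures also expect `project_id: '1234567890'` while the README example passes `project_id = 1234567890` unquoted; presumably the module stringifies the number, and a one-line comment above the `values:` block, `# project_id is the string form of the numeric value given in the README example`, would save the next reader a round trip.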
@@ -0,0 +1,50 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + module.cf-http.google_cloudfunctions2_function.function: + name: test-cf-http + service_config: + - all_traffic_on_latest_revision: true + available_cpu: '0.166' + available_memory: 256M + environment_variables: null + ingress_settings: ALLOW_ALL + max_instance_count: 1 + min_instance_count: 0 + secret_environment_variables: + - key: VARIABLE_SECRET + project_id: '1234567890' + secret: var_secret + version: latest + secret_volumes: + - mount_path: /app/secret + project_id: '1234567890' + secret: path_secret + versions: + - path: first + version: '1' + - path: second + version: '2' + - path: latest + version: latest + timeout_seconds: 180 + vpc_connector: null + vpc_connector_egress_settings: null +counts: + google_cloudfunctions2_function: 1 + google_storage_bucket_object: 1 + modules: 1 + resources: 2 +