

E2E tests for folder module (#1876)
E2E tests for folder module
dibaskar-google authored Nov 22, 2023
1 parent 85b18cf commit 2d70bb8
Showing 6 changed files with 93 additions and 40 deletions.
105 changes: 79 additions & 26 deletions modules/folder/README.md
Expand Up @@ -21,26 +21,26 @@ This module allows the creation and management of folders, including support for
```hcl
module "folder" {
source = "./fabric/modules/folder"
parent = "organizations/1234567890"
parent = var.folder_id
name = "Folder name"
group_iam = {
"[email protected]" = [
"${var.group_email}" = [
"roles/owner",
"roles/resourcemanager.folderAdmin",
"roles/resourcemanager.projectCreator"
]
}
iam = {
"roles/owner" = ["user:[email protected]"]
"roles/owner" = ["serviceAccount:${var.service_account.email}"]
}
iam_bindings_additive = {
am1-storage-admin = {
member = "user:[email protected]"
member = "serviceAccount:${var.service_account.email}"
role = "roles/storage.admin"
}
}
}
# tftest modules=1 resources=5 inventory=iam.yaml
# tftest modules=1 resources=5 inventory=iam.yaml e2e
```

## IAM
Expand All @@ -62,7 +62,7 @@ To manage organization policies, the `orgpolicy.googleapis.com` service should b
```hcl
module "folder" {
source = "./fabric/modules/folder"
parent = "organizations/1234567890"
parent = var.folder_id
name = "Folder name"
org_policies = {
"compute.disableGuestAttributesAccess" = {
Expand Down Expand Up @@ -109,12 +109,67 @@ module "folder" {
}
}
}
# tftest modules=1 resources=8 inventory=org-policies.yaml
# tftest modules=1 resources=8 inventory=org-policies.yaml e2e
```

### Organization Policy Factory

See the [organization policy factory in the project module](../project#organization-policy-factory).
Organization policies can be loaded from a directory containing YAML files where each file defines one or more constraints. The structure of the YAML files is exactly the same as the org_policies variable.

Note that constraints defined via org_policies take precedence over those in org_policies_data_path. In other words, if you specify the same constraint in a YAML file and in the org_policies variable, the latter will take priority.

The example below deploys a few organization policies split between two YAML files.

```hcl
module "folder" {
source = "./fabric/modules/folder"
parent = var.folder_id
name = "Folder name"
org_policies_data_path = "configs/org-policies/"
}
# tftest modules=1 resources=8 files=boolean,list inventory=org-policies.yaml e2e
```

```yaml
# tftest-file id=boolean path=configs/org-policies/boolean.yaml
compute.disableGuestAttributesAccess:
rules:
- enforce: true
compute.skipDefaultNetworkCreation:
rules:
- enforce: true
iam.disableServiceAccountKeyCreation:
rules:
- enforce: true
iam.disableServiceAccountKeyUpload:
rules:
- condition:
description: test condition
expression: resource.matchTagId('tagKeys/1234', 'tagValues/1234')
location: somewhere
title: condition
enforce: true
- enforce: false
```
```yaml
# tftest-file id=list path=configs/org-policies/list.yaml
compute.trustedImageProjects:
rules:
- allow:
values:
- projects/my-project
compute.vmExternalIpAccess:
rules:
- deny:
all: true
iam.allowedPolicyMemberDomains:
rules:
- allow:
values:
- C0xxxxxxx
- C0yyyyyyy
```
## Hierarchical Firewall Policy Attachments
Expand All @@ -133,50 +188,49 @@ module "firewall-policy" {
module "folder" {
source = "./fabric/modules/folder"
parent = "organizations/1234567890"
parent = var.folder_id
name = "Folder name"
# attachment via the organization module
firewall_policy = {
name = "test-1"
policy = module.firewall-policy.id
}
}
# tftest modules=2 resources=3
# tftest modules=2 resources=3 e2e
```

## Log Sinks

```hcl
module "gcs" {
source = "./fabric/modules/gcs"
project_id = "my-project"
project_id = var.project_id
name = "gcs_sink"
force_destroy = true
}
module "dataset" {
source = "./fabric/modules/bigquery-dataset"
project_id = "my-project"
project_id = var.project_id
id = "bq_sink"
}
module "pubsub" {
source = "./fabric/modules/pubsub"
project_id = "my-project"
project_id = var.project_id
name = "pubsub_sink"
}
module "bucket" {
source = "./fabric/modules/logging-bucket"
parent_type = "project"
parent = "my-project"
parent = var.project_id
id = "bucket"
}
module "folder-sink" {
source = "./fabric/modules/folder"
parent = "folders/657104291943"
name = "my-folder"
name = "Folder name"
parent = var.folder_id
logging_sinks = {
warnings = {
destination = module.gcs.id
Expand Down Expand Up @@ -206,7 +260,7 @@ module "folder-sink" {
no-gce-instances = "resource.type=gce_instance"
}
}
# tftest modules=5 resources=14 inventory=logging.yaml
# tftest modules=5 resources=14 inventory=logging.yaml e2e
```

## Data Access Logs
Expand All @@ -218,20 +272,20 @@ This example shows how to set a non-authoritative access log configuration:
```hcl
module "folder" {
source = "./fabric/modules/folder"
parent = "folders/657104291943"
name = "my-folder"
parent = var.folder_id
name = "Folder name"
logging_data_access = {
allServices = {
# logs for principals listed here will be excluded
ADMIN_READ = ["group:[email protected]"]
ADMIN_READ = ["group:${var.group_email}"]
}
"storage.googleapis.com" = {
DATA_READ = []
DATA_WRITE = []
}
}
}
# tftest modules=1 resources=3 inventory=logging-data-access.yaml
# tftest modules=1 resources=3 inventory=logging-data-access.yaml e2e
```

## Tags
Expand All @@ -256,14 +310,13 @@ module "org" {
module "folder" {
source = "./fabric/modules/folder"
name = "Test"
parent = module.org.organization_id
name = "Folder name"
parent = var.folder_id
tag_bindings = {
env-prod = module.org.tag_values["environment/prod"].id
foo = "tagValues/12345678"
}
}
# tftest modules=2 resources=6 inventory=tags.yaml
# tftest modules=2 resources=5 inventory=tags.yaml e2e
```

<!-- TFDOC OPTS files:1 -->
12 changes: 6 additions & 6 deletions tests/modules/folder/examples/iam.yaml
Expand Up @@ -15,27 +15,27 @@
values:
module.folder.google_folder.folder[0]:
display_name: Folder name
parent: organizations/1234567890
parent: folders/1122334455
timeouts: null
module.folder.google_folder_iam_binding.authoritative["roles/owner"]:
condition: []
members:
- group:cloud-owners@example.org
- user:[email protected]
- group:organization-admins@example.org
- serviceAccount:service_account_email
role: roles/owner
module.folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]:
condition: []
members:
- group:cloud-owners@example.org
- group:organization-admins@example.org
role: roles/resourcemanager.folderAdmin
module.folder.google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]:
condition: []
members:
- group:cloud-owners@example.org
- group:organization-admins@example.org
role: roles/resourcemanager.projectCreator
module.folder.google_folder_iam_member.bindings["am1-storage-admin"]:
condition: []
member: user:[email protected]
member: serviceAccount:service_account_email
role: roles/storage.admin

counts:
4 changes: 2 additions & 2 deletions tests/modules/folder/examples/logging-data-access.yaml
Expand Up @@ -14,8 +14,8 @@

values:
module.folder.google_folder.folder[0]:
display_name: my-folder
parent: folders/657104291943
display_name: Folder name
parent: folders/1122334455
timeouts: null
module.folder.google_folder_iam_audit_config.default["allServices"]:
audit_log_config:
4 changes: 2 additions & 2 deletions tests/modules/folder/examples/logging.yaml
Expand Up @@ -16,8 +16,8 @@ values:
module.folder-sink.google_bigquery_dataset_iam_member.bq-sinks-binding["info"]:
role: roles/bigquery.dataEditor
module.folder-sink.google_folder.folder[0]:
display_name: my-folder
parent: folders/657104291943
display_name: Folder name
parent: folders/1122334455
module.folder-sink.google_logging_folder_exclusion.logging-exclusion["no-gce-instances"]:
description: no-gce-instances (Terraform-managed).
filter: resource.type=gce_instance
2 changes: 1 addition & 1 deletion tests/modules/folder/examples/org-policies.yaml
Expand Up @@ -15,7 +15,7 @@
values:
module.folder.google_folder.folder[0]:
display_name: Folder name
parent: organizations/1234567890
parent: folders/1122334455
module.folder.google_org_policy_policy.default["compute.disableGuestAttributesAccess"]:
spec:
- inherit_from_parent: null
6 changes: 3 additions & 3 deletions tests/modules/folder/examples/tags.yaml
Expand Up @@ -16,13 +16,13 @@
tests/examples/test_plan.py::test_example[modules/folder:Tags] values:
module.folder.google_folder.folder[0]:
display_name: Test
parent: organizations/1122334455
parent: folders/1122334455
module.folder.google_tags_tag_binding.binding["env-prod"]: {}
module.folder.google_tags_tag_binding.binding["foo"]:
tag_value: tagValues/12345678
module.org.google_tags_tag_key.default["environment"]:
description: Environment specification.
parent: organizations/1122334455
parent: folders/1122334455
purpose: null
purpose_data: null
short_name: environment
Expand All @@ -36,6 +36,6 @@ tests/examples/test_plan.py::test_example[modules/folder:Tags] values:

counts:
google_folder: 1
google_tags_tag_binding: 2
google_tags_tag_binding: 1
google_tags_tag_key: 1
google_tags_tag_value: 2
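Review bot: The `counts` hunk lowers `google_tags_tag_binding` to 1, yet the `values` block in the first hunk still lists both `module.folder.google_tags_tag_binding.binding["env-prod"]` and `binding["foo"]`, so one of the two fixtures looks stale; either the `foo` entry should be dropped from `values` or the count kept at `google_tags_tag_binding: 2`, depending on what the README example now declares. The new `parent: folders/1122334455` on `module.org.google_tags_tag_key.default["environment"]` also looks inconsistent with tag keys, which are parented to an organization or project rather than a folder — presumably an artifact of the harness substituting the same id for every parent, but worth confirming against an actual plan before this inventory is relied on in e2e. The same substituted id appears in iam.yaml, logging.yaml, logging-data-access.yaml and org-policies.yaml, where a folder parent is the expected value.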
