From 2d70bb8db279837db4c528aeca99d88846d0065e Mon Sep 17 00:00:00 2001 From: dibaskar-google <131877501+dibaskar-google@users.noreply.github.com> Date: Wed, 22 Nov 2023 10:25:11 +0100 Subject: [PATCH] E2E tests for folder module (#1876) E2E tests for folder module --- modules/folder/README.md | 105 +++++++++++++----- tests/modules/folder/examples/iam.yaml | 12 +- .../folder/examples/logging-data-access.yaml | 4 +- tests/modules/folder/examples/logging.yaml | 4 +- .../modules/folder/examples/org-policies.yaml | 2 +- tests/modules/folder/examples/tags.yaml | 6 +- 6 files changed, 93 insertions(+), 40 deletions(-) diff --git a/modules/folder/README.md b/modules/folder/README.md index 8c75cadd5e..81f21b01d1 100644 --- a/modules/folder/README.md +++ b/modules/folder/README.md @@ -21,26 +21,26 @@ This module allows the creation and management of folders, including support for ```hcl module "folder" { source = "./fabric/modules/folder" - parent = "organizations/1234567890" + parent = var.folder_id name = "Folder name" group_iam = { - "cloud-owners@example.org" = [ + "${var.group_email}" = [ "roles/owner", "roles/resourcemanager.folderAdmin", "roles/resourcemanager.projectCreator" ] } iam = { - "roles/owner" = ["user:one@example.org"] + "roles/owner" = ["serviceAccount:${var.service_account.email}"] } iam_bindings_additive = { am1-storage-admin = { - member = "user:am1@example.org" + member = "serviceAccount:${var.service_account.email}" role = "roles/storage.admin" } } } -# tftest modules=1 resources=5 inventory=iam.yaml +# tftest modules=1 resources=5 inventory=iam.yaml e2e ``` ## IAM @@ -62,7 +62,7 @@ To manage organization policies, the `orgpolicy.googleapis.com` service should b ```hcl module "folder" { source = "./fabric/modules/folder" - parent = "organizations/1234567890" + parent = var.folder_id name = "Folder name" org_policies = { "compute.disableGuestAttributesAccess" = { 
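Review bot: With the new `e2e` marker on the `tftest` line, this IAM example is applied against real infrastructure, and it binds `roles/owner` on the created folder to `var.service_account.email` (plus `roles/storage.admin` through the additive binding). Nothing in the example says that the folder under `var.folder_id` is a disposable test target, so a reader copying it gets a folder-level Owner grant to a service account without that context. A comment on the `iam` block such as `# e2e fixture: the test service account receives folder Owner — keep this to a throwaway test folder` would make the intent explicit.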
@@ -109,12 +109,67 @@ module "folder" { } } } -# tftest modules=1 resources=8 inventory=org-policies.yaml +# tftest modules=1 resources=8 inventory=org-policies.yaml e2e ``` ### Organization Policy Factory -See the [organization policy factory in the project module](../project#organization-policy-factory). +Organization policies can be loaded from a directory containing YAML files where each file defines one or more constraints. The structure of the YAML files is exactly the same as the org_policies variable. + +Note that constraints defined via org_policies take precedence over those in org_policies_data_path. In other words, if you specify the same constraint in a YAML file and in the org_policies variable, the latter will take priority. + +The example below deploys a few organization policies split between two YAML files. + +```hcl +module "folder" { + source = "./fabric/modules/folder" + parent = var.folder_id + name = "Folder name" + org_policies_data_path = "configs/org-policies/" +} +# tftest modules=1 resources=8 files=boolean,list inventory=org-policies.yaml e2e +``` + +```yaml +# tftest-file id=boolean path=configs/org-policies/boolean.yaml +compute.disableGuestAttributesAccess: + rules: + - enforce: true +compute.skipDefaultNetworkCreation: + rules: + - enforce: true +iam.disableServiceAccountKeyCreation: + rules: + - enforce: true +iam.disableServiceAccountKeyUpload: + rules: + - condition: + description: test condition + expression: resource.matchTagId('tagKeys/1234', 'tagValues/1234') + location: somewhere + title: condition + enforce: true + - enforce: false +``` + +```yaml +# tftest-file id=list path=configs/org-policies/list.yaml +compute.trustedImageProjects: + rules: + - allow: + values: + - projects/my-project +compute.vmExternalIpAccess: + rules: + - deny: + all: true +iam.allowedPolicyMemberDomains: + rules: + - allow: + values: + - C0xxxxxxx + - C0yyyyyyy +``` ## Hierarchical Firewall Policy Attachments 
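Review bot: The factory example carries `e2e`, so `configs/org-policies/list.yaml` is applied to a real folder with placeholder customer IDs `C0xxxxxxx`/`C0yyyyyyy` under `iam.allowedPolicyMemberDomains`, and `boolean.yaml` ships a condition on `tagKeys/1234`/`tagValues/1234`; whether the API accepts those literal values I cannot tell from the hunk, but if it does, the test folder carries a domain restriction that no real principal satisfies for as long as it exists. A line under the `tftest-file` marker such as `# placeholder values for the test harness — substitute your Cloud Identity customer ID(s) before reuse` would stop the IDs being copied verbatim. Both the variable-driven example and this one point at `inventory=org-policies.yaml`, which only stays valid while the two constraint sets remain identical; it is worth saying so next to the second `tftest` line.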
@@ -133,7 +188,7 @@ module "firewall-policy" { module "folder" { source = "./fabric/modules/folder" - parent = "organizations/1234567890" + parent = var.folder_id name = "Folder name" # attachment via the organization module firewall_policy = { @@ -141,42 +196,41 @@ module "folder" { policy = module.firewall-policy.id } } -# tftest modules=2 resources=3 +# tftest modules=2 resources=3 e2e ``` - ## Log Sinks ```hcl module "gcs" { source = "./fabric/modules/gcs" - project_id = "my-project" + project_id = var.project_id name = "gcs_sink" force_destroy = true } module "dataset" { source = "./fabric/modules/bigquery-dataset" - project_id = "my-project" + project_id = var.project_id id = "bq_sink" } module "pubsub" { source = "./fabric/modules/pubsub" - project_id = "my-project" + project_id = var.project_id name = "pubsub_sink" } module "bucket" { source = "./fabric/modules/logging-bucket" parent_type = "project" - parent = "my-project" + parent = var.project_id id = "bucket" } module "folder-sink" { source = "./fabric/modules/folder" - parent = "folders/657104291943" - name = "my-folder" + name = "Folder name" + parent = var.folder_id logging_sinks = { warnings = { destination = module.gcs.id @@ -206,7 +260,7 @@ module "folder-sink" { no-gce-instances = "resource.type=gce_instance" } } -# tftest modules=5 resources=14 inventory=logging.yaml +# tftest modules=5 resources=14 inventory=logging.yaml e2e ``` ## Data Access Logs @@ -218,12 +272,12 @@ This example shows how to set a non-authoritative access log configuration: ```hcl module "folder" { source = "./fabric/modules/folder" - parent = "folders/657104291943" - name = "my-folder" + parent = var.folder_id + name = "Folder name" logging_data_access = { allServices = { # logs for principals listed here will be excluded - ADMIN_READ = ["group:organization-admins@example.org"] + ADMIN_READ = ["group:${var.group_email}"] } "storage.googleapis.com" = { DATA_READ = [] 
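Review bot: In the log-sink example `module "gcs"` is now applied for real (`e2e`) with the fixed name `gcs_sink` and no prefix; Cloud Storage bucket names are global, so unless the harness or the gcs module injects a unique prefix (not visible in this hunk), the apply fails whenever that name already exists anywhere, and concurrent runs race on the same name. Consider deriving the name from a harness-provided value, e.g. `name = "${var.prefix}-gcs-sink"` if the fixtures expose such a variable, or note in a comment that the name must be globally unique. `force_destroy = true` is kept, which is right for a fixture that receives sink output and must be torn down.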
@@ -231,7 +285,7 @@ module "folder" { } } } -# tftest modules=1 resources=3 inventory=logging-data-access.yaml +# tftest modules=1 resources=3 inventory=logging-data-access.yaml e2e ``` ## Tags @@ -256,14 +310,13 @@ module "org" { module "folder" { source = "./fabric/modules/folder" - name = "Test" - parent = module.org.organization_id + name = "Folder name" + parent = var.folder_id tag_bindings = { env-prod = module.org.tag_values["environment/prod"].id - foo = "tagValues/12345678" } } -# tftest modules=2 resources=6 inventory=tags.yaml +# tftest modules=2 resources=5 inventory=tags.yaml e2e ``` diff --git a/tests/modules/folder/examples/iam.yaml b/tests/modules/folder/examples/iam.yaml index a1c06e4688..09d0e65b02 100644 --- a/tests/modules/folder/examples/iam.yaml +++ b/tests/modules/folder/examples/iam.yaml @@ -15,27 +15,27 @@ values: module.folder.google_folder.folder[0]: display_name: Folder name - parent: organizations/1234567890 + parent: folders/1122334455 timeouts: null module.folder.google_folder_iam_binding.authoritative["roles/owner"]: condition: [] members: - - group:cloud-owners@example.org - - user:one@example.org + - group:organization-admins@example.org + - serviceAccount:service_account_email role: roles/owner module.folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]: condition: [] members: - - group:cloud-owners@example.org + - group:organization-admins@example.org role: roles/resourcemanager.folderAdmin module.folder.google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]: condition: [] members: - - group:cloud-owners@example.org + - group:organization-admins@example.org role: roles/resourcemanager.projectCreator module.folder.google_folder_iam_member.bindings["am1-storage-admin"]: condition: [] - member: user:am1@example.org + member: serviceAccount:service_account_email role: roles/storage.admin counts: 
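Review bot: The tags example now creates the folder as `"Folder name"`, drops the `foo` binding and sets `resources=5`, but `tests/modules/folder/examples/tags.yaml` (hunk further down in this patch) still lists `display_name: Test` and `module.folder.google_tags_tag_binding.binding["foo"]` with `tag_value: tagValues/12345678` while its `counts` was lowered to `google_tags_tag_binding: 1`; if the inventory check requires each listed address to be present in the plan, the two files disagree and the example cannot pass as written, so please verify which one is intended. In the same inventory the tag key created by `module.org` now expects `parent: folders/1122334455`; that module is defined above the hunk, but a tag key made by the org module would normally be parented by the organization, so that change looks like a search-and-replace that went one entry too far. On the inventory side the fix would be `display_name: Folder name`, removing the `binding["foo"]` entry, and restoring the tag key's organization parent.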
diff --git a/tests/modules/folder/examples/logging-data-access.yaml b/tests/modules/folder/examples/logging-data-access.yaml index 60b387258e..69b66d0648 100644 --- a/tests/modules/folder/examples/logging-data-access.yaml +++ b/tests/modules/folder/examples/logging-data-access.yaml @@ -14,8 +14,8 @@ values: module.folder.google_folder.folder[0]: - display_name: my-folder - parent: folders/657104291943 + display_name: Folder name + parent: folders/1122334455 timeouts: null module.folder.google_folder_iam_audit_config.default["allServices"]: audit_log_config: diff --git a/tests/modules/folder/examples/logging.yaml b/tests/modules/folder/examples/logging.yaml index b55b4bbb63..6b6d8570ea 100644 --- a/tests/modules/folder/examples/logging.yaml +++ b/tests/modules/folder/examples/logging.yaml @@ -16,8 +16,8 @@ values: module.folder-sink.google_bigquery_dataset_iam_member.bq-sinks-binding["info"]: role: roles/bigquery.dataEditor module.folder-sink.google_folder.folder[0]: - display_name: my-folder - parent: folders/657104291943 + display_name: Folder name + parent: folders/1122334455 module.folder-sink.google_logging_folder_exclusion.logging-exclusion["no-gce-instances"]: description: no-gce-instances (Terraform-managed). filter: resource.type=gce_instance diff --git a/tests/modules/folder/examples/org-policies.yaml b/tests/modules/folder/examples/org-policies.yaml index c7bee1239e..6bfe6fcdb1 100644 --- a/tests/modules/folder/examples/org-policies.yaml +++ b/tests/modules/folder/examples/org-policies.yaml @@ -15,7 +15,7 @@ values: module.folder.google_folder.folder[0]: display_name: Folder name - parent: organizations/1234567890 + parent: folders/1122334455 module.folder.google_org_policy_policy.default["compute.disableGuestAttributesAccess"]: spec: - inherit_from_parent: null diff --git a/tests/modules/folder/examples/tags.yaml b/tests/modules/folder/examples/tags.yaml index 1451b6d1c7..11c390eb78 100644 --- a/tests/modules/folder/examples/tags.yaml 
+++ b/tests/modules/folder/examples/tags.yaml @@ -16,13 +16,13 @@ tests/examples/test_plan.py::test_example[modules/folder:Tags] values: module.folder.google_folder.folder[0]: display_name: Test - parent: organizations/1122334455 + parent: folders/1122334455 module.folder.google_tags_tag_binding.binding["env-prod"]: {} module.folder.google_tags_tag_binding.binding["foo"]: tag_value: tagValues/12345678 module.org.google_tags_tag_key.default["environment"]: description: Environment specification. - parent: organizations/1122334455 + parent: folders/1122334455 purpose: null purpose_data: null short_name: environment @@ -36,6 +36,6 @@ tests/examples/test_plan.py::test_example[modules/folder:Tags] values: counts: google_folder: 1 - google_tags_tag_binding: 2 + google_tags_tag_binding: 1 google_tags_tag_key: 1 google_tags_tag_value: 2