Fix E2E tests

GoogleCloudPlatform · Sep 3, 2024 · 398f73e · 398f73e
1 parent d47a6fd
commit 398f73e
Show file tree

Hide file tree

Showing 30 changed files with 592 additions and 265 deletions.
diff --git a/modules/alloydb/README.md b/modules/alloydb/README.md
@@ -147,23 +147,71 @@ module "alloydb" {
 ### CMEK encryption
 
 ```hcl
+module "project" {
+  source          = "./fabric/modules/project"
+  name            = "alloycmek"
+  billing_account = var.billing_account_id
+  prefix          = var.prefix
+  parent          = var.folder_id
+  services = [
+    "alloydb.googleapis.com",
+    "cloudkms.googleapis.com",
+    "servicenetworking.googleapis.com"
+  ]
+}
+
+module "kms" {
+  source     = "./fabric/modules/kms"
+  project_id = module.project.project_id
+  keyring = {
+    location = var.region
+    name     = "keyring"
+  }
+  keys = {
+    "key-regional" = {
+    }
+  }
+  iam = {
+    "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
+      module.project.service_agents.alloydb.iam_email
+    ]
+  }
+}
+
+module "vpc" {
+  source     = "./fabric/modules/net-vpc"
+  project_id = module.project.project_id
+  name       = "my-network"
+  subnets = [
+    {
+      ip_cidr_range = "10.0.0.0/24"
+      name          = "production"
+      region        = var.region
+    },
+  ]
+  psa_configs = [{
+    ranges = { myrange = "10.0.1.0/24" }
+  }]
+}
+
+
 module "alloydb" {
   source       = "./fabric/modules/alloydb"
-  project_id   = var.project_id
+  project_id   = module.project.project_id
   cluster_name = "primary"
   location     = var.region
   name         = "primary"
   network_config = {
     psa_config = {
-      network = var.vpc.id
+      network = module.vpc.id
     }
   }
   encryption_config = {
-    primary_kms_key_name = var.kms_key.id
+    primary_kms_key_name = module.kms.keys.key-regional.id
   }
 }
 
-# tftest modules=1 resources=3 fixtures=fixtures/alloydb-kms-iam-grant.tf inventory=cmek.yaml e2e
+# tftest inventory=cmek.yaml e2e
 ```
 
 ## Tag bindings
@@ -257,8 +305,4 @@ module "alloydb" {
 | [service_attachment](outputs.tf#L90) | AlloyDB Primary instance service attachment. |  |
 | [service_attachments](outputs.tf#L95) | AlloyDB instances service attachment. |  |
 | [user_passwords](outputs.tf#L102) | Map of containing the password of all users created through terraform. | ✓ |
-
-## Fixtures
-
-- [alloydb-kms-iam-grant.tf](../../tests/fixtures/alloydb-kms-iam-grant.tf)
 <!-- END TFDOC -->
diff --git a/modules/artifact-registry/README.md b/modules/artifact-registry/README.md
@@ -231,7 +231,7 @@ module "registry-docker" {
 | name | description | sensitive |
 |---|---|:---:|
 | [id](outputs.tf#L17) | Fully qualified repository id. |  |
-| [name](outputs.tf#L22) | Repository name. |  |
-| [repository](outputs.tf#L27) | Repository object. |  |
-| [url](outputs.tf#L32) | Repository URL. |  |
+| [name](outputs.tf#L25) | Repository name. |  |
+| [repository](outputs.tf#L33) | Repository object. |  |
+| [url](outputs.tf#L41) | Repository URL. |  |
 <!-- END TFDOC -->
diff --git a/modules/bigquery-dataset/README.md b/modules/bigquery-dataset/README.md
@@ -347,12 +347,12 @@ module "bigquery-dataset" {
 |---|---|:---:|
 | [dataset](outputs.tf#L17) | Dataset resource. |  |
 | [dataset_id](outputs.tf#L22) | Dataset id. |  |
-| [id](outputs.tf#L36) | Fully qualified dataset id. |  |
-| [materialized_view_ids](outputs.tf#L50) | Map of fully qualified materialized view ids keyed by view ids. |  |
-| [materialized_views](outputs.tf#L55) | Materialized view resources. |  |
-| [self_link](outputs.tf#L60) | Dataset self link. |  |
-| [table_ids](outputs.tf#L74) | Map of fully qualified table ids keyed by table ids. |  |
-| [tables](outputs.tf#L79) | Table resources. |  |
-| [view_ids](outputs.tf#L84) | Map of fully qualified view ids keyed by view ids. |  |
-| [views](outputs.tf#L89) | View resources. |  |
+| [id](outputs.tf#L37) | Fully qualified dataset id. |  |
+| [materialized_view_ids](outputs.tf#L52) | Map of fully qualified materialized view ids keyed by view ids. |  |
+| [materialized_views](outputs.tf#L57) | Materialized view resources. |  |
+| [self_link](outputs.tf#L62) | Dataset self link. |  |
+| [table_ids](outputs.tf#L77) | Map of fully qualified table ids keyed by table ids. |  |
+| [tables](outputs.tf#L82) | Table resources. |  |
+| [view_ids](outputs.tf#L87) | Map of fully qualified view ids keyed by view ids. |  |
+| [views](outputs.tf#L92) | View resources. |  |
 <!-- END TFDOC -->
diff --git a/modules/cloud-function-v1/README.md b/modules/cloud-function-v1/README.md
@@ -40,8 +40,11 @@ module "cf-http" {
   bundle_config = {
     path = "assets/sample-function/"
   }
+  depends_on = [
+    google_project_iam_member.bucket_default_compute_account_grant,
+  ]
 }
-# tftest modules=1 resources=5   fixtures=fixtures/functions-default-sa-iam-grants.tf e2e
+# tftest modules=1 resources=5 fixtures=fixtures/functions-default-sa-iam-grants.tf e2e
 ```
 
 ### PubSub and non-HTTP triggers
@@ -62,6 +65,10 @@ module "cf-http" {
     event    = "google.pubsub.topic.publish"
     resource = module.pubsub.topic.name
   }
+  depends_on = [
+    google_project_iam_member.bucket_default_compute_account_grant,
+  ]
+
 }
 # tftest modules=2 resources=7 fixtures=fixtures/pubsub.tf,fixtures/functions-default-sa-iam-grants.tf e2e
 ```
@@ -83,8 +90,11 @@ module "cf-http" {
   iam = {
     "roles/cloudfunctions.invoker" = ["allUsers"]
   }
+  depends_on = [
+    google_project_iam_member.bucket_default_compute_account_grant,
+  ]
 }
-# tftest modules=1 resources=6 fixtures=fixtures/functions-default-sa-iam-grants.tf inventory=iam.yaml e2e
+# tftest fixtures=fixtures/functions-default-sa-iam-grants.tf inventory=iam.yaml e2e
 ```
 
 ### GCS bucket creation
@@ -106,8 +116,11 @@ module "cf-http" {
   bundle_config = {
     path = "assets/sample-function/"
   }
+  depends_on = [
+    google_project_iam_member.bucket_default_compute_account_grant,
+  ]
 }
-# tftest modules=1 resources=6 fixtures=fixtures/functions-default-sa-iam-grants.tf inventory=bucket-creation.yaml e2e
+# tftest fixtures=fixtures/functions-default-sa-iam-grants.tf inventory=bucket-creation.yaml e2e
 ```
 
 ### Service account management
@@ -125,6 +138,9 @@ module "cf-http" {
     path = "assets/sample-function/"
   }
   service_account_create = true
+  depends_on = [
+    google_project_iam_member.bucket_default_compute_account_grant,
+  ]
 }
 # tftest modules=1 resources=6 fixtures=fixtures/functions-default-sa-iam-grants.tf e2e
 ```
@@ -142,6 +158,9 @@ module "cf-http" {
     path = "assets/sample-function/"
   }
   service_account = var.service_account.email
+  depends_on = [
+    google_project_iam_member.bucket_default_compute_account_grant,
+  ]
 }
 # tftest modules=1 resources=5 fixtures=fixtures/functions-default-sa-iam-grants.tf e2e
 ```
@@ -170,6 +189,9 @@ module "cf-http" {
       excludes     = ["__pycache__"]
     }
   }
+  depends_on = [
+    google_project_iam_member.bucket_default_compute_account_grant,
+  ]
 }
 # tftest modules=1 resources=5 fixtures=fixtures/functions-default-sa-iam-grants.tf  e2e
 ```
@@ -189,6 +211,9 @@ module "cf-http" {
   bundle_config = {
     path = "assets/sample-function/"
   }
+  depends_on = [
+    google_project_iam_member.bucket_default_compute_account_grant,
+  ]
 }
 # tftest modules=1 resources=6 fixtures=fixtures/cloudbuild-custom-pool.tf,fixtures/functions-default-sa-iam-grants.tf e2e
 ```
@@ -218,8 +243,11 @@ module "cf-http-two" {
   bundle_config = {
     path = "assets/sample-function/"
   }
+  depends_on = [
+    google_project_iam_member.bucket_default_compute_account_grant,
+  ]
 }
-# tftest modules=2 resources=7 fixtures=fixtures/functions-default-sa-iam-grants.tf inventory=multiple_functions.yaml e2e
+# tftest fixtures=fixtures/functions-default-sa-iam-grants.tf inventory=multiple_functions.yaml e2e
 ```
 
 ### Mounting secrets from Secret Manager
@@ -256,61 +284,92 @@ module "cf-http" {
       ]
     }
   }
+  depends_on = [
+    google_project_iam_member.bucket_default_compute_account_grant,
+  ]
 }
-# tftest modules=2 resources=8 fixtures=fixtures/secret-credentials.tf,fixtures/functions-default-sa-iam-grants.tf  inventory=secrets.yaml e2e
+# tftest fixtures=fixtures/secret-credentials.tf,fixtures/functions-default-sa-iam-grants.tf  inventory=secrets.yaml e2e
 ```
 
 ### Using CMEK to encrypt function resources
 
 This encrypt bucket _gcf-sources-*_ with the provided kms key. The repository has to be encrypted with the same kms key.
 
 ```hcl
+module "project" {
+  source          = "./fabric/modules/project"
+  name            = "cf-v1"
+  billing_account = var.billing_account_id
+  prefix          = var.prefix
+  parent          = var.folder_id
+  services = [
+    "artifactregistry.googleapis.com",
+    "cloudbuild.googleapis.com",
+    "cloudfunctions.googleapis.com",
+    "cloudkms.googleapis.com",
+    "compute.googleapis.com",
+    "storage.googleapis.com",
+  ]
+  iam = {
+    # grant compute default service account that is used by Cloud Founction
+    # permission to read from the buckets so it can function sources
+    "roles/storage.objectViewer" = [
+      "serviceAccount:${module.project.default_service_accounts.compute}"
+    ]
+  }
+}
+
 module "kms" {
   source     = "./fabric/modules/kms"
-  project_id = var.project_id
+  project_id = module.project.project_id
   keyring = {
     location = var.regions.secondary
-    name     = "function-cmek"
+    name     = "keyring"
   }
   keys = {
-    "key" = {}
+    "key-regional" = {
+    }
   }
   iam = {
     "roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
-      "serviceAccount:service-${var.project_number}@gcf-admin-robot.iam.gserviceaccount.com",
-      "serviceAccount:service-${var.project_number}@gcp-sa-artifactregistry.iam.gserviceaccount.com",
-      "serviceAccount:service-${var.project_number}@gs-project-accounts.iam.gserviceaccount.com",
+      module.project.service_agents["artifactregistry"].iam_email,
+      module.project.service_agents["cloudfunctions"].iam_email,
+      module.project.service_agents["storage"].iam_email,
     ]
   }
 }
 
 module "artifact-registry" {
   source         = "./fabric/modules/artifact-registry"
-  project_id     = var.project_id
+  project_id     = module.project.project_id
   location       = var.regions.secondary
   name           = "registry"
   format         = { docker = { standard = {} } }
-  encryption_key = module.kms.key_ids["key"]
-  depends_on = [
-    module.kms
-  ]
+  encryption_key = module.kms.key_ids["key-regional"]
+  iam = {
+    "roles/artifactregistry.createOnPushWriter" = [
+      # grant compute default service account that is used by Cloud Build
+      # permission to push compiled container into Artifact Registry
+      "serviceAccount:${module.project.default_service_accounts.compute}",
+    ]
+  }
 }
 
 module "cf-http" {
   source      = "./fabric/modules/cloud-function-v1"
-  project_id  = var.project_id
+  project_id  = module.project.project_id
   region      = var.regions.secondary
   name        = "test-cf-http"
   bucket_name = var.bucket
   bundle_config = {
     path = "assets/sample-function/"
   }
-  kms_key = module.kms.key_ids["key"]
+  kms_key = module.kms.key_ids["key-regional"]
   repository_settings = {
     repository = module.artifact-registry.id
   }
 }
-# tftest modules=3 resources=9 fixtures=fixtures/functions-default-sa-iam-grants.tf e2e
+# tftest modules=4 resources=25
 ```
 <!-- BEGIN TFDOC -->
 ## Variables