
Merge pull request #1870 from GoogleCloudPlatform/wiktorn-cloudrun-vp…
…c-connector

* End to end tests for Cloud Run
* fix reporting non-empty plan after apply in E2E tests
* fix non-empty plan in Cloud Run in subnet and annotations

Closes: #1867
wiktorn authored Nov 18, 2023
2 parents 1f344b6 + 9577ac5 commit c642c13
Showing 14 changed files with 242 additions and 221 deletions.
171 changes: 103 additions & 68 deletions modules/cloud-run/README.md

Large diffs are not rendered by default.

29 changes: 22 additions & 7 deletions modules/cloud-run/main.tf
Expand Up @@ -17,9 +17,19 @@
locals {
_vpcaccess_annotation = (
local.vpc_connector_create
? {
? merge({
"run.googleapis.com/vpc-access-connector" = google_vpc_access_connector.connector.0.id
}
},
var.revision_annotations.vpcaccess_egress == null ? {
# if creating a vpc connector and no explicit annotation is given,
# add "private-ranges-only" annotation to prevent permanent diff
"run.googleapis.com/vpc-access-egress" = "private-ranges-only"
} : {
"run.googleapis.com/vpc-access-egress" = (
var.revision_annotations.vpcaccess_egress
)
},
)
: (
var.revision_annotations.vpcaccess_connector == null
? {}
Expand Down Expand Up @@ -82,8 +92,10 @@ locals {
trigger_sa_create = try(
var.eventarc_triggers.service_account_create, false
)
trigger_sa_email = try(
google_service_account.trigger_service_account[0].email, null
trigger_sa_email = (
local.trigger_sa_create ?
google_service_account.trigger_service_account[0].email
: try(var.eventarc_triggers.service_account_email, null)
)
vpc_connector_create = var.vpc_connector_create != null
}
Expand All @@ -104,9 +116,12 @@ resource "google_vpc_access_connector" "connector" {
max_throughput = var.vpc_connector_create.throughput.max
min_instances = var.vpc_connector_create.instances.min
min_throughput = var.vpc_connector_create.throughput.min
subnet {
name = var.vpc_connector_create.subnet.name
project_id = var.vpc_connector_create.subnet.project_id
dynamic "subnet" {
for_each = alltrue([for k, v in var.vpc_connector_create.subnet : (v == null)]) ? [] : [""]
content {
name = var.vpc_connector_create.subnet.name
project_id = var.vpc_connector_create.subnet.project_id
}
}
}

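Review bot: The `"run.googleapis.com/vpc-access-egress" = "private-ranges-only"` default added in the first hunk is a routing decision with security consequences — only traffic to private ranges is sent through the connector, every other request leaves Cloud Run directly — and the comment above it only gives the diff-suppression motive, so a caller who creates a connector precisely to force all egress through the VPC (firewall, NAT, egress logging) will not realise they must set `revision_annotations.vpcaccess_egress = "all-traffic"` themselves. I would extend the comment to `# "private-ranges-only" presumably matches what the API applies when the annotation is absent; set revision_annotations.vpcaccess_egress = "all-traffic" to route all egress through the VPC` and state the same in the variable description. In the third hunk, `for k, v in var.vpc_connector_create.subnet` will fail with an iteration-over-null error if `subnet` can itself be null rather than an object whose attributes are null; if the variable type allows that (I cannot see its definition), `for k, v in try(var.vpc_connector_create.subnet, {})` keeps the `[]`/`[""]` selection intact. Both the `locals` block and the `google_vpc_access_connector` resource continue outside these hunks.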
8 changes: 8 additions & 0 deletions modules/cloud-run/variables.tf
Expand Up @@ -100,6 +100,14 @@ variable "eventarc_triggers" {
service_account_create = optional(bool, false)
})
default = {}
validation {
condition = (
var.eventarc_triggers.service_account_email == null && length(var.eventarc_triggers.audit_log) == 0
) || (
var.eventarc_triggers.service_account_email != null
)
error_message = "service_account_email is required if providing audit_log"
}
}

variable "gen2_execution_environment" {
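Review bot: The new validation block rejects a configuration the module itself supports: with `service_account_create = true` (the `optional(bool, false)` attribute just above the block) and `service_account_email` left null, any `audit_log` entry is refused, although the `trigger_sa_email` local in main.tf resolves to the created account in exactly that case. The condition also reduces to "email set, or no audit_log"; I would write it as `condition = (var.eventarc_triggers.service_account_email != null || var.eventarc_triggers.service_account_create || length(var.eventarc_triggers.audit_log) == 0)` with `error_message = "service_account_email (or service_account_create = true) is required when audit_log triggers are defined"`. If excluding the create path for audit-log triggers is deliberate — for instance because the created account is not granted the role the audit-log trigger needs, which I cannot confirm from here — the error message should say so rather than only mention the email. The `variable "eventarc_triggers"` block starts outside the hunk.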
3 changes: 3 additions & 0 deletions tests/examples_e2e/setup_module/main.tf
Expand Up @@ -26,12 +26,15 @@ locals {
"cloudkms.googleapis.com",
"cloudresourcemanager.googleapis.com",
"compute.googleapis.com",
"eventarc.googleapis.com",
"iam.googleapis.com",
"run.googleapis.com",
"secretmanager.googleapis.com",
"serviceusage.googleapis.com",
"stackdriver.googleapis.com",
"storage-component.googleapis.com",
"storage.googleapis.com",
"vpcaccess.googleapis.com",
]
}

10 changes: 5 additions & 5 deletions tests/fixtures.py
Expand Up @@ -307,20 +307,20 @@ def e2e_validator(module_path, extra_files, tf_var_files, basedir=None):
changes = {}
for resource_name, value in plan.resource_changes.items():
if value.get('change', {}).get('actions') != ['no-op']:
changes[resource_name] = value
changes[resource_name] = value['change']

# compare before with after to raise more meaningful failure to the user, i.e one
# that shows how resource will change
plan_before_state = {k: v['before'] for k, v in changes.items()}
plan_after_state = {k: v['after'] for k, v in changes.items()}
plan_before_state = {k: v.get('before') for k, v in changes.items()}
plan_after_state = {k: v.get('after') for k, v in changes.items()}

assert plan_before_state == plan_after_state, f'Plan not empty after apply for values'

plan_before_sensitive_state = {
k: v['before_sensitive'] for k, v in changes.items()
k: v.get('before_sensitive') for k, v in changes.items()
}
plan_after_sensitive_state = {
k: v['after_sensitive'] for k, v in changes.items()
k: v.get('after_sensitive') for k, v in changes.items()
}
assert plan_before_sensitive_state == plan_after_sensitive_state, f'Plan not empty after apply for sensitive values'

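Review bot: Switching the `before`/`after` lookups to `.get()` lets the non-empty-plan check pass silently for any entry in `changes` whose change record lacks those keys: both sides become `None`, compare equal, and the non-`no-op` action that put the resource into `changes` in the first place is never reported; the same applies to the `before_sensitive`/`after_sensitive` pair. Since the loop already knows which resources carry a non-`no-op` action, the before/after comparisons should remain the diagnostic and the hard check should be on `changes` itself, e.g. `assert not changes, f'Plan not empty after apply: {sorted(changes)}'` after the two comparisons — unless such an assertion already exists further down in `e2e_validator`, whose body continues outside the hunk. As a point of style, the two existing `f'Plan not empty after apply ...'` messages contain no placeholders and can drop the `f` prefix.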
32 changes: 30 additions & 2 deletions tests/modules/cloud_run/examples/audit-logs.yaml
Expand Up @@ -13,7 +13,23 @@
# limitations under the License.

values:
module.cloud_run.google_cloud_run_service.service: {}
module.cloud_run.google_cloud_run_service.service:
name: hello
project: project-id
template:
- spec:
- containers:
- image: us-docker.pkg.dev/cloudrun/container/hello

module.cloud_run.google_cloud_run_service_iam_binding.binding["roles/run.invoker"]:
condition: []
location: europe-west1
members:
- serviceAccount:[email protected]
project: project-id
role: roles/run.invoker
service: hello

module.cloud_run.google_eventarc_trigger.audit_log_triggers["setiampolicy"]:
destination:
- cloud_function: null
Expand All @@ -35,8 +51,20 @@ values:
operator: ''
value: google.cloud.audit.log.v1.written
name: audit-log-setiampolicy
project: my-project
project: project-id

module.sa.google_project_iam_member.project-roles["project-id-roles/eventarc.eventReceiver"]:
condition: []
project: project-id
role: roles/eventarc.eventReceiver

module.sa.google_service_account.service_account[0]:
account_id: eventarc-trigger
project: project-id

counts:
google_cloud_run_service: 1
google_cloud_run_service_iam_binding: 1
google_eventarc_trigger: 1
google_project_iam_member: 1
google_service_account: 1
7 changes: 3 additions & 4 deletions tests/modules/cloud_run/examples/connector.yaml
Expand Up @@ -35,16 +35,15 @@ values:
working_dir: null
volumes: []
module.cloud_run.google_vpc_access_connector.connector[0]:
ip_cidr_range: 10.10.10.0/24
ip_cidr_range: 10.10.10.0/28
machine_type: e2-micro
max_throughput: 300
min_throughput: 200
name: hello
network: projects/example/host/global/networks/host
network: projects/xxx/global/networks/aaa
project: project-id
region: europe-west1
subnet:
- name: null
subnet: []

counts:
google_cloud_run_service: 1
39 changes: 16 additions & 23 deletions tests/modules/cloud_run/examples/eventarc.yaml
Expand Up @@ -13,7 +13,13 @@
# limitations under the License.

values:
module.cloud_run.google_cloud_run_service.service: {}
module.cloud_run.google_cloud_run_service.service:
name: hello
project: project-id
template:
- spec:
- containers:
- image: us-docker.pkg.dev/cloudrun/container/hello
module.cloud_run.google_eventarc_trigger.pubsub_triggers["topic-1"]:
destination:
- cloud_function: null
Expand All @@ -29,30 +35,17 @@ values:
operator: ''
value: google.cloud.pubsub.topic.v1.messagePublished
name: pubsub-topic-1
project: my-project
project: project-id
transport:
- pubsub:
- topic: topic1
module.cloud_run.google_eventarc_trigger.pubsub_triggers["topic-2"]:
destination:
- cloud_function: null
cloud_run_service:
- path: null
region: europe-west1
service: hello
gke: []
workflow: null
location: europe-west1
matching_criteria:
- attribute: type
operator: ''
value: google.cloud.pubsub.topic.v1.messagePublished
name: pubsub-topic-2
project: my-project
transport:
- pubsub:
- topic: topic2
- topic: projects/project-id/topics/pubsub_sink

module.pubsub.google_pubsub_topic.default:
name: pubsub_sink
project: project-id


counts:
google_cloud_run_service: 1
google_eventarc_trigger: 2
google_eventarc_trigger: 1
google_pubsub_topic: 1
18 changes: 16 additions & 2 deletions tests/modules/cloud_run/examples/secrets.yaml
Expand Up @@ -41,10 +41,24 @@ values:
secret:
- default_mode: null
items:
- key: v1
- key: latest
mode: null
path: v1.txt
secret_name: credentials

module.cloud_run.google_service_account.service_account[0]:
account_id: tf-cr-hello
project: project-id

module.secret-manager.google_secret_manager_secret.default["credentials"]:
project: project-id
secret_id: credentials

module.secret-manager.google_secret_manager_secret_iam_binding.default["credentials.roles/secretmanager.secretAccessor"]:
condition: []
role: roles/secretmanager.secretAccessor

counts:
google_cloud_run_service: 1
google_secret_manager_secret: 1
google_secret_manager_secret_iam_binding: 1
google_service_account: 1
Expand Up @@ -19,7 +19,7 @@ values:
metadata:
- {}
name: hello
project: my-project
project: project-id
template:
- metadata:
- {}
Expand All @@ -33,7 +33,7 @@ values:
liveness_probe: []
volume_mounts: []
working_dir: null
service_account_name: [email protected]
service_account_name: service_account_email
volumes: []

counts:
4 changes: 2 additions & 2 deletions tests/modules/cloud_run/examples/service-account.yaml
Expand Up @@ -19,7 +19,7 @@ values:
metadata:
- {}
name: hello
project: my-project
project: project-id
template:
- metadata:
- {}
Expand All @@ -39,7 +39,7 @@ values:
description: null
disabled: false
display_name: Terraform Cloud Run hello.
project: my-project
project: project-id

counts:
google_cloud_run_service: 1
15 changes: 15 additions & 0 deletions tests/modules/cloud_run/examples/simple.yaml
Expand Up @@ -48,7 +48,22 @@ values:
project: project-id
role: roles/run.invoker
service: hello
module.cloud_run.google_service_account.service_account[0]:
account_id: tf-cr-hello
disabled: false
display_name: Terraform Cloud Run hello.
project: project-id
module.secret-manager.google_secret_manager_secret.default["credentials"]:
project: project-id
secret_id: credentials
module.secret-manager.google_secret_manager_secret_iam_binding.default["credentials.roles/secretmanager.secretAccessor"]:
condition: []
role: roles/secretmanager.secretAccessor


counts:
google_cloud_run_service: 1
google_cloud_run_service_iam_binding: 1
google_secret_manager_secret: 1
google_secret_manager_secret_iam_binding: 1
google_service_account: 1

This file was deleted.

