Examples and E2e testing for folder module #1876

Merged
merged 5 commits into from
Nov 22, 2023
105 changes: 79 additions & 26 deletions modules/folder/README.md
Expand Up @@ -21,26 +21,26 @@ This module allows the creation and management of folders, including support for
```hcl
module "folder" {
source = "./fabric/modules/folder"
parent = "organizations/1234567890"
parent = var.folder_id
name = "Folder name"
group_iam = {
"[email protected]" = [
"${var.group_email}" = [
"roles/owner",
"roles/resourcemanager.folderAdmin",
"roles/resourcemanager.projectCreator"
]
}
iam = {
"roles/owner" = ["user:[email protected]"]
"roles/owner" = ["serviceAccount:${var.service_account.email}"]
}
iam_bindings_additive = {
am1-storage-admin = {
member = "user:[email protected]"
member = "serviceAccount:${var.service_account.email}"
role = "roles/storage.admin"
}
}
}
# tftest modules=1 resources=5 inventory=iam.yaml
# tftest modules=1 resources=5 inventory=iam.yaml e2e
```

## IAM
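Review bot: `"${var.group_email}"` as the `group_iam` map key is an interpolation-only string; the idiomatic form for an expression key is `(var.group_email) = [...]`, which also avoids the deprecation warning Terraform emits for interpolation-only expressions. Worth flagging as well: with `e2e` on this tftest line the example is applied for real, and the test service account receives `roles/owner` plus `roles/storage.admin` on the folder, so the folder behind `var.folder_id` should be dedicated to tests and the harness has to supply `var.folder_id`, `var.group_email` and `var.service_account`.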
Expand All @@ -62,7 +62,7 @@ To manage organization policies, the `orgpolicy.googleapis.com` service should b
```hcl
module "folder" {
source = "./fabric/modules/folder"
parent = "organizations/1234567890"
parent = var.folder_id
name = "Folder name"
org_policies = {
"compute.disableGuestAttributesAccess" = {
Expand Down Expand Up @@ -109,12 +109,67 @@ module "folder" {
}
}
}
# tftest modules=1 resources=8 inventory=org-policies.yaml
# tftest modules=1 resources=8 inventory=org-policies.yaml e2e
```

### Organization Policy Factory

See the [organization policy factory in the project module](../project#organization-policy-factory).
Organization policies can be loaded from a directory containing YAML files where each file defines one or more constraints. The structure of the YAML files is exactly the same as the org_policies variable.

Note that constraints defined via org_policies take precedence over those in org_policies_data_path. In other words, if you specify the same constraint in a YAML file and in the org_policies variable, the latter will take priority.

The example below deploys a few organization policies split between two YAML files.

```hcl
module "folder" {
source = "./fabric/modules/folder"
parent = var.folder_id
name = "Folder name"
org_policies_data_path = "configs/org-policies/"
}
# tftest modules=1 resources=8 files=boolean,list inventory=org-policies.yaml e2e
```

```yaml
# tftest-file id=boolean path=configs/org-policies/boolean.yaml
compute.disableGuestAttributesAccess:
rules:
- enforce: true
compute.skipDefaultNetworkCreation:
rules:
- enforce: true
iam.disableServiceAccountKeyCreation:
rules:
- enforce: true
iam.disableServiceAccountKeyUpload:
rules:
- condition:
description: test condition
expression: resource.matchTagId('tagKeys/1234', 'tagValues/1234')
location: somewhere
title: condition
enforce: true
- enforce: false
```

```yaml
# tftest-file id=list path=configs/org-policies/list.yaml
compute.trustedImageProjects:
rules:
- allow:
values:
- projects/my-project
compute.vmExternalIpAccess:
rules:
- deny:
all: true
iam.allowedPolicyMemberDomains:
rules:
- allow:
values:
- C0xxxxxxx
- C0yyyyyyy
```

## Hierarchical Firewall Policy Attachments

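Review bot: the values in list.yaml are placeholders, and the `e2e` marker on the factory example applies them to a real folder: `iam.allowedPolicyMemberDomains` restricted to `C0xxxxxxx`/`C0yyyyyyy` would reject every new IAM binding in the test folder subtree (including the bindings the IAM example above creates on the same folder), and `compute.trustedImageProjects` pins `projects/my-project`. Either source these from variables like the rest of the examples or drop `e2e` from this tftest line and keep the factory example plan-only. Minor: `org_policies` and `org_policies_data_path` in the new prose should be in backticks, consistent with `orgpolicy.googleapis.com` above.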
Expand All @@ -133,50 +188,49 @@ module "firewall-policy" {

module "folder" {
source = "./fabric/modules/folder"
parent = "organizations/1234567890"
parent = var.folder_id
name = "Folder name"
# attachment via the organization module
firewall_policy = {
name = "test-1"
policy = module.firewall-policy.id
}
}
# tftest modules=2 resources=3
# tftest modules=2 resources=3 e2e
```

## Log Sinks

```hcl
module "gcs" {
source = "./fabric/modules/gcs"
project_id = "my-project"
project_id = var.project_id
name = "gcs_sink"
force_destroy = true
}

module "dataset" {
source = "./fabric/modules/bigquery-dataset"
project_id = "my-project"
project_id = var.project_id
id = "bq_sink"
}

module "pubsub" {
source = "./fabric/modules/pubsub"
project_id = "my-project"
project_id = var.project_id
name = "pubsub_sink"
}

module "bucket" {
source = "./fabric/modules/logging-bucket"
parent_type = "project"
parent = "my-project"
parent = var.project_id
id = "bucket"
}

module "folder-sink" {
source = "./fabric/modules/folder"
parent = "folders/657104291943"
name = "my-folder"
name = "Folder name"
parent = var.folder_id
logging_sinks = {
warnings = {
destination = module.gcs.id
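Review bot: the `# attachment via the organization module` comment inside the folder module's `firewall_policy` block is wrong for this example (the attachment is done via the folder module); since the surrounding lines are being touched, fix the comment. For the log sinks example, `force_destroy = true` on the gcs module makes e2e teardown work, but nothing equivalent is visible for the bigquery-dataset module; confirm `terraform destroy` still succeeds once the sink has created tables in `bq_sink`, or the e2e run will leak resources.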
Expand Down Expand Up @@ -206,7 +260,7 @@ module "folder-sink" {
no-gce-instances = "resource.type=gce_instance"
}
}
# tftest modules=5 resources=14 inventory=logging.yaml
# tftest modules=5 resources=14 inventory=logging.yaml e2e
```

## Data Access Logs
Expand All @@ -218,20 +272,20 @@ This example shows how to set a non-authoritative access log configuration:
```hcl
module "folder" {
source = "./fabric/modules/folder"
parent = "folders/657104291943"
name = "my-folder"
parent = var.folder_id
name = "Folder name"
logging_data_access = {
allServices = {
# logs for principals listed here will be excluded
ADMIN_READ = ["group:[email protected]"]
ADMIN_READ = ["group:${var.group_email}"]
}
"storage.googleapis.com" = {
DATA_READ = []
DATA_WRITE = []
}
}
}
# tftest modules=1 resources=3 inventory=logging-data-access.yaml
# tftest modules=1 resources=3 inventory=logging-data-access.yaml e2e
```

## Tags
Expand All @@ -256,14 +310,13 @@ module "org" {

module "folder" {
source = "./fabric/modules/folder"
name = "Test"
parent = module.org.organization_id
name = "Folder name"
parent = var.folder_id
tag_bindings = {
env-prod = module.org.tag_values["environment/prod"].id
foo = "tagValues/12345678"
}
}
# tftest modules=2 resources=6 inventory=tags.yaml
# tftest modules=2 resources=5 inventory=tags.yaml e2e
```

<!-- TFDOC OPTS files:1 -->
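Review bot: `foo = "tagValues/12345678"` is a hardcoded placeholder that stays in the example while `e2e` is added to the tftest line; applying it against a real folder will fail because that tag value does not exist in the test environment. Use a second value from `module.org.tag_values` or drop the binding. The resource count also moves from 6 to 5 although every resource visible in this hunk is unchanged; a short note in the PR on which resource went away would help reviewers.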
12 changes: 6 additions & 6 deletions tests/modules/folder/examples/iam.yaml
Expand Up @@ -15,27 +15,27 @@
values:
module.folder.google_folder.folder[0]:
display_name: Folder name
parent: organizations/1234567890
parent: folders/1122334455
timeouts: null
module.folder.google_folder_iam_binding.authoritative["roles/owner"]:
condition: []
members:
- group:cloud-owners@example.org
- user:[email protected]
- group:organization-admins@example.org
- serviceAccount:service_account_email
role: roles/owner
module.folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]:
condition: []
members:
- group:cloud-owners@example.org
- group:organization-admins@example.org
role: roles/resourcemanager.folderAdmin
module.folder.google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]:
condition: []
members:
- group:cloud-owners@example.org
- group:organization-admins@example.org
role: roles/resourcemanager.projectCreator
module.folder.google_folder_iam_member.bindings["am1-storage-admin"]:
condition: []
member: user:[email protected]
member: serviceAccount:service_account_email
role: roles/storage.admin

counts:
4 changes: 2 additions & 2 deletions tests/modules/folder/examples/logging-data-access.yaml
Expand Up @@ -14,8 +14,8 @@

values:
module.folder.google_folder.folder[0]:
display_name: my-folder
parent: folders/657104291943
display_name: Folder name
parent: folders/1122334455
timeouts: null
module.folder.google_folder_iam_audit_config.default["allServices"]:
audit_log_config:
4 changes: 2 additions & 2 deletions tests/modules/folder/examples/logging.yaml
Expand Up @@ -16,8 +16,8 @@ values:
module.folder-sink.google_bigquery_dataset_iam_member.bq-sinks-binding["info"]:
role: roles/bigquery.dataEditor
module.folder-sink.google_folder.folder[0]:
display_name: my-folder
parent: folders/657104291943
display_name: Folder name
parent: folders/1122334455
module.folder-sink.google_logging_folder_exclusion.logging-exclusion["no-gce-instances"]:
description: no-gce-instances (Terraform-managed).
filter: resource.type=gce_instance
2 changes: 1 addition & 1 deletion tests/modules/folder/examples/org-policies.yaml
Expand Up @@ -15,7 +15,7 @@
values:
module.folder.google_folder.folder[0]:
display_name: Folder name
parent: organizations/1234567890
parent: folders/1122334455
module.folder.google_org_policy_policy.default["compute.disableGuestAttributesAccess"]:
spec:
- inherit_from_parent: null
6 changes: 3 additions & 3 deletions tests/modules/folder/examples/tags.yaml
Expand Up @@ -16,13 +16,13 @@
tests/examples/test_plan.py::test_example[modules/folder:Tags] values:
module.folder.google_folder.folder[0]:
display_name: Test
parent: organizations/1122334455
parent: folders/1122334455
module.folder.google_tags_tag_binding.binding["env-prod"]: {}
module.folder.google_tags_tag_binding.binding["foo"]:
tag_value: tagValues/12345678
module.org.google_tags_tag_key.default["environment"]:
description: Environment specification.
parent: organizations/1122334455
parent: folders/1122334455
purpose: null
purpose_data: null
short_name: environment
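Review bot: `display_name: Test` is left unchanged in this inventory while the README example now sets `name = "Folder name"`, so the plan no longer matches and the example test should fail; update it like the other inventories in this PR. Also `parent: folders/1122334455` on `module.org.google_tags_tag_key.default["environment"]` looks wrong: as far as I know a tag key can only be parented by an organization or a project, so even if the plan test passes this value would be rejected at apply time in the e2e run.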
Expand All @@ -36,6 +36,6 @@ tests/examples/test_plan.py::test_example[modules/folder:Tags] values:

counts:
google_folder: 1
google_tags_tag_binding: 2
google_tags_tag_binding: 1
google_tags_tag_key: 1
google_tags_tag_value: 2
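Review bot: `google_tags_tag_binding: 1` contradicts the values section of this same file, which still lists both `binding["env-prod"]` and `binding["foo"]`, and the README example keeps both bindings. Either the `foo` binding was removed somewhere not shown in this diff and its values entry should go too, or the count should stay at 2.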