Add new provider google_organization_iam_audit_config.
Signed-off-by: Modular Magician <[email protected]>
1 parent
b278a0a
commit c189bb1
Showing
2 changed files
with
316 additions
and
0 deletions.
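--- a/google/resource_google_organization_iam_audit_config_test.go
+++ b/google/resource_google_organization_iam_audit_config_test.go
@@ -0,0 +1,315 @@
+package google
+
+import (
+"fmt"
+"strings"
+"testing"
+
+"github.com/hashicorp/terraform-plugin-sdk/helper/resource"
+)
+
+func organizationIamAuditConfigImportStep(resourceName, org, service string) resource.TestStep {
+return resource.TestStep{
+ResourceName: resourceName,
+ImportStateId: fmt.Sprintf("%s %s", org, service),
+ImportState: true,
+ImportStateVerify: true,
+}
+}
+
+// Test that an IAM audit config can be applied to an organization
+func TestAccOrganizationIamAuditConfig_basic(t *testing.T) {
+org := getTestOrgFromEnv(t)
+service := "cloudkms.googleapis.com"
+resource.Test(t, resource.TestCase{
+PreCheck: func() { testAccPreCheck(t) },
+Providers: testAccProviders,
+Steps: []resource.TestStep{
+// Apply an IAM audit config
+{
+Config: testAccOrganizationAssociateAuditConfigBasic(org, service),
+},
+organizationIamAuditConfigImportStep("google_organization_iam_audit_config.acceptance", org, service),
+},
+})
+}
+
+// Test that multiple IAM audit configs can be applied to an organization, one at a time
+func TestAccOrganizationIamAuditConfig_multiple(t *testing.T) {
+org := getTestOrgFromEnv(t)
+service := "cloudkms.googleapis.com"
+service2 := "cloudsql.googleapis.com"
+
+resource.Test(t, resource.TestCase{
+PreCheck: func() { testAccPreCheck(t) },
+Providers: testAccProviders,
+Steps: []resource.TestStep{
+// Apply an IAM audit config
+{
+Config: testAccOrganizationAssociateAuditConfigBasic(org, service),
+},
+// Apply another IAM audit config
+{
+Config: testAccOrganizationAssociateAuditConfigMultiple(org, service, service2),
+},
+organizationIamAuditConfigImportStep("google_organization_iam_audit_config.acceptance", org, service),
+organizationIamAuditConfigImportStep("google_organization_iam_audit_config.multiple", org, service2),
+},
+})
+}
+
+// Test that multiple IAM audit configs can be applied to an organization all at once
+func TestAccOrganizationIamAuditConfig_multipleAtOnce(t *testing.T) {
+org := getTestOrgFromEnv(t)
+service := "cloudkms.googleapis.com"
+service2 := "cloudsql.googleapis.com"
+
+resource.Test(t, resource.TestCase{
+PreCheck: func() { testAccPreCheck(t) },
+Providers: testAccProviders,
+Steps: []resource.TestStep{
+// Apply an IAM audit config
+{
+Config: testAccOrganizationAssociateAuditConfigMultiple(org, service, service2),
+},
+organizationIamAuditConfigImportStep("google_organization_iam_audit_config.acceptance", org, service),
+organizationIamAuditConfigImportStep("google_organization_iam_audit_config.multiple", org, service2),
+},
+})
+}
+
+// Test that an IAM audit config can be updated once applied to an organization
+func TestAccOrganizationIamAuditConfig_update(t *testing.T) {
+org := getTestOrgFromEnv(t)
+service := "cloudkms.googleapis.com"
+
+resource.Test(t, resource.TestCase{
+PreCheck: func() { testAccPreCheck(t) },
+Providers: testAccProviders,
+Steps: []resource.TestStep{
+// Apply an IAM audit config
+{
+Config: testAccOrganizationAssociateAuditConfigBasic(org, service),
+},
+organizationIamAuditConfigImportStep("google_organization_iam_audit_config.acceptance", org, service),
+
+// Apply an updated IAM audit config
+{
+Config: testAccOrganizationAssociateAuditConfigUpdated(org, service),
+},
+organizationIamAuditConfigImportStep("google_organization_iam_audit_config.acceptance", org, service),
+
+// Drop the original member
+{
+Config: testAccOrganizationAssociateAuditConfigDropMemberFromBasic(org, service),
+},
+organizationIamAuditConfigImportStep("google_organization_iam_audit_config.acceptance", org, service),
+},
+})
+}
+
+// Test that an IAM audit config can be removed from an organization
+func TestAccOrganizationIamAuditConfig_remove(t *testing.T) {
+org := getTestOrgFromEnv(t)
+service := "cloudkms.googleapis.com"
+service2 := "cloudsql.googleapis.com"
+
+resource.Test(t, resource.TestCase{
+PreCheck: func() { testAccPreCheck(t) },
+Providers: testAccProviders,
+Steps: []resource.TestStep{
+// Apply multiple IAM audit configs
+{
+Config: testAccOrganizationAssociateAuditConfigMultiple(org, service, service2),
+},
+organizationIamAuditConfigImportStep("google_organization_iam_audit_config.acceptance", org, service),
+organizationIamAuditConfigImportStep("google_organization_iam_audit_config.multiple", org, service2),
+
+// Remove one IAM audit config
+{
+Config: testAccOrganizationAssociateAuditConfigBasic(org, service),
+},
+organizationIamAuditConfigImportStep("google_organization_iam_audit_config.acceptance", org, service),
+},
+})
+}
+
+// Test adding exempt first exempt member
+func TestAccOrganizationIamAuditConfig_addFirstExemptMember(t *testing.T) {
+org := getTestOrgFromEnv(t)
+service := "cloudkms.googleapis.com"
+members := []string{}
+members2 := []string{"user:[email protected]"}
+
+resource.Test(t, resource.TestCase{
+PreCheck: func() { testAccPreCheck(t) },
+Providers: testAccProviders,
+Steps: []resource.TestStep{
+// Apply IAM audit config with no members
+{
+Config: testAccOrganizationAssociateAuditConfigMembers(org, service, members),
+},
+organizationIamAuditConfigImportStep("google_organization_iam_audit_config.acceptance", org, service),
+
+// Apply IAM audit config with one member
+{
+Config: testAccOrganizationAssociateAuditConfigMembers(org, service, members2),
+},
+organizationIamAuditConfigImportStep("google_organization_iam_audit_config.acceptance", org, service),
+},
+})
+}
+
+// test removing last exempt member
+func TestAccOrganizationIamAuditConfig_removeLastExemptMember(t *testing.T) {
+org := getTestOrgFromEnv(t)
+service := "cloudkms.googleapis.com"
+members := []string{"user:[email protected]"}
+members2 := []string{}
+
+resource.Test(t, resource.TestCase{
+PreCheck: func() { testAccPreCheck(t) },
+Providers: testAccProviders,
+Steps: []resource.TestStep{
+// Apply IAM audit config with member
+{
+Config: testAccOrganizationAssociateAuditConfigMembers(org, service, members),
+},
+organizationIamAuditConfigImportStep("google_organization_iam_audit_config.acceptance", org, service),
+
+// Apply IAM audit config with no members
+{
+Config: testAccOrganizationAssociateAuditConfigMembers(org, service, members2),
+},
+organizationIamAuditConfigImportStep("google_organization_iam_audit_config.acceptance", org, service),
+},
+})
+}
+
+// test changing service with no exempt members
+func TestAccOrganizationIamAuditConfig_updateNoExemptMembers(t *testing.T) {
+org := getTestOrgFromEnv(t)
+logType := "DATA_READ"
+logType2 := "DATA_WRITE"
+service := "cloudkms.googleapis.com"
+
+resource.Test(t, resource.TestCase{
+PreCheck: func() { testAccPreCheck(t) },
+Providers: testAccProviders,
+Steps: []resource.TestStep{
+// Apply IAM audit config with DATA_READ
+{
+Config: testAccOrganizationAssociateAuditConfigLogType(org, service, logType),
+},
+organizationIamAuditConfigImportStep("google_organization_iam_audit_config.acceptance", org, service),
+
+// Apply IAM audit config with DATA_WRITe
+{
+Config: testAccOrganizationAssociateAuditConfigLogType(org, service, logType2),
+},
+organizationIamAuditConfigImportStep("google_organization_iam_audit_config.acceptance", org, service),
+},
+})
+}
+
+func testAccOrganizationAssociateAuditConfigBasic(org, service string) string {
+return fmt.Sprintf(`
+resource "google_organization_iam_audit_config" "acceptance" {
+org_id = "%s"
+service = "%s"
+audit_log_config {
+log_type = "DATA_READ"
+exempted_members = [
+"user:[email protected]",
+"user:[email protected]",
+]
+}
+}
+`, org, service)
+}
+
+func testAccOrganizationAssociateAuditConfigMultiple(org, service, service2 string) string {
+return fmt.Sprintf(`
+resource "google_organization_iam_audit_config" "acceptance" {
+org_id = "%s"
+service = "%s"
+audit_log_config {
+log_type = "DATA_READ"
+exempted_members = [
+"user:[email protected]",
+"user:[email protected]",
+]
+}
+}
+resource "google_organization_iam_audit_config" "multiple" {
+org_id = "%s"
+service = "%s"
+audit_log_config {
+log_type = "DATA_WRITE"
+}
+}
+`, org, service, org, service2)
+}
+
+func testAccOrganizationAssociateAuditConfigUpdated(org, service string) string {
+return fmt.Sprintf(`
+resource "google_organization_iam_audit_config" "acceptance" {
+org_id = "%s"
+service = "%s"
+audit_log_config {
+log_type = "DATA_WRITE"
+exempted_members = [
+"user:[email protected]",
+"user:[email protected]",
+]
+}
+}
+`, org, service)
+}
+
+func testAccOrganizationAssociateAuditConfigDropMemberFromBasic(org, service string) string {
+return fmt.Sprintf(`
+resource "google_organization_iam_audit_config" "acceptance" {
+org_id = "%s"
+service = "%s"
+audit_log_config {
+log_type = "DATA_READ"
+exempted_members = [
+"user:[email protected]",
+]
+}
+}
+`, org, service)
+}
+
+func testAccOrganizationAssociateAuditConfigMembers(org, service string, members []string) string {
+var memberStr string
+if len(members) > 0 {
+for pos, member := range members {
+members[pos] = "\"" + member + "\","
+}
+memberStr = "\n exempted_members = [" + strings.Join(members, "\n") + "\n ]"
+}
+return fmt.Sprintf(`
+resource "google_organization_iam_audit_config" "acceptance" {
+org_id = "%s"
+service = "%s"
+audit_log_config {
+log_type = "DATA_READ"%s
+}
+}
+`, org, service, memberStr)
+}
+
+func testAccOrganizationAssociateAuditConfigLogType(org, service, logType string) string {
+return fmt.Sprintf(`
+resource "google_organization_iam_audit_config" "acceptance" {
+org_id = "%s"
+service = "%s"
+audit_log_config {
+log_type = "%s"
+}
+}
+`, org, service, logType)
+}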
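Review bot: None of the `resource.TestCase` values in this file sets `CheckDestroy`, so nothing confirms that the organization's audit config for `cloudkms.googleapis.com` and `cloudsql.googleapis.com` (including the `exempted_members` entries, which exempt those users from DATA_READ/DATA_WRITE audit logging) is actually removed when a test ends; because the tests act on the organization returned by `getTestOrgFromEnv`, a failed or partial destroy would leave a logging exemption in place unnoticed. Consider adding a `CheckDestroy:` function to each case that reads the organization IAM policy back and asserts no audit config remains for the tested services. Separately, `testAccOrganizationAssociateAuditConfigMembers` rewrites its `members` argument in place, so a caller that reuses the slice would get doubly quoted entries; build a copy instead, e.g. `quoted := make([]string, len(members))` with `quoted[pos] = "\"" + member + "\","`, and join `quoted`. The comment on `TestAccOrganizationIamAuditConfig_updateNoExemptMembers` says it changes the service, but its steps change `log_type`; `// Test changing log type with no exempt members` would match the code.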