Update tests to use bootstrapped crypto permissions for compute service agent (hashicorp#7617)

* Update tests to use bootstrapped crypto permissions for compute service agent

* Fix templates

* Fix one more template

Signed-off-by: Modular Magician <[email protected]>
modular-magician committed Apr 6, 2023
1 parent 036c11c commit f3431e5
Showing 7 changed files with 42 additions and 96 deletions.
3 changes: 3 additions & 0 deletions .changelog/7617.txt
@@ -0,0 +1,3 @@
```release-note:none

```
22 changes: 7 additions & 15 deletions google/resource_compute_disk_test.go
Expand Up @@ -414,13 +414,17 @@ func TestAccComputeDisk_encryptionKMS(t *testing.T) {
importID := fmt.Sprintf("%s/%s/%s", pid, "us-central1-a", diskName)
var disk compute.Disk

if BootstrapPSARole(t, "service-", "compute-system", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
t.Fatal("Stopping the test because a role was added to the policy.")
}

VcrTest(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
ProtoV5ProviderFactories: ProtoV5ProviderFactories(t),
CheckDestroy: testAccCheckComputeDiskDestroyProducer(t),
Steps: []resource.TestStep{
{
Config: testAccComputeDisk_encryptionKMS(pid, diskName, kms.CryptoKey.Name),
Config: testAccComputeDisk_encryptionKMS(diskName, kms.CryptoKey.Name),
Check: resource.ComposeTestCheckFunc(
testAccCheckComputeDiskExists(
t, "google_compute_disk.foobar", pid, &disk),
Expand Down Expand Up @@ -719,26 +723,14 @@ resource "google_compute_disk" "foobar" {
`, diskName)
}

func testAccComputeDisk_encryptionKMS(pid, diskName, kmsKey string) string {
func testAccComputeDisk_encryptionKMS(diskName, kmsKey string) string {
return fmt.Sprintf(`
data "google_project" "project" {
project_id = "%s"
}
data "google_compute_image" "my_image" {
family = "debian-11"
project = "debian-cloud"
}
resource "google_project_iam_member" "kms-project-binding" {
project = data.google_project.project.project_id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
member = "serviceAccount:service-${data.google_project.project.number}@compute-system.iam.gserviceaccount.com"
}
resource "google_compute_disk" "foobar" {
depends_on = [google_project_iam_member.kms-project-binding]
name = "%s"
image = data.google_compute_image.my_image.self_link
size = 10
Expand All @@ -749,7 +741,7 @@ resource "google_compute_disk" "foobar" {
kms_key_self_link = "%s"
}
}
`, pid, diskName, kmsKey)
`, diskName, kmsKey)
}

func testAccComputeDisk_deleteDetach(instanceName, diskName string) string {
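Review bot: The new `BootstrapPSARole` guard in TestAccComputeDisk_encryptionKMS (and the identical block added in resource_compute_instance_test.go, resource_container_cluster_test.go, resource_dataflow_job_test.go and resource_dataproc_cluster_test.go) stops the test with a message that reads like a failure but does not say why or what the operator should do. Presumably the helper returns true when it had to grant the role just now and the bail-out exists because a fresh IAM binding is not immediately effective, so a comment above the `if` would help: `// The compute service agent needs cryptoKeyEncrypterDecrypter on the bootstrapped KMS key; if the role had to be granted on this run, IAM propagation makes the run unreliable, so stop and rerun.` That comment should also note that, unlike the `google_project_iam_member` the template used to create and Terraform destroyed afterwards, the bootstrapped grant presumably persists in the test project between runs — confirm against the helper. The enclosing test function continues outside the hunk.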
28 changes: 7 additions & 21 deletions google/resource_compute_instance_test.go
Expand Up @@ -431,13 +431,17 @@ func TestAccComputeInstance_kmsDiskEncryption(t *testing.T) {
},
}

if BootstrapPSARole(t, "service-", "compute-system", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
t.Fatal("Stopping the test because a role was added to the policy.")
}

VcrTest(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
ProtoV5ProviderFactories: ProtoV5ProviderFactories(t),
CheckDestroy: testAccCheckComputeInstanceDestroyProducer(t),
Steps: []resource.TestStep{
{
Config: testAccComputeInstance_disks_kms(GetTestProjectFromEnv(), bootKmsKeyName, diskNameToEncryptionKey, instanceName, RandString(t, 10)),
Config: testAccComputeInstance_disks_kms(bootKmsKeyName, diskNameToEncryptionKey, instanceName, RandString(t, 10)),
Check: resource.ComposeTestCheckFunc(
testAccCheckComputeInstanceExists(t, "google_compute_instance.foobar", &instance),
testAccCheckComputeInstanceDiskKmsEncryptionKey("google_compute_instance.foobar", &instance, bootKmsKeyName, diskNameToEncryptionKey),
Expand Down Expand Up @@ -3759,31 +3763,19 @@ resource "google_compute_instance" "foobar" {
diskNameToEncryptionKey[diskNames[0]].RawKey)
}

func testAccComputeInstance_disks_kms(pid string, bootEncryptionKey string, diskNameToEncryptionKey map[string]*compute.CustomerEncryptionKey, instance, suffix string) string {
func testAccComputeInstance_disks_kms(bootEncryptionKey string, diskNameToEncryptionKey map[string]*compute.CustomerEncryptionKey, instance, suffix string) string {
diskNames := []string{}
for k := range diskNameToEncryptionKey {
diskNames = append(diskNames, k)
}
sort.Strings(diskNames)
return fmt.Sprintf(`
data "google_project" "project" {
project_id = "%s"
}
data "google_compute_image" "my_image" {
family = "debian-11"
project = "debian-cloud"
}
resource "google_project_iam_member" "kms-project-binding" {
project = data.google_project.project.project_id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
member = "serviceAccount:service-${data.google_project.project.number}@compute-system.iam.gserviceaccount.com"
}
resource "google_compute_disk" "foobar" {
depends_on = [google_project_iam_member.kms-project-binding]
name = "%s"
size = 10
type = "pd-ssd"
Expand All @@ -3795,8 +3787,6 @@ resource "google_compute_disk" "foobar" {
}
resource "google_compute_disk" "foobar2" {
depends_on = [google_project_iam_member.kms-project-binding]
name = "%s"
size = 10
type = "pd-ssd"
Expand All @@ -3808,8 +3798,6 @@ resource "google_compute_disk" "foobar2" {
}
resource "google_compute_disk" "foobar3" {
depends_on = [google_project_iam_member.kms-project-binding]
name = "%s"
size = 10
type = "pd-ssd"
Expand All @@ -3828,8 +3816,6 @@ resource "google_compute_disk" "foobar4" {
}
resource "google_compute_instance" "foobar" {
depends_on = [google_project_iam_member.kms-project-binding]
name = "%s"
machine_type = "e2-medium"
zone = "us-central1-a"
Expand Down Expand Up @@ -3867,7 +3853,7 @@ resource "google_compute_instance" "foobar" {
foo = "bar"
}
}
`, pid, diskNames[0], diskNameToEncryptionKey[diskNames[0]].KmsKeyName,
`, diskNames[0], diskNameToEncryptionKey[diskNames[0]].KmsKeyName,
diskNames[1], diskNameToEncryptionKey[diskNames[1]].KmsKeyName,
diskNames[2], diskNameToEncryptionKey[diskNames[2]].KmsKeyName,
"tf-testd-"+suffix,
40 changes: 14 additions & 26 deletions google/resource_container_cluster_test.go
Expand Up @@ -1231,13 +1231,17 @@ func TestAccContainerCluster_withBootDiskKmsKey(t *testing.T) {
clusterName := fmt.Sprintf("tf-test-cluster-%s", RandString(t, 10))
kms := BootstrapKMSKeyInLocation(t, "us-central1")

if BootstrapPSARole(t, "service-", "compute-system", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
t.Fatal("Stopping the test because a role was added to the policy.")
}

VcrTest(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
ProtoV5ProviderFactories: ProtoV5ProviderFactories(t),
CheckDestroy: testAccCheckContainerClusterDestroyProducer(t),
Steps: []resource.TestStep{
{
Config: testAccContainerCluster_withBootDiskKmsKey(GetTestProjectFromEnv(), clusterName, kms.CryptoKey.Name),
Config: testAccContainerCluster_withBootDiskKmsKey(clusterName, kms.CryptoKey.Name),
},
{
ResourceName: "google_container_cluster.with_boot_disk_kms_key",
Expand Down Expand Up @@ -2547,13 +2551,17 @@ func TestAccContainerCluster_nodeAutoprovisioningDefaultsBootDiskKmsKey(t *testi
clusterName := fmt.Sprintf("tf-test-cluster-%s", RandString(t, 10))
kms := BootstrapKMSKeyInLocation(t, "us-central1")

if BootstrapPSARole(t, "service-", "compute-system", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
t.Fatal("Stopping the test because a role was added to the policy.")
}

VcrTest(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
ProtoV5ProviderFactories: ProtoV5ProviderFactories(t),
CheckDestroy: testAccCheckContainerClusterDestroyProducer(t),
Steps: []resource.TestStep{
{
Config: testAccContainerCluster_autoprovisioningDefaultsBootDiskKmsKey(GetTestProjectFromEnv(), clusterName, kms.CryptoKey.Name),
Config: testAccContainerCluster_autoprovisioningDefaultsBootDiskKmsKey(clusterName, kms.CryptoKey.Name),
},
{
ResourceName: "google_container_cluster.nap_boot_disk_kms_key",
Expand Down Expand Up @@ -4398,18 +4406,8 @@ resource "google_container_cluster" "with_workload_metadata_config" {
`, clusterName)
}

func testAccContainerCluster_withBootDiskKmsKey(project, clusterName, kmsKeyName string) string {
func testAccContainerCluster_withBootDiskKmsKey(clusterName, kmsKeyName string) string {
return fmt.Sprintf(`
data "google_project" "project" {
project_id = "%s"
}
resource "google_project_iam_member" "kms-project-binding" {
project = data.google_project.project.project_id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
member = "serviceAccount:service-${data.google_project.project.number}@compute-system.iam.gserviceaccount.com"
}
resource "google_container_cluster" "with_boot_disk_kms_key" {
name = "%s"
location = "us-central1-a"
Expand All @@ -4427,7 +4425,7 @@ resource "google_container_cluster" "with_boot_disk_kms_key" {
boot_disk_kms_key = "%s"
}
}
`, project, clusterName, kmsKeyName)
`, clusterName, kmsKeyName)
}

func testAccContainerCluster_networkRef(cluster, network string) string {
Expand Down Expand Up @@ -4928,18 +4926,8 @@ resource "google_container_cluster" "with_autoprovisioning" {
}`, cluster, imageTypeCfg)
}

func testAccContainerCluster_autoprovisioningDefaultsBootDiskKmsKey(project, clusterName, kmsKeyName string) string {
func testAccContainerCluster_autoprovisioningDefaultsBootDiskKmsKey(clusterName, kmsKeyName string) string {
return fmt.Sprintf(`
data "google_project" "project" {
project_id = "%s"
}
resource "google_project_iam_member" "kms-project-binding" {
project = data.google_project.project.project_id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
member = "serviceAccount:service-${data.google_project.project.number}@compute-system.iam.gserviceaccount.com"
}
resource "google_container_cluster" "nap_boot_disk_kms_key" {
name = "%s"
location = "us-central1-a"
Expand All @@ -4962,7 +4950,7 @@ resource "google_container_cluster" "nap_boot_disk_kms_key" {
}
}
}
`, project, clusterName, kmsKeyName)
`, clusterName, kmsKeyName)
}

func testAccContainerCluster_autoprovisioningDefaultsShieldedInstance(cluster string) string {
10 changes: 4 additions & 6 deletions google/resource_dataflow_job_test.go
Expand Up @@ -292,6 +292,10 @@ func TestAccDataflowJob_withKmsKey(t *testing.T) {
job := "tf-test-dataflow-job-" + randStr
zone := "us-central1-f"

if BootstrapPSARole(t, "service-", "compute-system", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
t.Fatal("Stopping the test because a role was added to the policy.")
}

VcrTest(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
ProtoV5ProviderFactories: ProtoV5ProviderFactories(t),
Expand Down Expand Up @@ -973,12 +977,6 @@ resource "google_project_iam_member" "kms-project-dataflow-binding" {
member = "serviceAccount:service-${data.google_project.project.number}@dataflow-service-producer-prod.iam.gserviceaccount.com"
}
resource "google_project_iam_member" "kms-project-compute-binding" {
project = data.google_project.project.project_id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
member = "serviceAccount:service-${data.google_project.project.number}@compute-system.iam.gserviceaccount.com"
}
resource "google_kms_key_ring" "keyring" {
name = "%s"
location = "global"
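Review bot: The template hunk removes `google_project_iam_member.kms-project-compute-binding` but does not show the `google_dataflow_job` resource that follows; the other templates in this commit also had to drop a `depends_on` pointing at the removed binding, so if the job resource here still references `google_project_iam_member.kms-project-compute-binding` the config now names an undefined resource — confirm that no reference remains. The `kms-project-dataflow-binding` and `data "google_project"` block are kept, so this test now grants the Dataflow service agent's KMS role through Terraform while the compute service agent's role comes from `BootstrapPSARole`; a one-line comment near the kept binding saying that the compute role is bootstrapped out of band would stop a future reader from re-adding it. The enclosing template function starts and ends outside the hunk.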
23 changes: 7 additions & 16 deletions google/resource_dataproc_cluster_test.go
Expand Up @@ -859,7 +859,10 @@ func TestAccDataprocCluster_KMS(t *testing.T) {

rnd := RandString(t, 10)
kms := BootstrapKMSKey(t)
pid := GetTestProjectFromEnv()

if BootstrapPSARole(t, "service-", "compute-system", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
t.Fatal("Stopping the test because a role was added to the policy.")
}

var cluster dataproc.Cluster
VcrTest(t, resource.TestCase{
Expand All @@ -868,7 +871,7 @@ func TestAccDataprocCluster_KMS(t *testing.T) {
CheckDestroy: testAccCheckDataprocClusterDestroy(t),
Steps: []resource.TestStep{
{
Config: testAccDataprocCluster_KMS(pid, rnd, kms.CryptoKey.Name),
Config: testAccDataprocCluster_KMS(rnd, kms.CryptoKey.Name),
Check: resource.ComposeTestCheckFunc(
testAccCheckDataprocClusterExists(t, "google_dataproc_cluster.kms", &cluster),
),
Expand Down Expand Up @@ -2043,21 +2046,9 @@ resource "google_dataproc_cluster" "with_net_ref_by_url" {
`, netName, rnd, rnd, rnd)
}

func testAccDataprocCluster_KMS(pid, rnd, kmsKey string) string {
func testAccDataprocCluster_KMS(rnd, kmsKey string) string {
return fmt.Sprintf(`
data "google_project" "project" {
project_id = "%s"
}
resource "google_project_iam_member" "kms-project-binding" {
project = data.google_project.project.project_id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
member = "serviceAccount:service-${data.google_project.project.number}@compute-system.iam.gserviceaccount.com"
}
resource "google_dataproc_cluster" "kms" {
depends_on = [google_project_iam_member.kms-project-binding]
name = "tf-test-dproc-%s"
region = "us-central1"
Expand All @@ -2067,7 +2058,7 @@ resource "google_dataproc_cluster" "kms" {
}
}
}
`, pid, rnd, kmsKey)
`, rnd, kmsKey)
}

func testAccDataprocCluster_withKerberos(rnd, kmsKey string) string {
12 changes: 0 additions & 12 deletions website/docs/r/compute_machine_image.html.markdown
Expand Up @@ -95,7 +95,6 @@ resource "google_compute_machine_image" "image" {
machine_image_encryption_key {
kms_key_name = google_kms_crypto_key.crypto_key.id
}
depends_on = [google_project_iam_member.kms-project-binding]
}
resource "google_kms_crypto_key" "crypto_key" {
Expand All @@ -109,17 +108,6 @@ resource "google_kms_key_ring" "key_ring" {
name = "keyring"
location = "us"
}
data "google_project" "project" {
provider = google-beta
}
resource "google_project_iam_member" "kms-project-binding" {
provider = google-beta
project = data.google_project.project.project_id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
member = "serviceAccount:service-${data.google_project.project.number}@compute-system.iam.gserviceaccount.com"
}
```

## Argument Reference
