Update CAI example (#274)
* Add Asset Inventory API to project module * Create feed from terraform in CAI example * Fix tests * Sort services Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
parent
37b19ec330
commit
0ce81743f2
|
@ -33,7 +33,6 @@ Clone this repository or [open it in cloud shell](https://ssh.cloud.google.com/c
|
||||||
|
|
||||||
- `terraform init`
|
- `terraform init`
|
||||||
- `terraform apply -var project_id=my-project-id`
|
- `terraform apply -var project_id=my-project-id`
|
||||||
- copy and paste the `feed_create` output in the console then run it to create the feed
|
|
||||||
|
|
||||||
Once done testing, you can clean up resources by running `terraform destroy`. To persist state, check out the `backend.tf.sample` file.
|
Once done testing, you can clean up resources by running `terraform destroy`. To persist state, check out the `backend.tf.sample` file.
|
||||||
|
|
||||||
|
@ -41,7 +40,6 @@ Once done testing, you can clean up resources by running `terraform destroy`. To
|
||||||
|
|
||||||
The terraform outputs generate preset `gcloud` commands that you can copy and run in the console, to complete configuration and test the example:
|
The terraform outputs generate preset `gcloud` commands that you can copy and run in the console, to complete configuration and test the example:
|
||||||
|
|
||||||
- `feed_create` is run once to create the feed, as there's currently no Terraform resource available for Cloud Asset feeds
|
|
||||||
- `subscription_pull` shows messages in the PubSub queue, to check feed message format if the Cloud Function is disabled
|
- `subscription_pull` shows messages in the PubSub queue, to check feed message format if the Cloud Function is disabled
|
||||||
- `cf_logs` shows Cloud Function logs to check that remediation works
|
- `cf_logs` shows Cloud Function logs to check that remediation works
|
||||||
- `tag_add` adds a non-compliant tag to the test instance, and triggers the Cloud Function remediation process
|
- `tag_add` adds a non-compliant tag to the test instance, and triggers the Cloud Function remediation process
|
||||||
|
@ -70,7 +68,6 @@ Run the `subscription_pull` command until it returns nothing, then run the follo
|
||||||
| name | description | sensitive |
|
| name | description | sensitive |
|
||||||
|---|---|:---:|
|
|---|---|:---:|
|
||||||
| cf_logs | Cloud Function logs read command. | |
|
| cf_logs | Cloud Function logs read command. | |
|
||||||
| feed_create | Feed gcloud command. | |
|
|
||||||
| subscription_pull | Subscription pull command. | |
|
| subscription_pull | Subscription pull command. | |
|
||||||
| tag_add | Instance add tag command. | |
|
| tag_add | Instance add tag command. | |
|
||||||
| tag_show | Instance add tag command. | |
|
| tag_show | Instance add tag command. | |
|
||||||
|
|
|
@ -25,8 +25,9 @@ module "project" {
|
||||||
project_create = var.project_create
|
project_create = var.project_create
|
||||||
services = [
|
services = [
|
||||||
"cloudasset.googleapis.com",
|
"cloudasset.googleapis.com",
|
||||||
"compute.googleapis.com",
|
"cloudbuild.googleapis.com",
|
||||||
"cloudfunctions.googleapis.com"
|
"cloudfunctions.googleapis.com",
|
||||||
|
"compute.googleapis.com"
|
||||||
]
|
]
|
||||||
service_config = {
|
service_config = {
|
||||||
disable_on_destroy = false,
|
disable_on_destroy = false,
|
||||||
|
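Review bot: `cloudbuild.googleapis.com` is newly enabled in the `services` list, but neither the commit description (which only mentions sorting and the Asset Inventory API) nor a comment says why it is needed. It is presumably required for Cloud Functions source builds, but that is inferred, so record the reason where the next reader will look: `"cloudbuild.googleapis.com", # TODO confirm: required for Cloud Functions builds`. The enclosing `module "project"` block starts outside the hunk.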
@ -117,3 +118,17 @@ module "simple-vm-example" {
|
||||||
resource "random_pet" "random" {
|
resource "random_pet" "random" {
|
||||||
length = 1
|
length = 1
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Create a feed that sends notifications about instance updates.
|
||||||
|
resource "google_cloud_asset_project_feed" "project_feed" {
|
||||||
|
project = module.project.project_id
|
||||||
|
feed_id = var.name
|
||||||
|
content_type = "RESOURCE"
|
||||||
|
asset_types = ["compute.googleapis.com/Instance"]
|
||||||
|
|
||||||
|
feed_output_config {
|
||||||
|
pubsub_destination {
|
||||||
|
topic = module.pubsub.topic.id
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
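Review bot: The new `google_cloud_asset_project_feed` publishes to `module.pubsub.topic.id`, but nothing in this hunk grants the Cloud Asset service agent publish permission on that topic, and the `jit_services` hunk later in this commit only creates the service identity via `google_project_service_identity`. Unless the pubsub module binds that identity outside this diff, feed creation or delivery will fail once the feed tries to publish; add a `google_pubsub_topic_iam_member` granting `roles/pubsub.publisher` for the Cloud Asset service agent on that single topic rather than a project-wide role, so the grant stays scoped to the feed. A comment on the resource stating the prerequisite would also help, e.g. `# The Cloud Asset service agent must hold roles/pubsub.publisher on the target topic.`. The previously removed `feed_create` output documented this command-line path; with the resource managed by Terraform the IAM prerequisite is now the only manual step left, so it deserves to be explicit.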
@ -26,17 +26,6 @@ gcloud logging read '
|
||||||
END
|
END
|
||||||
}
|
}
|
||||||
|
|
||||||
output "feed_create" {
|
|
||||||
description = "Feed gcloud command."
|
|
||||||
value = <<END
|
|
||||||
gcloud asset feeds create ${var.name} \
|
|
||||||
--pubsub-topic ${module.pubsub.topic.id} \
|
|
||||||
--asset-types compute.googleapis.com/Instance \
|
|
||||||
--content-type resource \
|
|
||||||
--project ${module.project.project_id}
|
|
||||||
END
|
|
||||||
}
|
|
||||||
|
|
||||||
output "subscription_pull" {
|
output "subscription_pull" {
|
||||||
description = "Subscription pull command."
|
description = "Subscription pull command."
|
||||||
value = <<END
|
value = <<END
|
||||||
|
|
|
@ -61,7 +61,8 @@ output "service_accounts" {
|
||||||
}
|
}
|
||||||
depends_on = [
|
depends_on = [
|
||||||
google_project_service.project_services,
|
google_project_service.project_services,
|
||||||
google_kms_crypto_key_iam_member.crypto_key
|
google_kms_crypto_key_iam_member.crypto_key,
|
||||||
|
google_project_service_identity.jit_si
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -41,7 +41,8 @@ locals {
|
||||||
}
|
}
|
||||||
jit_services = [
|
jit_services = [
|
||||||
"secretmanager.googleapis.com",
|
"secretmanager.googleapis.com",
|
||||||
"pubsub.googleapis.com"
|
"pubsub.googleapis.com",
|
||||||
|
"cloudasset.googleapis.com"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
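Review bot: The added `"cloudasset.googleapis.com"` entry leaves `jit_services` unsorted (secretmanager, pubsub, cloudasset) although the commit description says services were sorted. If the list is consumed through `for_each`/`toset` the reorder is free and should read `"cloudasset.googleapis.com",` / `"pubsub.googleapis.com",` / `"secretmanager.googleapis.com"`; if it feeds a `count`, reordering would churn the service identities, so check the consumer before changing it. The enclosing `locals` block starts outside the hunk.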
@ -24,4 +24,4 @@ def test_resources(e2e_plan_runner):
|
||||||
"Test that plan works and the numbers of resources is as expected."
|
"Test that plan works and the numbers of resources is as expected."
|
||||||
modules, resources = e2e_plan_runner(FIXTURES_DIR)
|
modules, resources = e2e_plan_runner(FIXTURES_DIR)
|
||||||
assert len(modules) == 6
|
assert len(modules) == 6
|
||||||
assert len(resources) == 16
|
assert len(resources) == 18
|
||||||
|
|
|
@ -24,4 +24,4 @@ def test_resources(e2e_plan_runner):
|
||||||
"Test that plan works and the numbers of resources is as expected."
|
"Test that plan works and the numbers of resources is as expected."
|
||||||
modules, resources = e2e_plan_runner(FIXTURES_DIR)
|
modules, resources = e2e_plan_runner(FIXTURES_DIR)
|
||||||
assert len(modules) == 5
|
assert len(modules) == 5
|
||||||
assert len(resources) == 19
|
assert len(resources) == 20
|
||||||
|
|
|
@ -24,4 +24,4 @@ def test_resources(e2e_plan_runner):
|
||||||
"Test that plan works and the numbers of resources is as expected."
|
"Test that plan works and the numbers of resources is as expected."
|
||||||
modules, resources = e2e_plan_runner(FIXTURES_DIR)
|
modules, resources = e2e_plan_runner(FIXTURES_DIR)
|
||||||
assert len(modules) == 6
|
assert len(modules) == 6
|
||||||
assert len(resources) == 44
|
assert len(resources) == 45
|
||||||
|
|