update examples and tests for project and folder modules variable changes
This commit is contained in:
parent
0e1fb9bf9e
commit
25e1b8ac46
|
@ -41,7 +41,7 @@ module "project" {
|
||||||
"compute.zoneOperations.list"
|
"compute.zoneOperations.list"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
iam_members = {
|
iam = {
|
||||||
(local.role_id) = [module.service-account.iam_email]
|
(local.role_id) = [module.service-account.iam_email]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -34,7 +34,7 @@ module "project" {
|
||||||
disable_on_destroy = false,
|
disable_on_destroy = false,
|
||||||
disable_dependent_services = false
|
disable_dependent_services = false
|
||||||
}
|
}
|
||||||
iam_members = {
|
iam = {
|
||||||
"roles/monitoring.metricWriter" = [module.cf.service_account_iam_email]
|
"roles/monitoring.metricWriter" = [module.cf.service_account_iam_email]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -21,9 +21,9 @@
|
||||||
# Shared folder
|
# Shared folder
|
||||||
|
|
||||||
module "shared-folder" {
|
module "shared-folder" {
|
||||||
source = "../../modules/folders"
|
source = "../../modules/folder"
|
||||||
parent = var.root_node
|
parent = var.root_node
|
||||||
names = ["shared"]
|
name = "shared"
|
||||||
}
|
}
|
||||||
|
|
||||||
# Terraform project
|
# Terraform project
|
||||||
|
@ -34,7 +34,7 @@ module "tf-project" {
|
||||||
parent = module.shared-folder.id
|
parent = module.shared-folder.id
|
||||||
prefix = var.prefix
|
prefix = var.prefix
|
||||||
billing_account = var.billing_account_id
|
billing_account = var.billing_account_id
|
||||||
iam_additive_bindings = {
|
iam_additive = {
|
||||||
for name in var.iam_terraform_owners : (name) => ["roles/owner"]
|
for name in var.iam_terraform_owners : (name) => ["roles/owner"]
|
||||||
}
|
}
|
||||||
services = var.project_services
|
services = var.project_services
|
||||||
|
@ -45,7 +45,7 @@ module "tf-project" {
|
||||||
module "tf-gcs-bootstrap" {
|
module "tf-gcs-bootstrap" {
|
||||||
source = "../../modules/gcs"
|
source = "../../modules/gcs"
|
||||||
project_id = module.tf-project.project_id
|
project_id = module.tf-project.project_id
|
||||||
names = ["tf-bootstrap"]
|
name = "tf-bootstrap"
|
||||||
prefix = "${var.prefix}-tf"
|
prefix = "${var.prefix}-tf"
|
||||||
location = var.gcs_defaults.location
|
location = var.gcs_defaults.location
|
||||||
}
|
}
|
||||||
|
@ -96,14 +96,10 @@ module "audit-project" {
|
||||||
parent = var.root_node
|
parent = var.root_node
|
||||||
prefix = var.prefix
|
prefix = var.prefix
|
||||||
billing_account = var.billing_account_id
|
billing_account = var.billing_account_id
|
||||||
iam_members = {
|
iam = {
|
||||||
"roles/bigquery.dataEditor" = [module.audit-log-sinks.writer_identities[0]]
|
"roles/bigquery.dataEditor" = [module.audit-log-sinks.writer_identities[0]]
|
||||||
"roles/viewer" = var.iam_audit_viewers
|
"roles/viewer" = var.iam_audit_viewers
|
||||||
}
|
}
|
||||||
iam_roles = [
|
|
||||||
"roles/bigquery.dataEditor",
|
|
||||||
"roles/viewer"
|
|
||||||
]
|
|
||||||
services = concat(var.project_services, [
|
services = concat(var.project_services, [
|
||||||
"bigquery.googleapis.com",
|
"bigquery.googleapis.com",
|
||||||
])
|
])
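Review bot: With `iam_roles` gone, the set of roles managed on the audit project is now implied solely by the keys of `iam`, and `"roles/viewer" = var.iam_audit_viewers` is taken straight from a variable; the folder tests later in this commit count one resource per role regardless of member count, which suggests `iam` is rendered as an authoritative per-role binding, so an empty `iam_audit_viewers` would still create a binding that removes any viewer members granted outside Terraform — confirm the module's semantics. If authoritative is intended, a one-line comment above the map, `# authoritative per role: members not listed here are removed`, saves the next reader the surprise; otherwise filter the map so a role only appears when its member list is non-empty, e.g. `{ for k, v in local.audit_iam : k => v if length(v) > 0 }` (constructed example). The same pattern is in the business-units `audit-project` hunk and in the shared-vpc `project-svc-gce` hunk, where the variable-driven role is `"roles/owner" = var.owners_gce`. The `module "audit-project"` block starts and ends outside this hunk.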
|
||||||
|
@ -147,7 +143,7 @@ module "shared-project" {
|
||||||
parent = module.shared-folder.id
|
parent = module.shared-folder.id
|
||||||
prefix = var.prefix
|
prefix = var.prefix
|
||||||
billing_account = var.billing_account_id
|
billing_account = var.billing_account_id
|
||||||
iam_additive_bindings = {
|
iam_additive = {
|
||||||
for name in var.iam_shared_owners : (name) => ["roles/owner"]
|
for name in var.iam_shared_owners : (name) => ["roles/owner"]
|
||||||
}
|
}
|
||||||
services = var.project_services
|
services = var.project_services
|
||||||
|
|
|
@ -33,7 +33,7 @@ If no shared services are needed, the shared service project module can of cours
|
||||||
| name | description | type | required | default |
|
| name | description | type | required | default |
|
||||||
|---|---|:---: |:---:|:---:|
|
|---|---|:---: |:---:|:---:|
|
||||||
| billing_account_id | Billing account id used as to create projects. | <code title="">string</code> | ✓ | |
|
| billing_account_id | Billing account id used as to create projects. | <code title="">string</code> | ✓ | |
|
||||||
| environments | Environment short names. | <code title="list(string)">list(string)</code> | ✓ | |
|
| environments | Environment short names. | <code title="set(string)">set(string)</code> | ✓ | |
|
||||||
| organization_id | Organization id in organizations/nnnnnnnn format. | <code title="">string</code> | ✓ | |
|
| organization_id | Organization id in organizations/nnnnnnnn format. | <code title="">string</code> | ✓ | |
|
||||||
| prefix | Prefix used for resources that need unique names. | <code title="">string</code> | ✓ | |
|
| prefix | Prefix used for resources that need unique names. | <code title="">string</code> | ✓ | |
|
||||||
| root_node | Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'. | <code title="">string</code> | ✓ | |
|
| root_node | Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'. | <code title="">string</code> | ✓ | |
|
||||||
|
|
|
@ -24,7 +24,7 @@ module "tf-project" {
|
||||||
parent = var.root_node
|
parent = var.root_node
|
||||||
prefix = var.prefix
|
prefix = var.prefix
|
||||||
billing_account = var.billing_account_id
|
billing_account = var.billing_account_id
|
||||||
iam_additive_bindings = {
|
iam_additive = {
|
||||||
for name in var.iam_terraform_owners : (name) => ["roles/owner"]
|
for name in var.iam_terraform_owners : (name) => ["roles/owner"]
|
||||||
}
|
}
|
||||||
services = var.project_services
|
services = var.project_services
|
||||||
|
@ -34,8 +34,8 @@ module "tf-project" {
|
||||||
|
|
||||||
module "tf-service-accounts" {
|
module "tf-service-accounts" {
|
||||||
source = "../../modules/iam-service-account"
|
source = "../../modules/iam-service-account"
|
||||||
project_id = module.tf-project.project_id
|
|
||||||
for_each = var.environments
|
for_each = var.environments
|
||||||
|
project_id = module.tf-project.project_id
|
||||||
name = each.value
|
name = each.value
|
||||||
prefix = var.prefix
|
prefix = var.prefix
|
||||||
iam_billing_roles = {
|
iam_billing_roles = {
|
||||||
|
@ -67,8 +67,8 @@ module "tf-gcs-bootstrap" {
|
||||||
|
|
||||||
module "tf-gcs-environments" {
|
module "tf-gcs-environments" {
|
||||||
source = "../../modules/gcs"
|
source = "../../modules/gcs"
|
||||||
project_id = module.tf-project.project_id
|
|
||||||
for_each = var.environments
|
for_each = var.environments
|
||||||
|
project_id = module.tf-project.project_id
|
||||||
name = each.value
|
name = each.value
|
||||||
prefix = "${var.prefix}-tf"
|
prefix = "${var.prefix}-tf"
|
||||||
location = var.gcs_location
|
location = var.gcs_location
|
||||||
|
@ -86,7 +86,7 @@ module "environment-folders" {
|
||||||
for_each = var.environments
|
for_each = var.environments
|
||||||
parent = var.root_node
|
parent = var.root_node
|
||||||
name = each.value
|
name = each.value
|
||||||
iam_members = {
|
iam = {
|
||||||
for role in local.folder_roles :
|
for role in local.folder_roles :
|
||||||
(role) => [module.tf-service-accounts[each.value].iam_email]
|
(role) => [module.tf-service-accounts[each.value].iam_email]
|
||||||
}
|
}
|
||||||
|
@ -104,7 +104,7 @@ module "audit-project" {
|
||||||
parent = var.root_node
|
parent = var.root_node
|
||||||
prefix = var.prefix
|
prefix = var.prefix
|
||||||
billing_account = var.billing_account_id
|
billing_account = var.billing_account_id
|
||||||
iam_members = {
|
iam = {
|
||||||
"roles/bigquery.dataEditor" = [module.audit-log-sinks.writer_identities[0]]
|
"roles/bigquery.dataEditor" = [module.audit-log-sinks.writer_identities[0]]
|
||||||
"roles/viewer" = var.iam_audit_viewers
|
"roles/viewer" = var.iam_audit_viewers
|
||||||
}
|
}
|
||||||
|
@ -152,7 +152,7 @@ module "sharedsvc-project" {
|
||||||
parent = var.root_node
|
parent = var.root_node
|
||||||
prefix = var.prefix
|
prefix = var.prefix
|
||||||
billing_account = var.billing_account_id
|
billing_account = var.billing_account_id
|
||||||
iam_additive_bindings = {
|
iam_additive = {
|
||||||
for name in var.iam_shared_owners : (name) => ["roles/owner"]
|
for name in var.iam_shared_owners : (name) => ["roles/owner"]
|
||||||
}
|
}
|
||||||
services = var.project_services
|
services = var.project_services
|
||||||
|
|
|
@ -30,7 +30,7 @@ module "project-host" {
|
||||||
enabled = true
|
enabled = true
|
||||||
service_projects = [] # defined later
|
service_projects = [] # defined later
|
||||||
}
|
}
|
||||||
iam_members = {
|
iam = {
|
||||||
"roles/container.hostServiceAgentUser" = [
|
"roles/container.hostServiceAgentUser" = [
|
||||||
"serviceAccount:${module.project-svc-gke.service_accounts.robots.container-engine}"
|
"serviceAccount:${module.project-svc-gke.service_accounts.robots.container-engine}"
|
||||||
]
|
]
|
||||||
|
@ -51,7 +51,7 @@ module "project-svc-gce" {
|
||||||
attach = true
|
attach = true
|
||||||
host_project = module.project-host.project_id
|
host_project = module.project-host.project_id
|
||||||
}
|
}
|
||||||
iam_members = {
|
iam = {
|
||||||
"roles/logging.logWriter" = [module.vm-bastion.service_account_iam_email],
|
"roles/logging.logWriter" = [module.vm-bastion.service_account_iam_email],
|
||||||
"roles/monitoring.metricWriter" = [module.vm-bastion.service_account_iam_email],
|
"roles/monitoring.metricWriter" = [module.vm-bastion.service_account_iam_email],
|
||||||
"roles/owner" = var.owners_gce,
|
"roles/owner" = var.owners_gce,
|
||||||
|
@ -72,7 +72,7 @@ module "project-svc-gke" {
|
||||||
attach = true
|
attach = true
|
||||||
host_project = module.project-host.project_id
|
host_project = module.project-host.project_id
|
||||||
}
|
}
|
||||||
iam_members = {
|
iam = {
|
||||||
"roles/container.developer" = [module.vm-bastion.service_account_iam_email],
|
"roles/container.developer" = [module.vm-bastion.service_account_iam_email],
|
||||||
"roles/logging.logWriter" = [module.service-account-gke-node.iam_email],
|
"roles/logging.logWriter" = [module.service-account-gke-node.iam_email],
|
||||||
"roles/monitoring.metricWriter" = [module.service-account-gke-node.iam_email],
|
"roles/monitoring.metricWriter" = [module.service-account-gke-node.iam_email],
|
||||||
|
|
|
@ -0,0 +1,13 @@
|
||||||
|
# Copyright 2020 Google LLC
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
|
@ -0,0 +1,23 @@
|
||||||
|
/**
|
||||||
|
* Copyright 2020 Google LLC
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
module "test" {
|
||||||
|
source = "../../../../foundations/business-units"
|
||||||
|
billing_account_id = var.billing_account_id
|
||||||
|
organization_id = var.organization_id
|
||||||
|
prefix = var.prefix
|
||||||
|
root_node = var.root_node
|
||||||
|
}
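Review bot: The fixture's `module "test"` passes billing_account_id, organization_id, prefix and root_node but not `environments`, which the README hunk earlier in this commit lists as required with no default; unless the foundation's variables.tf supplies a default the README does not show, `terraform plan` on this fixture fails before the counts in the e2e test are reached. Setting it explicitly here, e.g. `environments = ["dev", "test"]` (constructed example, use whatever the expected 9 modules / 84 resources were computed with), with a matching `variable "environments"` in the fixture's variables.tf, keeps the fixture self-describing and the resource counts reproducible. The block is complete within the hunk.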
|
|
@ -0,0 +1,35 @@
|
||||||
|
# Copyright 2020 Google LLC
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
variable "billing_account_id" {
|
||||||
|
type = string
|
||||||
|
default = "1234-5678-9012"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "organization_id" {
|
||||||
|
type = string
|
||||||
|
default = "organizations/1234567890"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "prefix" {
|
||||||
|
description = "Prefix used for resources that need unique names."
|
||||||
|
type = string
|
||||||
|
default = "test"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "root_node" {
|
||||||
|
description = "Root node for the new hierarchy, either 'organizations/org_id' or 'folders/folder_id'."
|
||||||
|
type = string
|
||||||
|
default = "folders/1234567890"
|
||||||
|
}
|
|
@ -0,0 +1,27 @@
|
||||||
|
# Copyright 2020 Google LLC
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
|
||||||
|
import os
|
||||||
|
import pytest
|
||||||
|
|
||||||
|
|
||||||
|
FIXTURES_DIR = os.path.join(os.path.dirname(__file__), 'fixture')
|
||||||
|
|
||||||
|
|
||||||
|
def test_resources(e2e_plan_runner):
|
||||||
|
"Test that plan works and the numbers of resources is as expected."
|
||||||
|
modules, resources = e2e_plan_runner(FIXTURES_DIR)
|
||||||
|
assert len(modules) == 9
|
||||||
|
assert len(resources) == 84
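Review bot: `import pytest` on the second import line is unused — the test only receives the `e2e_plan_runner` fixture by argument and references nothing from the module — so it should be dropped. The docstring also reads `the numbers of resources is as expected`; `"Test that plan works and the number of resources is as expected."` is the intended sentence. The hard-coded `9` / `84` are fine for a plan smoke test, but a short comment naming what drives them (the fixture's environment list and enabled services) would help whoever has to update them next. The file is complete within the hunk.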
|
|
@ -18,7 +18,7 @@ module "test" {
|
||||||
source = "../../../../modules/folder"
|
source = "../../../../modules/folder"
|
||||||
parent = "organizations/12345678"
|
parent = "organizations/12345678"
|
||||||
name = "folder-a"
|
name = "folder-a"
|
||||||
iam_members = var.iam_members
|
iam = var.iam
|
||||||
policy_boolean = var.policy_boolean
|
policy_boolean = var.policy_boolean
|
||||||
policy_list = var.policy_list
|
policy_list = var.policy_list
|
||||||
}
|
}
|
||||||
|
|
|
@ -14,7 +14,7 @@
|
||||||
* limitations under the License.
|
* limitations under the License.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
variable "iam_members" {
|
variable "iam" {
|
||||||
type = map(list(string))
|
type = map(list(string))
|
||||||
default = {}
|
default = {}
|
||||||
}
|
}
|
||||||
|
|
|
@ -32,26 +32,25 @@ def test_folder(plan_runner):
|
||||||
|
|
||||||
def test_iam(plan_runner):
|
def test_iam(plan_runner):
|
||||||
"Test folder resources with iam roles and members."
|
"Test folder resources with iam roles and members."
|
||||||
iam_members = '{"roles/owner" = ["user:a@b.com"] }'
|
iam = '{"roles/owner" = ["user:a@b.com"] }'
|
||||||
_, resources = plan_runner(FIXTURES_DIR,
|
_, resources = plan_runner(FIXTURES_DIR, iam=iam)
|
||||||
iam_members=iam_members)
|
|
||||||
assert len(resources) == 2
|
assert len(resources) == 2
|
||||||
|
|
||||||
|
|
||||||
def test_iam_multiple_members(plan_runner):
|
def test_iam_multiple_members(plan_runner):
|
||||||
"Test folder resources with multiple iam members."
|
"Test folder resources with multiple iam members."
|
||||||
iam_members = '{"roles/owner" = ["user:a@b.com", "user:c@d.com"] }'
|
iam = '{"roles/owner" = ["user:a@b.com", "user:c@d.com"] }'
|
||||||
_, resources = plan_runner(FIXTURES_DIR,
|
_, resources = plan_runner(FIXTURES_DIR, iam=iam)
|
||||||
iam_members=iam_members)
|
|
||||||
assert len(resources) == 2
|
assert len(resources) == 2
|
||||||
|
|
||||||
|
|
||||||
def test_iam_multiple_roles(plan_runner):
|
def test_iam_multiple_roles(plan_runner):
|
||||||
"Test folder resources with multiple iam roles."
|
"Test folder resources with multiple iam roles."
|
||||||
iam_members = (
|
iam = (
|
||||||
'{ '
|
'{ '
|
||||||
'"roles/owner" = ["user:a@b.com"], '
|
'"roles/owner" = ["user:a@b.com"], '
|
||||||
'"roles/viewer" = ["user:c@d.com"] '
|
'"roles/viewer" = ["user:c@d.com"] '
|
||||||
'} '
|
'} '
|
||||||
)
|
)
|
||||||
_, resources = plan_runner(FIXTURES_DIR,
|
_, resources = plan_runner(FIXTURES_DIR, iam=iam)
|
||||||
iam_members=iam_members)
|
|
||||||
assert len(resources) == 3
|
assert len(resources) == 3
|
||||||
|
|