zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into google_gkehub_feature_membership

This commit is contained in:
Julio Castillo 2023-01-23 09:11:49 +01:00 committed by GitHub
parent 0ea769e70f 20826d0ef5
commit 551d45760f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
95 changed files with 2222 additions and 1453 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.github/workflows/linting.yml vendored
View File

@ -69,4 +69,7 @@ jobs:
- name: Check python formatting
id: yapf
run: |
yapf --style="{based_on_style: google, indent_width: 2, SPLIT_BEFORE_NAMED_ASSIGNS: false}" -p -d tools/*.py
yapf --style="{based_on_style: google, indent_width: 2, SPLIT_BEFORE_NAMED_ASSIGNS: false}" -p -d \
tools/*.py \
blueprints/cloud-operations/network-dashboard/src/*py \
blueprints/cloud-operations/network-dashboard/src/plugins/*py

2
CONTRIBUTING.md
View File

@ -754,7 +754,7 @@ def test_name(plan_summary, tfvars_to_yaml, tmp_path):
assert s.values[address]['project'] == 'my-project'
```
For more examples on how to write python tests, the tests for [`organization`](./tests/modules/organization/test_plan_org_policies.py) and [`net-vpc`](./tests/modules/net_vpc/test_routes.py) modules.
For more examples on how to write python tests, check the tests for the [`organization`](./tests/modules/organization/test_plan_org_policies.py) module.
#### Testing documentation examples

20
blueprints/apigee/hybrid-gke/README.md
View File

@ -25,20 +25,24 @@ The diagram below depicts the architecture.
terraform apply
```
Create an A record in your DNS registrar to point the environment group hostname to the public IP address returned after the terraform configuration was applied. You might need to wait some time until the certificate is provisioned.
5. Install Apigee hybrid using de ansible playbook that is in the ansible folder by running this command
ansible-playbook playbook.yaml -vvvß
## Testing the blueprint
2. Deploy an api proxy
```
./deploy-apiproxy.sh
./deploy-apiproxy.sh apis-test
```
3. In the console check the IP address that has been allocated to the Apigee ingress gateway and send some traffic to the deployed API proxy.
3. Send a request
```
curl -k -v -H "Host:HOSTNAME" \
--resolve HOSTNAME:443:IP_ADDRESS \
https://HOSTNAME/httpbin/headers
curl -v https://HOSTNAME/httpbin/headers
```
<!-- BEGIN TFDOC -->
@ -56,4 +60,10 @@ The diagram below depicts the architecture.
| [region](variables.tf#L84) | Region. | <code>string</code> | | <code>&#34;europe-west1&#34;</code> |
| [zone](variables.tf#L90) | Zone. | <code>string</code> | | <code>&#34;europe-west1-c&#34;</code> |
## Outputs
| name | description | sensitive |
|---|---|:---:|
| [ip_address](outputs.tf#L17) | GLB IP address. | |
<!-- END TFDOC -->

13
blueprints/apigee/hybrid-gke/ansible.tf
View File

@ -18,12 +18,13 @@
resource "local_file" "vars_file" {
content = yamlencode({
cluster = module.cluster.name
region = var.region
project_id = module.project.project_id
envgroup = local.envgroup
env = local.environment
hostname = var.hostname
cluster = module.cluster.name
region = var.region
project_id = module.project.project_id
envgroups = local.envgroups
environments = local.environments
service_accounts = local.google_sas
ingress_ip_name = local.ingress_ip_name
})
filename = "${path.module}/ansible/vars/vars.yaml"
file_permission = "0666"

28
blueprints/apigee/hybrid-gke/ansible/roles/apigee-hybrid/tasks/k8s_service_accounts.yaml Normal file
View File

@ -0,0 +1,28 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Create and annotate k8s service account
kubernetes.core.k8s:
state: present
definition:
apiVersion: v1
kind: ServiceAccount
metadata:
name: "{{ k8s_service_account }}"
namespace: apigee
annotations:
iam.gke.io/gcp-service-account: "{{ google_service_account }}@{{ project_id }}.iam.gserviceaccount.com"
with_items: "{{ k8s_service_accounts }}"
loop_control:
loop_var: k8s_service_account

284
blueprints/apigee/hybrid-gke/ansible/roles/apigee-hybrid/tasks/main.yaml
View File

@ -1,11 +1,11 @@
# Copyright 2023 Google LLC
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#
# http://www.apache.org/licenses/LICENSE-2.0
#
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@ -19,18 +19,27 @@
--project {{ project_id }} \
--internal-ip
- name: Install cert-manager
shell: >
kubectl apply \
--validate=false \
-f https://github.com/jetstack/cert-manager/releases/download/v1.7.2/cert-manager.yaml
- name: Download cert-manager
uri:
url: https://github.com/jetstack/cert-manager/releases/download/v1.7.2/cert-manager.yaml
dest: ~/cert-manager.yaml
- name: Wait until pods are ready in cert-manager namespace
shell: >
kubectl wait --for=condition=ready pods \
-l app.kubernetes.io/instance=cert-manager \
-n cert-manager \
--timeout=90s
- name: Apply metrics-server manifest to the cluster.
kubernetes.core.k8s:
state: present
src: ~/cert-manager.yaml
- name:
kubernetes.core.k8s_info:
kind: Pod
wait: yes
label_selectors:
- "app.kubernetes.io/instance=cert-manager"
namespace: cert-manager
wait_timeout: 90
wait_condition:
type: Ready
status: True
- name: Fetch apigeectl version
uri:
@ -48,7 +57,7 @@
unarchive:
src: "~/apigeectl.tar.gz"
dest: "~"
remote_src: yes
remote_src: yes
- name: Move apigeectl folder
shell: >
@ -66,25 +75,69 @@
file:
src: ~/apigeectl/{{ item }}
dest: "~/hybrid-files/{{ item }}"
state: link
state: link
with_items:
- tools
- config
- templates
- plugins
- plugins
- name: Create service accounts
shell: >
~/hybrid-files/tools/create-service-account -i {{ project_id }} -e non-prod -d ~/hybrid-files/service-accounts
- name: Create apigee namespace
kubernetes.core.k8s:
state: present
definition:
apiVersion: v1
kind: Namespace
metadata:
name: apigee
- name: Create certificates
- name: Create k8s service accounts
include_tasks: k8s_service_accounts.yaml
vars:
google_service_account: "{{ item.key }}"
k8s_service_accounts: "{{ item.value }}"
with_dict: "{{ service_accounts }}"
- name: Set hostnames
set_fact:
hostnames: "{{ hostnames | default([]) + item.value }}"
with_dict: "{{ envgroups }}"
- name: Create certificate and private key
shell: >
openssl req \
-nodes \
-new \
-x509 \
-keyout ~/hybrid-files/certs/{{ envgroup }}.key \
-out ~/hybrid-files/certs/{{ envgroup }}.cert -subj '/CN='{{ hostname }}'' -days 3650
-keyout ~/hybrid-files/certs/server.key \
-out ~/hybrid-files/certs/server.crt \
-subj "/CN=apigee.com' \
-addext "subjectAltName={{ hostnames | map('regex_replace', '^', 'DNS:') | join(',') }}""
-days 3650
- name: Read certificate
slurp:
src: ~/hybrid-files/certs/server.crt
register: certificate_output
- name: Read private ket
slurp:
src: ~/hybrid-files/certs/server.key
register: privatekey_output
- name: Create secret
kubernetes.core.k8s:
state: present
definition:
apiVersion: v1
kind: Secret
metadata:
name: tls-hybrid-ingress
namespace: apigee
type: kubernetes.io/tls
data:
tls.crt: "{{ certificate_output.content }}"
tls.key: "{{ privatekey_output.content }}"
- name: Create overrides.yaml
template:
@ -96,48 +149,185 @@
curl -X POST -H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type:application/json" \
"https://apigee.googleapis.com/v1/organizations/{{ project_id }}:setSyncAuthorization" \
-d '{"identities":["'"serviceAccount:apigee-non-prod@{{ project_id }}.iam.gserviceaccount.com"'"]}'
-d '{"identities":["'"serviceAccount:apigee-synchronizer@{{ project_id }}.iam.gserviceaccount.com"'"]}'
- name: Dry-run (init)
shell: >
~/apigeectl/apigeectl init -f overrides/overrides.yaml --dry-run=client
~/apigeectl/apigeectl init -f overrides/overrides.yaml --dry-run=client
args:
chdir: ~/hybrid-files
- name: Install the Apigee deployment services Apigee Deployment Controller and Apigee Admission Webhook.
shell: >
~/apigeectl/apigeectl init -f overrides/overrides.yaml
~/apigeectl/apigeectl init -f overrides/overrides.yaml
args:
chdir: ~/hybrid-files
chdir: ~/hybrid-files
- name: Wait until pods are ready in apigee-system namespace
shell: >
kubectl wait --for=condition=ready pods \
-l app=apigee-controller \
-n apigee-system \
--timeout=300s
- name: Wait for apigee-controller pod to be ready
kubernetes.core.k8s_info:
kind: Pod
wait: yes
label_selectors:
- "app=apigee-controller"
namespace: apigee-system
wait_timeout: 600
wait_condition:
type: Ready
status: True
- name: Wait until pods are ready in apigee namespace
shell: >
kubectl wait --for=condition=ready pods \
-l app=apigee-ingressgateway-manager \
-n apigee \
--timeout=300s
- name: Wait for apigee-selfsigned-issuer issuer to be ready
kubernetes.core.k8s_info:
kind: Issuer
wait: yes
name: apigee-selfsigned-issuer
namespace: apigee-system
wait_timeout: 600
wait_condition:
type: Ready
status: True
- name: Wait for apigee-serving-cert certificate to be ready
kubernetes.core.k8s_info:
kind: Certificate
wait: yes
name: apigee-serving-cert
namespace: apigee-system
wait_timeout: 600
wait_condition:
type: Ready
status: True
- name: Wait for apigee-resources-install job to be complete
kubernetes.core.k8s_info:
kind: Job
wait: yes
name: apigee-resources-install
namespace: apigee-system
wait_timeout: 360
wait_condition:
type: Complete
status: True
- name: Dry-run (apply)
shell: >
~/apigeectl/apigeectl apply -f overrides/overrides.yaml --dry-run=client
~/apigeectl/apigeectl apply -f overrides/overrides.yaml --dry-run=client
args:
chdir: ~/hybrid-files
- name: Install the Apigee runtime components
shell: >
~/apigeectl/apigeectl apply -f overrides/overrides.yaml
~/apigeectl/apigeectl apply -f overrides/overrides.yaml
args:
chdir: ~/hybrid-files
chdir: ~/hybrid-files
- name: Check status of the deployment
shell: >
while [ -n "$(kubectl get pods -n apigee | tail -n +2 | grep -v Running | grep -v Completed)" ]; do sleep 1; done
args:
chdir: ~/hybrid-files
- name: Wait for apigee-runtime pod to be ready
kubernetes.core.k8s_info:
kind: Pod
wait: yes
label_selectors:
- "app=apigee-runtime"
namespace: apigee
wait_timeout: 360
wait_condition:
type: Ready
status: True
- name:
kubernetes.core.k8s:
state: present
definition:
apiVersion: apigee.cloud.google.com/v1alpha1
kind: ApigeeRoute
metadata:
name: apigee-wildcard
namespace: apigee
spec:
hostnames:
- '*'
ports:
- number: 443
protocol: HTTPS
tls:
credentialName: tls-hybrid-ingress
mode: SIMPLE
selector:
app: apigee-ingressgateway
enableNonSniClient: true
- name: Create google-managed certificate
kubernetes.core.k8s:
state: present
definition:
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
name: "apigee-cert-hybrid"
namespace: apigee
spec:
domains: "{{ hostnames }}"
- name: Create backend config
kubernetes.core.k8s:
state: present
definition:
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
name: apigee-ingress-backendconfig
namespace: apigee
spec:
healthCheck:
requestPath: /healthz/ready
port: 15021
type: HTTP
logging:
enable: true
sampleRate: 0.5
- name: Create service
kubernetes.core.k8s:
state: present
definition:
apiVersion: v1
kind: Service
metadata:
name: apigee-ingressgateway-hybrid
namespace: apigee
annotations:
cloud.google.com/backend-config: '{"default": "apigee-ingress-backendconfig"}'
cloud.google.com/neg: '{"ingress": true}'
cloud.google.com/app-protocols: '{"https":"HTTPS", "status-port": "HTTP"}'
labels:
app: apigee-ingressgateway-hybrid
spec:
ports:
- name: status-port
port: 15021
targetPort: 15021
- name: https
port: 443
targetPort: 8443
selector:
app: apigee-ingressgateway
ingress_name: ingress
type: ClusterIP
- name: Create ingress
kubernetes.core.k8s:
state: present
definition:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
networking.gke.io/managed-certificates: "apigee-cert-hybrid"
kubernetes.io/ingress.global-static-ip-name: "{{ ingress_ip_name }}"
kubernetes.io/ingress.allow-http: "false"
name: xlb-apigee
namespace: apigee
spec:
defaultBackend:
service:
name: apigee-ingressgateway-hybrid
port:
number: 443

45
blueprints/apigee/hybrid-gke/ansible/roles/apigee-hybrid/templates/overrides.yaml.j2
View File

@ -1,29 +1,26 @@
gcp:
region: {{ region }}
projectID: {{ project_id }}
workloadIdentityEnabled: true
k8sCluster:
name: {{ cluster }}
region: CLUSTER_LOCATION # Must be the closest Google Cloud region to your cluster.
region: {{ region }} # Must be the closest Google Cloud region to your cluster.
org: {{ project_id }}
instanceID: "instance-1"
instanceID: "{{ cluster }}-{{ region }}"
cassandra:
hostNetwork: false
# Set to false for single region installations and multi-region installations
# with connectivity between pods in different clusters, for example GKE installations.
# Set to true for multi-region installations with no communication between
# pods in different clusters, for example GKE On-prem, GKE on AWS, Anthos on bare metal,
# AKS, EKS, and OpenShift installations.
# See Multi-region deployment: Prerequisites
virtualhosts:
- name: {{ envgroup }}
{% for k in envgroups %}
- name: {{ k }}
sslSecret: tls-hybrid-ingress
additionalGateways: ["apigee-wildcard"]
selector:
app: apigee-ingressgateway
sslCertPath: ./certs/{{ envgroup }}.cert
sslKeyPath: ./certs/{{ envgroup }}.key
{% endfor %}
ao:
args:
@ -37,27 +34,9 @@ ingressGateways:
replicaCountMax: 10
envs:
- name: {{ env }}
serviceAccountPaths:
synchronizer: ./service-accounts/{{ project_id }}-apigee-non-prod.json
udca: ./service-accounts/{{ project_id }}-apigee-non-prod.json
runtime: ./service-accounts/{{ project_id }}-apigee-non-prod.json
mart:
serviceAccountPath: ./service-accounts/{{ project_id }}-apigee-non-prod.json
connectAgent:
serviceAccountPath: ./service-accounts/{{ project_id }}-apigee-non-prod.json
metrics:
serviceAccountPath: ./service-accounts/{{ project_id }}-apigee-non-prod.json
udca:
serviceAccountPath: ./service-accounts/{{ project_id }}-apigee-non-prod.json
watcher:
serviceAccountPath: ./service-accounts/{{ project_id }}-apigee-non-prod.json
{% for k in environments %}
- name: {{ k }}
{% endfor %}
logger:
enabled: true
serviceAccountPath: ./service-accounts/{{ project_id }}-apigee-non-prod.json
enabled: false

67
blueprints/apigee/hybrid-gke/apigee.tf
View File

@ -15,8 +15,51 @@
*/
locals {
envgroup = "test"
environment = "apis-test"
envgroups = {
test = [var.hostname]
}
environments = {
apis-test = {
envgroups = ["test"]
}
}
org_short_name = (length(module.project.project_id) < 16 ?
module.project.project_id :
substr(module.project.project_id, 0, 15))
org_hash = format("%s-%s", local.org_short_name, substr(sha256(module.project.project_id), 0, 7))
org_env_hashes = {
for k, v in local.environments :
k => format("%s-%s-%s", local.org_short_name, length(k) < 16 ? k : substr(k, 0, 15), substr(sha256("${module.project.project_id}:${k}"), 0, 7))
}
google_sas = {
apigee-metrics = [
"apigee-metrics-sa"
]
apigee-cassandra = [
"apigee-cassandra-schema-setup-${local.org_hash}-sa",
"apigee-cassandra-user-setup-${local.org_hash}-sa"
]
apigee-mart = [
"apigee-mart-${local.org_hash}-sa",
"apigee-connect-agent-${local.org_hash}-sa"
]
apigee-watcher = [
"apigee-watcher-${local.org_hash}-sa"
]
apigee-udca = concat([
"apigee-udca-${local.org_hash}-sa"
],
[for k, v in local.org_env_hashes :
"apigee-udca-${local.org_env_hashes[k]}-sa"
])
apigee-synchronizer = [
for k, v in local.org_env_hashes :
"apigee-synchronizer-${local.org_env_hashes[k]}-sa"
]
apigee-runtime = [for k, v in local.org_env_hashes :
"apigee-runtime-${local.org_env_hashes[k]}-sa"
]
}
}
module "apigee" {
@ -26,20 +69,24 @@ module "apigee" {
analytics_region = var.region
runtime_type = "HYBRID"
}
envgroups = {
(local.envgroup) = [var.hostname]
}
environments = {
(local.environment) = {
envgroups = [local.envgroup]
}
envgroups = local.envgroups
environments = local.environments
}
module "sas" {
for_each = local.google_sas
source = "../../../modules/iam-service-account"
project_id = module.project.project_id
name = each.key
# authoritative roles granted *on* the service accounts to other identities
iam = {
"roles/iam.workloadIdentityUser" = [for v in each.value : "serviceAccount:${module.project.project_id}.svc.id.goog[apigee/${v}]"]
}
}
resource "local_file" "deploy_apiproxy_file" {
content = templatefile("${path.module}/templates/deploy-apiproxy.sh.tpl", {
org = module.project.project_id
env = local.environment
})
filename = "${path.module}/deploy-apiproxy.sh"
file_permission = "0777"

BIN
blueprints/apigee/hybrid-gke/diagram.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 35 KiB

After

Width:  |  Height:  |  Size: 35 KiB

20
tests/modules/dns/fixture/main.tf → blueprints/apigee/hybrid-gke/glb.tf
View File

@ -1,5 +1,5 @@
/**
* Copyright 2022 Google LLC
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -14,14 +14,12 @@
* limitations under the License.
*/
module "test" {
source = "../../../../modules/dns"
project_id = "my-project"
name = "test"
domain = "test.example."
client_networks = var.client_networks
type = var.type
forwarders = var.forwarders
peer_network = var.peer_network
recordsets = var.recordsets
locals {
ingress_ip_name = "apigee"
}
module "addresses" {
source = "../../../modules/net-address"
project_id = module.project.project_id
global_addresses = [local.ingress_ip_name]
}

9
blueprints/apigee/hybrid-gke/main.tf
View File

@ -40,5 +40,12 @@ module "project" {
"roles/resourcemanager.projectIamAdmin" = [module.mgmt_server.service_account_iam_email]
"roles/iam.serviceAccountAdmin" = [module.mgmt_server.service_account_iam_email]
"roles/iam.serviceAccountKeyAdmin" = [module.mgmt_server.service_account_iam_email]
"roles/monitoring.metricWriter" = [module.sas["apigee-metrics"].iam_email]
"roles/storage.objectAdmin" = [module.sas["apigee-cassandra"].iam_email]
"roles/apigeeconnect.Agent" = [module.sas["apigee-mart"].iam_email]
"roles/apigee.runtimeAgent" = [module.sas["apigee-watcher"].iam_email]
"roles/apigee.analyticsAgent" = [module.sas["apigee-udca"].iam_email]
"roles/apigee.synchronizerManager" = [module.sas["apigee-synchronizer"].iam_email]
"roles/cloudtrace.agent" = [module.sas["apigee-runtime"].iam_email]
}
}
}

10
blueprints/apigee/hybrid-gke/mgmt.tf
View File

@ -34,4 +34,12 @@ module "mgmt_server" {
type = var.mgmt_server_config.disk_type
size = var.mgmt_server_config.disk_size
}
}
metadata = {
startup-script = <<EOT
#!/bin/bash
apt update -y
apt install python3-pip -y
pip3 install kubernetes
EOT
}
}

17
tests/modules/gke_cluster/fixture/main.tf → blueprints/apigee/hybrid-gke/outputs.tf
View File

@ -1,5 +1,5 @@
/**
* Copyright 2022 Google LLC
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -14,16 +14,7 @@
* limitations under the License.
*/
module "test" {
source = "../../../../modules/gke-cluster"
project_id = "my-project"
name = "cluster-1"
location = "europe-west1-b"
vpc_config = {
network = "mynetwork"
subnetwork = "mysubnet"
}
enable_addons = var.enable_addons
enable_features = var.enable_features
tags = var.tags
output "ip_address" {
description = "GLB IP address."
value = module.addresses.global_addresses["apigee"].address
}

7
blueprints/apigee/hybrid-gke/templates/deploy-apiproxy.sh.tpl
View File

@ -14,8 +14,13 @@
#!/bin/bash
if [ $# -lt 1 ]; then
echo "Usage: $0 ENVIRONMENT"
exit 1
fi
ORG_NAME=${org}
ENV_NAME=${env}
ENV_NAME=$1
wget https://github.com/apigee/api-platform-samples/raw/master/sample-proxies/apigee-quickstart/httpbin_rev1_2020_02_02.zip -O apiproxy.zip

4
blueprints/cloud-operations/network-dashboard/src/main.py
View File

@ -84,8 +84,8 @@ def do_discovery(resources):
{k: len(v) for k, v in resources.items() if not isinstance(v, str)}))
def do_init(resources, discovery_root, monitoring_project, folders=None, projects=None,
custom_quota=None):
def do_init(resources, discovery_root, monitoring_project, folders=None,
projects=None, custom_quota=None):
'''Calls init plugins to configure keys in the shared resource map.
Args:

8
blueprints/cloud-operations/network-dashboard/src/plugins/discover-cai.py
View File

@ -62,8 +62,8 @@ def _handle_discovery(resources, response, data):
'Processes the asset API response and returns parsed resources or next URL.'
LOGGER.info('discovery handle request')
for result in parse_cai_results(data, 'cai-compute', method='list'):
resource = _handle_resource(
resources, result['assetType'], result['resource'])
resource = _handle_resource(resources, result['assetType'],
result['resource'])
if not resource:
continue
yield resource
@ -214,6 +214,7 @@ def _handle_sql_instances(resource, data):
'availabilityType': data['settings']['availabilityType'],
}
def _handle_subnetworks(resource, data):
'Handles subnetwork type resource data.'
secondary_ranges = [{
@ -237,8 +238,7 @@ def _self_link(s):
def _url(resources):
'Returns discovery URL'
discovery_root = resources['config:discovery_root']
asset_types = '&'.join(
f'assetTypes={t}' for t in TYPES.values())
asset_types = '&'.join(f'assetTypes={t}' for t in TYPES.values())
return CAI_URL.format(root=discovery_root, asset_types=asset_types)

3
blueprints/cloud-operations/network-dashboard/src/plugins/series-psa.py
View File

@ -47,7 +47,8 @@ def timeseries(resources):
dtype.endswith('ratio'))
psa_nets = {
k: ipaddress.ip_network('{}/{}'.format(v['address'], v['prefixLength']))
for k, v in resources['global_addresses'].items() if v['prefixLength']
for k, v in resources['global_addresses'].items()
if v['prefixLength']
}
psa_counts = {}
for address, ip_count in _sql_addresses(resources.get('sql_instances', {})):

8
fast/stages/01-resman/outputs.tf
View File

@ -76,11 +76,11 @@ locals {
data-platform-prod = try(module.branch-dp-prod-folder.0.id, null)
gke-dev = try(module.branch-gke-dev-folder.0.id, null)
gke-prod = try(module.branch-gke-prod-folder.0.id, null)
networking = module.branch-network-folder.id
networking-dev = module.branch-network-dev-folder.id
networking-prod = module.branch-network-prod-folder.id
networking = try(module.branch-network-folder.id, null)
networking-dev = try(module.branch-network-dev-folder.id, null)
networking-prod = try(module.branch-network-prod-folder.id, null)
sandbox = try(module.branch-sandbox-folder.0.id, null)
security = module.branch-security-folder.id
security = try(module.branch-security-folder.id, null)
teams = try(module.branch-teams-folder.0.id, null)
},
{

28
modules/api-gateway/README.md
View File

@ -1,4 +1,4 @@
# Api Gateway
# API Gateway
This module allows creating an API with its associated API config and API gateway. It also allows you grant IAM roles on the created resources.
# Examples
@ -15,46 +15,46 @@ module "gateway" {
# ...
EOT
}
# tftest modules=1 resources=4
# tftest modules=1 resources=4 inventory=basic.yaml
```
## Basic example + customer service account
## Use existing service account
```hcl
module "gateway" {
source = "./fabric/modules/api-gateway"
project_id = "my-project"
api_id = "api"
region = "europe-west1"
spec = <<EOT
# The OpenAPI spec contents
# ...
EOT
service_account_email = "sa@my-project.iam.gserviceaccount.com"
iam = {
"roles/apigateway.admin" = ["user:user@example.com"]
}
spec = <<EOT
# The OpenAPI spec contents
# ...
EOT
}
# tftest modules=1 resources=7
# tftest modules=1 resources=7 inventory=existing-sa.yaml
```
## Basic example + service account creation
## Create service account
```hcl
module "gateway" {
source = "./fabric/modules/api-gateway"
project_id = "my-project"
api_id = "api"
region = "europe-west1"
spec = <<EOT
# The OpenAPI spec contents
# ...
EOT
service_account_create = true
iam = {
"roles/apigateway.admin" = ["user:mirene@google.com"]
"roles/apigateway.viewer" = ["user:mirene@google.com"]
}
spec = <<EOT
# The OpenAPI spec contents
# ...
EOT
}
# tftest modules=1 resources=11
# tftest modules=1 resources=11 inventory=create-sa.yaml
```
<!-- BEGIN TFDOC -->

29
modules/dns/README.md
View File

@ -21,7 +21,7 @@ module "private-dns" {
"A myhost" = { ttl = 600, records = ["10.0.0.120"] }
}
}
# tftest modules=1 resources=3
# tftest modules=1 resources=3 inventory=private-zone.yaml
```
### Forwarding Zone
@ -36,7 +36,7 @@ module "private-dns" {
client_networks = [var.vpc.self_link]
forwarders = { "10.0.1.1" = null, "1.2.3.4" = "private" }
}
# tftest modules=1 resources=1
# tftest modules=1 resources=1 inventory=forwarding-zone.yaml
```
### Peering Zone
@ -47,11 +47,12 @@ module "private-dns" {
project_id = "myproject"
type = "peering"
name = "test-example"
domain = "test.example."
domain = "."
description = "Forwarding zone for ."
client_networks = [var.vpc.self_link]
peer_network = var.vpc2.self_link
}
# tftest modules=1 resources=1
# tftest modules=1 resources=1 inventory=peering-zone.yaml
```
### Routing Policies
@ -84,7 +85,7 @@ module "private-dns" {
}
}
}
# tftest modules=1 resources=4
# tftest modules=1 resources=4 inventory=routing-policies.yaml
```
### Reverse Lookup Zone
@ -98,7 +99,23 @@ module "private-dns" {
domain = "0.0.10.in-addr.arpa."
client_networks = [var.vpc.self_link]
}
# tftest modules=1 resources=1
# tftest modules=1 resources=1 inventory=reverse-zone.yaml
```
### Public Zone
```hcl
module "public-dns" {
source = "./fabric/modules/dns"
project_id = "myproject"
type = "public"
name = "example"
domain = "example.com."
recordsets = {
"A myhost" = { ttl = 300, records = ["127.0.0.1"] }
}
}
# tftest modules=1 resources=3 inventory=public-zone.yaml
```
<!-- BEGIN TFDOC -->

2
modules/dns/main.tf
View File

@ -1,5 +1,5 @@
/**
* Copyright 2022 Google LLC
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

37
modules/gcs/README.md
View File

@ -8,50 +8,46 @@ module "bucket" {
project_id = "myproject"
prefix = "test"
name = "my-bucket"
versioning = true
iam = {
"roles/storage.admin" = ["group:storage@example.com"]
}
labels = {
cost-center = "devops"
}
}
# tftest modules=1 resources=2
# tftest modules=1 resources=2 inventory=simple.yaml
```
### Example with Cloud KMS
```hcl
module "bucket" {
source = "./fabric/modules/gcs"
project_id = "myproject"
prefix = "test"
name = "my-bucket"
iam = {
"roles/storage.admin" = ["group:storage@example.com"]
}
source = "./fabric/modules/gcs"
project_id = "myproject"
name = "my-bucket"
encryption_key = "my-encryption-key"
}
# tftest modules=1 resources=2
# tftest modules=1 resources=1 inventory=cmek.yaml
```
### Example with retention policy
### Example with retention policy and logging
```hcl
module "bucket" {
source = "./fabric/modules/gcs"
project_id = "myproject"
prefix = "test"
name = "my-bucket"
iam = {
"roles/storage.admin" = ["group:storage@example.com"]
}
retention_policy = {
retention_period = 100
is_locked = true
}
logging_config = {
log_bucket = var.bucket
log_bucket = "log-bucket"
log_object_prefix = null
}
}
# tftest modules=1 resources=2
# tftest modules=1 resources=1 inventory=retention-logging.yaml
```
### Example with lifecycle rule
@ -60,11 +56,7 @@ module "bucket" {
module "bucket" {
source = "./fabric/modules/gcs"
project_id = "myproject"
prefix = "test"
name = "my-bucket"
iam = {
"roles/storage.admin" = ["group:storage@example.com"]
}
lifecycle_rules = {
lr-0 = {
action = {
@ -77,7 +69,7 @@ module "bucket" {
}
}
}
# tftest modules=1 resources=2
# tftest modules=1 resources=1 inventory=lifecycle.yaml
```
### Minimal example with GCS notifications
@ -86,7 +78,6 @@ module "bucket" {
module "bucket-gcs-notification" {
source = "./fabric/modules/gcs"
project_id = "myproject"
prefix = "test"
name = "my-bucket"
notification_config = {
enabled = true
@ -97,7 +88,7 @@ module "bucket-gcs-notification" {
custom_attributes = {}
}
}
# tftest modules=1 resources=4
# tftest modules=1 resources=4 inventory=notification.yaml
```
<!-- BEGIN TFDOC -->

34
modules/gke-cluster/README.md
View File

@ -33,7 +33,7 @@ module "cluster-1" {
environment = "dev"
}
}
# tftest modules=1 resources=1
# tftest modules=1 resources=1 inventory=basic.yaml
```
### GKE Cluster with Dataplane V2 enabled
@ -42,7 +42,7 @@ module "cluster-1" {
module "cluster-1" {
source = "./fabric/modules/gke-cluster"
project_id = "myproject"
name = "cluster-1"
name = "cluster-dataplane-v2"
location = "europe-west1-b"
vpc_config = {
network = var.vpc.self_link
@ -68,8 +68,36 @@ module "cluster-1" {
environment = "dev"
}
}
# tftest modules=1 resources=1
# tftest modules=1 resources=1 inventory=dataplane-v2.yaml
```
### Autopilot Cluster
```hcl
module "cluster-autopilot" {
source = "./fabric/modules/gke-cluster"
project_id = "myproject"
name = "cluster-autopilot"
location = "europe-west1-b"
vpc_config = {
network = var.vpc.self_link
subnetwork = var.subnet.self_link
secondary_range_names = {
pods = "pods"
services = "services"
}
master_authorized_ranges = {
internal-vms = "10.0.0.0/8"
}
master_ipv4_cidr_block = "192.168.0.0/28"
}
enable_features = {
autopilot = true
}
}
# tftest modules=1 resources=1 inventory=autopilot.yaml
```
<!-- BEGIN TFDOC -->
## Variables

68
modules/gke-nodepool/README.md
View File

@ -16,7 +16,7 @@ module "cluster-1-nodepool-1" {
location = "europe-west1-b"
name = "nodepool-1"
}
# tftest modules=1 resources=1
# tftest modules=1 resources=1 inventory=basic.yaml
```
### Internally managed service account
@ -27,22 +27,11 @@ If you create a new service account, its resource and email (in both plain and I
#### GCE default service account
To use the GCE default service account, you can ignore the variable which is equivalent to `{ create = null, email = null }`.
```hcl
module "cluster-1-nodepool-1" {
source = "./fabric/modules/gke-nodepool"
project_id = "myproject"
cluster_name = "cluster-1"
location = "europe-west1-b"
name = "nodepool-1"
}
# tftest modules=1 resources=1
```
To use the GCE default service account, you can ignore the variable which is equivalent to `{ create = null, email = null }`. This is what the first example of this document does.
#### Externally defined service account
To use an existing service account, pass in just the `email` attribute.
To use an existing service account, pass in just the `email` attribute. If you do this, will most likely want to use the `cloud-platform` scope.
```hcl
module "cluster-1-nodepool-1" {
@ -52,10 +41,11 @@ module "cluster-1-nodepool-1" {
location = "europe-west1-b"
name = "nodepool-1"
service_account = {
email = "foo-bar@myproject.iam.gserviceaccount.com"
email = "foo-bar@myproject.iam.gserviceaccount.com"
oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
}
}
# tftest modules=1 resources=1
# tftest modules=1 resources=1 inventory=external-sa.yaml
```
#### Auto-created service account
@ -70,12 +60,48 @@ module "cluster-1-nodepool-1" {
location = "europe-west1-b"
name = "nodepool-1"
service_account = {
create = true
# optional
email = "spam-eggs"
create = true
email = "spam-eggs" # optional
oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
}
}
# tftest modules=1 resources=2
# tftest modules=1 resources=2 inventory=create-sa.yaml
```
### Node & node pool configuration
```hcl
module "cluster-1-nodepool-1" {
source = "./fabric/modules/gke-nodepool"
project_id = "myproject"
cluster_name = "cluster-1"
location = "europe-west1-b"
name = "nodepool-1"
labels = { environment = "dev" }
service_account = {
create = true
email = "nodepool-1" # optional
oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
}
node_config = {
machine_type = "n2-standard-2"
disk_size_gb = 50
disk_type = "pd-ssd"
ephemeral_ssd_count = 1
gvnic = true
spot = true
}
nodepool_config = {
autoscaling = {
max_node_count = 10
min_node_count = 1
}
management = {
auto_repair = true
auto_upgrade = false
}
}
}
# tftest modules=1 resources=2 inventory=config.yaml
```
<!-- BEGIN TFDOC -->
@ -97,7 +123,7 @@ module "cluster-1-nodepool-1" {
| [nodepool_config](variables.tf#L115) | Nodepool-level configuration. | <code title="object&#40;&#123;&#10; autoscaling &#61; optional&#40;object&#40;&#123;&#10; location_policy &#61; optional&#40;string&#41;&#10; max_node_count &#61; optional&#40;number&#41;&#10; min_node_count &#61; optional&#40;number&#41;&#10; use_total_nodes &#61; optional&#40;bool, false&#41;&#10; &#125;&#41;&#41;&#10; management &#61; optional&#40;object&#40;&#123;&#10; auto_repair &#61; optional&#40;bool&#41;&#10; auto_upgrade &#61; optional&#40;bool&#41;&#10; &#125;&#41;&#41;&#10; upgrade_settings &#61; optional&#40;object&#40;&#123;&#10; max_surge &#61; number&#10; max_unavailable &#61; number&#10; &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [pod_range](variables.tf#L137) | Pod secondary range configuration. | <code title="object&#40;&#123;&#10; secondary_pod_range &#61; object&#40;&#123;&#10; cidr &#61; optional&#40;string&#41;&#10; create &#61; optional&#40;bool&#41;&#10; name &#61; string&#10; &#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [reservation_affinity](variables.tf#L154) | Configuration of the desired reservation which instances could take capacity from. | <code title="object&#40;&#123;&#10; consume_reservation_type &#61; string&#10; key &#61; optional&#40;string&#41;&#10; values &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [service_account](variables.tf#L164) | Nodepool service account. If this variable is set to null, the default GCE service account will be used. If set and email is null, a service account will be created. If scopes are null a default will be used. | <code title="object&#40;&#123;&#10; create &#61; optional&#40;bool, false&#41;&#10; email &#61; optional&#40;string, null&#41;&#10; oauth_scopes &#61; optional&#40;list&#40;string&#41;, null&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [service_account](variables.tf#L164) | Nodepool service account. If this variable is set to null, the default GCE service account will be used. If set and email is null, a service account will be created. If scopes are null a default will be used. | <code title="object&#40;&#123;&#10; create &#61; optional&#40;bool, false&#41;&#10; email &#61; optional&#40;string&#41;&#10; oauth_scopes &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [sole_tenant_nodegroup](variables.tf#L175) | Sole tenant node group. | <code>string</code> | | <code>null</code> |
| [tags](variables.tf#L181) | Network tags applied to nodes. | <code>list&#40;string&#41;</code> | | <code>null</code> |
| [taints](variables.tf#L187) | Kubernetes taints applied to all nodes. | <code title="list&#40;object&#40;&#123;&#10; key &#61; string&#10; value &#61; string&#10; effect &#61; string&#10;&#125;&#41;&#41;">list&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>null</code> |

6
modules/gke-nodepool/variables.tf
View File

@ -1,5 +1,5 @@
/**
* Copyright 2022 Google LLC
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -165,8 +165,8 @@ variable "service_account" {
description = "Nodepool service account. If this variable is set to null, the default GCE service account will be used. If set and email is null, a service account will be created. If scopes are null a default will be used."
type = object({
create = optional(bool, false)
email = optional(string, null)
oauth_scopes = optional(list(string), null)
email = optional(string)
oauth_scopes = optional(list(string))
})
default = {}
nullable = false

145
modules/net-vpc/README.md
View File

@ -30,7 +30,88 @@ module "vpc" {
}
]
}
# tftest modules=1 resources=3
# tftest modules=1 resources=3 inventory=simple.yaml
```
### Subnet Options
```hcl
module "vpc" {
source = "./fabric/modules/net-vpc"
project_id = "my-project"
name = "my-network"
subnets = [
# simple subnet
{
name = "simple"
region = "europe-west1"
ip_cidr_range = "10.0.0.0/24"
},
# custom description and PGA disabled
{
name = "no-pga"
region = "europe-west1"
ip_cidr_range = "10.0.1.0/24",
description = "Subnet b"
enable_private_access = false
},
# secondary ranges
{
name = "with-secondary-ranges"
region = "europe-west1"
ip_cidr_range = "10.0.2.0/24"
secondary_ip_ranges = {
a = "192.168.0.0/24"
b = "192.168.1.0/24"
}
},
# enable flow logs
{
name = "with-flow-logs"
region = "europe-west1"
ip_cidr_range = "10.0.3.0/24"
flow_logs_config = {
flow_sampling = 0.5
aggregation_interval = "INTERVAL_10_MIN"
}
}
]
}
# tftest modules=1 resources=5 inventory=subnet-options.yaml
```
### Subnet IAM
```hcl
module "vpc" {
source = "./fabric/modules/net-vpc"
project_id = "my-project"
name = "my-network"
subnets = [
{
name = "subnet-1"
region = "europe-west1"
ip_cidr_range = "10.0.1.0/24"
},
{
name = "subnet-2"
region = "europe-west1"
ip_cidr_range = "10.0.1.0/24"
}
]
subnet_iam = {
"europe-west1/subnet-1" = {
"roles/compute.networkUser" = [
"user:user1@example.com", "group:group1@example.com"
]
}
"europe-west1/subnet-2" = {
"roles/compute.networkUser" = [
"user:user2@example.com", "group:group2@example.com"
]
}
}
}
# tftest modules=1 resources=5 inventory=subnet-iam.yaml
```
### Peering
@ -65,7 +146,7 @@ module "vpc-spoke-1" {
import_routes = true
}
}
# tftest modules=2 resources=6
# tftest modules=2 resources=6 inventory=peering.yaml
```
### Shared VPC
@ -116,7 +197,7 @@ module "vpc-host" {
}
}
}
# tftest modules=1 resources=7
# tftest modules=1 resources=7 inventory=shared-vpc.yaml
```
### Private Service Networking
@ -137,7 +218,7 @@ module "vpc" {
ranges = { myrange = "10.0.1.0/24" }
}
}
# tftest modules=1 resources=5
# tftest modules=1 resources=5 inventory=psc.yaml
```
### Private Service Networking with peering routes
@ -162,7 +243,7 @@ module "vpc" {
import_routes = true
}
}
# tftest modules=1 resources=5
# tftest modules=1 resources=5 inventory=psc-routes.yaml
```
### Subnets for Private Service Connect, Proxy-only subnets
@ -194,7 +275,7 @@ module "vpc" {
}
]
}
# tftest modules=1 resources=3
# tftest modules=1 resources=3 inventory=proxy-only-subnets.yaml
```
### DNS Policies
@ -219,7 +300,7 @@ module "vpc" {
}
]
}
# tftest modules=1 resources=3
# tftest modules=1 resources=3 inventory=dns-policies.yaml
```
### Subnet Factory
@ -233,11 +314,17 @@ module "vpc" {
name = "my-network"
data_folder = "config/subnets"
}
# tftest modules=1 resources=2 files=subnets
# tftest modules=1 resources=3 files=subnet-simple,subnet-detailed inventory=factory.yaml
```
```yaml
# tftest-file id=subnets path=config/subnets/subnet-name.yaml
# tftest-file id=subnet-simple path=config/subnets/subnet-simple.yaml
region: europe-west4
ip_cidr_range: 10.0.1.0/24
```
```yaml
# tftest-file id=subnet-detailed path=config/subnets/subnet-detailed.yaml
region: europe-west1
description: Sample description
ip_cidr_range: 10.0.0.0/24
@ -254,7 +341,45 @@ flow_logs: # enable, set to empty map to use defaults
metadata: "INCLUDE_ALL_METADATA"
filter_expression: null
```
<!-- BEGIN TFDOC -->
### Custom Routes
VPC routes can be configured through the `routes` variable.
```hcl
locals {
route_types = {
gateway = "global/gateways/default-internet-gateway"
instance = "zones/europe-west1-b/test"
ip = "192.168.0.128"
ilb = "regions/europe-west1/forwardingRules/test"
vpn_tunnel = "regions/europe-west1/vpnTunnels/foo"
}
}
module "vpc" {
source = "./fabric/modules/net-vpc"
for_each = local.route_types
project_id = "my-project"
name = "my-network-with-route-${replace(each.key, "_", "-")}"
routes = {
next-hop = {
dest_range = "192.168.128.0/24"
tags = null
next_hop_type = each.key
next_hop = each.value
}
gateway = {
dest_range = "0.0.0.0/0",
priority = 100
tags = ["tag-a"]
next_hop_type = "gateway",
next_hop = "global/gateways/default-internet-gateway"
}
}
}
# tftest modules=5 resources=15 inventory=routes.yaml
```
## Variables

6
modules/net-vpc/main.tf
View File

@ -1,5 +1,5 @@
/**
* Copyright 2022 Google LLC
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -109,7 +109,7 @@ resource "google_dns_policy" "default" {
)
iterator = ns
content {
ipv4_address = ns.key
ipv4_address = ns.value
forwarding_path = "private"
}
}
@ -121,7 +121,7 @@ resource "google_dns_policy" "default" {
)
iterator = ns
content {
ipv4_address = ns.key
ipv4_address = ns.value
}
}
}

4
tests/blueprints/apigee/hybrid-gke/basic.yaml
View File

@ -13,5 +13,5 @@
# limitations under the License.
counts:
modules: 9
resources: 37
modules: 17
resources: 59

4
tests/examples/conftest.py
View File

@ -1,4 +1,4 @@
# Copyright 2022 Google LLC
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -21,7 +21,7 @@ import marko
FABRIC_ROOT = Path(__file__).parents[2]
FILE_TEST_RE = re.compile(r'# tftest-file +id=(\w+) +path=([\S]+)')
FILE_TEST_RE = re.compile(r'# tftest-file +id=([\w_.-]+) +path=([\S]+)')
Example = collections.namedtuple('Example', 'name code module files')
File = collections.namedtuple('File', 'path content')

4
tests/examples/test_plan.py
View File

@ -1,4 +1,4 @@
# Copyright 2022 Google LLC
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -18,7 +18,7 @@ from pathlib import Path
BASE_PATH = Path(__file__).parent
COUNT_TEST_RE = re.compile(r'# tftest +modules=(\d+) +resources=(\d+)' +
r'(?: +files=([\w,-.]+))?' +
r'(?: +files=([\w,_-]+))?' +
r'(?: +inventory=([\w\-.]+))?')

42
tests/modules/api_gateway/examples/basic.yaml Normal file
View File

@ -0,0 +1,42 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.gateway.google_api_gateway_api.api:
api_id: api
display_name: api
project: my-project
module.gateway.google_api_gateway_api_config.api_config:
api: api
gateway_config: []
grpc_services: []
labels: null
managed_service_configs: []
project: my-project
module.gateway.google_api_gateway_gateway.gateway:
display_name: gw-api
gateway_id: gw-api
labels: null
project: my-project
region: europe-west1
module.gateway.google_project_service.service:
disable_dependent_services: true
disable_on_destroy: true
project: my-project
counts:
google_api_gateway_api: 1
google_api_gateway_api_config: 1
google_api_gateway_gateway: 1
google_project_service: 1

90
tests/modules/api_gateway/examples/create-sa.yaml Normal file
View File

@ -0,0 +1,90 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.gateway.google_api_gateway_api.api:
api_id: api
display_name: api
labels: null
project: my-project
module.gateway.google_api_gateway_api_config.api_config:
api: api
grpc_services: []
labels: null
managed_service_configs: []
project: my-project
module.gateway.google_api_gateway_api_config_iam_binding.api_config_iam_bindings["roles/apigateway.admin"]:
api: api
condition: []
members:
- user:mirene@google.com
project: my-project
role: roles/apigateway.admin
module.gateway.google_api_gateway_api_config_iam_binding.api_config_iam_bindings["roles/apigateway.viewer"]:
api: api
condition: []
members:
- user:mirene@google.com
project: my-project
role: roles/apigateway.viewer
module.gateway.google_api_gateway_api_iam_binding.api_iam_bindings["roles/apigateway.admin"]:
api: api
condition: []
members:
- user:mirene@google.com
project: my-project
role: roles/apigateway.admin
module.gateway.google_api_gateway_api_iam_binding.api_iam_bindings["roles/apigateway.viewer"]:
api: api
condition: []
members:
- user:mirene@google.com
project: my-project
role: roles/apigateway.viewer
module.gateway.google_api_gateway_gateway.gateway:
display_name: gw-api
gateway_id: gw-api
labels: null
project: my-project
region: europe-west1
module.gateway.google_api_gateway_gateway_iam_binding.gateway_iam_bindings["roles/apigateway.admin"]:
condition: []
gateway: gw-api
members:
- user:mirene@google.com
project: my-project
region: europe-west1
role: roles/apigateway.admin
module.gateway.google_api_gateway_gateway_iam_binding.gateway_iam_bindings["roles/apigateway.viewer"]:
condition: []
gateway: gw-api
members:
- user:mirene@google.com
project: my-project
region: europe-west1
role: roles/apigateway.viewer
module.gateway.google_project_service.service: {}
module.gateway.google_service_account.service_account[0]:
account_id: sa-api-cfg-api
project: my-project
counts:
google_api_gateway_api: 1
google_api_gateway_api_config: 1
google_api_gateway_api_config_iam_binding: 2
google_api_gateway_api_iam_binding: 2
google_api_gateway_gateway: 1
google_api_gateway_gateway_iam_binding: 2
google_project_service: 1
google_service_account: 1

71
tests/modules/api_gateway/examples/existing-sa.yaml Normal file
View File

@ -0,0 +1,71 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.gateway.google_api_gateway_api.api:
api_id: api
display_name: api
labels: null
project: my-project
module.gateway.google_api_gateway_api_config.api_config:
api: api
gateway_config:
- backend_config:
- google_service_account: sa@my-project.iam.gserviceaccount.com
grpc_services: []
labels: null
managed_service_configs: []
project: my-project
module.gateway.google_api_gateway_api_config_iam_binding.api_config_iam_bindings["roles/apigateway.admin"]:
api: api
api_config: api-cfg-api-8656c6040d6d9ba18a8b9b5f3955c223
condition: []
members:
- user:user@example.com
project: my-project
role: roles/apigateway.admin
module.gateway.google_api_gateway_api_iam_binding.api_iam_bindings["roles/apigateway.admin"]:
api: api
condition: []
members:
- user:user@example.com
project: my-project
role: roles/apigateway.admin
module.gateway.google_api_gateway_gateway.gateway:
display_name: gw-api
gateway_id: gw-api
labels: null
project: my-project
region: europe-west1
module.gateway.google_api_gateway_gateway_iam_binding.gateway_iam_bindings["roles/apigateway.admin"]:
condition: []
gateway: gw-api
members:
- user:user@example.com
project: my-project
region: europe-west1
role: roles/apigateway.admin
module.gateway.google_project_service.service:
disable_dependent_services: true
disable_on_destroy: true
project: my-project
counts:
google_api_gateway_api: 1
google_api_gateway_api_config: 1
google_api_gateway_api_config_iam_binding: 1
google_api_gateway_api_iam_binding: 1
google_api_gateway_gateway: 1
google_api_gateway_gateway_iam_binding: 1
google_project_service: 1

26
tests/modules/api_gateway/fixture/main.tf
View File

@ -1,26 +0,0 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
module "gateway" {
source = "../../../../modules/api-gateway"
api_id = var.api_id
project_id = var.project_id
labels = var.labels
iam = var.iam
region = var.region
spec = var.spec
service_account_create = true
}

55
tests/modules/api_gateway/fixture/variables.tf
View File

@ -1,55 +0,0 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "api_id" {
type = string
default = "my-api"
}
variable "iam" {
type = map(list(string))
default = null
}
variable "labels" {
type = map(string)
default = null
}
variable "project_id" {
type = string
default = "my-project"
}
variable "region" {
type = string
default = "europe-west1"
}
variable "service_account_create" {
type = bool
default = true
}
variable "service_account_email" {
type = string
default = null
}
variable "spec" {
type = string
default = "Spec contents"
}

34
tests/modules/dns/examples/forwarding-zone.yaml Normal file
View File

@ -0,0 +1,34 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.private-dns.google_dns_managed_zone.non-public[0]:
dns_name: test.example.
forwarding_config:
- target_name_servers:
- forwarding_path: ''
ipv4_address: 10.0.1.1
- forwarding_path: private
ipv4_address: 1.2.3.4
name: test-example
private_visibility_config:
- gke_clusters: []
networks:
- network_url: projects/xxx/global/networks/aaa
project: myproject
visibility: private
counts:
google_dns_managed_zone: 1

36
tests/modules/net_vpc/simple.yaml → tests/modules/dns/examples/peering-zone.yaml
View File

@ -1,4 +1,4 @@
# Copyright 2022 Google LLC
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -13,24 +13,22 @@
# limitations under the License.
values:
google_compute_network.network[0]:
auto_create_subnetworks: false
delete_default_routes_on_create: false
description: Terraform-managed.
name: test
project: test-project
routing_mode: GLOBAL
module.private-dns.google_dns_managed_zone.non-public[0]:
description: Forwarding zone for .
dns_name: .
forwarding_config: []
name: test-example
peering_config:
- target_network:
- network_url: projects/xxx/global/networks/ccc
private_visibility_config:
- gke_clusters: []
networks:
- network_url: projects/xxx/global/networks/aaa
project: myproject
visibility: private
counts:
google_compute_network: 1
google_dns_managed_zone: 1
outputs:
bindings: {}
project_id: test-project
subnet_ips: {}
subnet_regions: {}
subnet_secondary_ranges: {}
subnet_self_links: {}
subnets: {}
subnets_proxy_only: {}
subnets_psc: {}
outputs: {}

50
tests/modules/dns/examples/private-zone.yaml Normal file
View File

@ -0,0 +1,50 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.private-dns.google_dns_managed_zone.non-public[0]:
description: Terraform managed.
dns_name: test.example.
force_destroy: false
forwarding_config: []
name: test-example
peering_config: []
private_visibility_config:
- gke_clusters: []
networks:
- network_url: projects/xxx/global/networks/aaa
project: myproject
visibility: private
module.private-dns.google_dns_record_set.cloud-static-records["A localhost"]:
managed_zone: test-example
name: localhost.test.example.
project: myproject
routing_policy: []
rrdatas:
- 127.0.0.1
ttl: 300
type: A
module.private-dns.google_dns_record_set.cloud-static-records["A myhost"]:
managed_zone: test-example
name: myhost.test.example.
project: myproject
routing_policy: []
rrdatas:
- 10.0.0.120
ttl: 600
type: A
counts:
google_dns_managed_zone: 1
google_dns_record_set: 2

38
tests/modules/dns/examples/public-zone.yaml Normal file
View File

@ -0,0 +1,38 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.public-dns.google_dns_managed_zone.public[0]:
dns_name: example.com.
name: example
project: myproject
visibility: public
module.public-dns.google_dns_record_set.cloud-static-records["A myhost"]:
managed_zone: example
name: myhost.example.com.
project: myproject
routing_policy: []
rrdatas:
- 127.0.0.1
ttl: 300
type: A
counts:
google_dns_keys: 1
google_dns_managed_zone: 1
google_dns_record_set: 1
modules: 1
resources: 3
outputs: {}

24
tests/modules/net_vpc/data/factory-subnet.yaml → tests/modules/dns/examples/reverse-zone.yaml
View File

@ -1,4 +1,4 @@
# Copyright 2022 Google LLC
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -12,12 +12,16 @@
# See the License for the specific language governing permissions and
# limitations under the License.
region: europe-west1
description: Sample description
ip_cidr_range: 10.128.0.0/24
enable_private_access: false
iam_users: ["foobar@example.com"]
iam_groups: ["lorem@example.com"]
iam_service_accounts: ["foobar@project-id.iam.gserviceaccount.com"]
secondary_ip_ranges:
secondary-range-a: 192.168.128.0/24
values:
module.private-dns.google_dns_managed_zone.non-public[0]:
description: Terraform managed.
dns_name: 0.0.10.in-addr.arpa.
name: test-example
project: myproject
reverse_lookup: true
visibility: private
counts:
google_dns_managed_zone: 1
outputs: {}

80
tests/modules/dns/examples/routing-policies.yaml Normal file
View File

@ -0,0 +1,80 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.private-dns.google_dns_managed_zone.non-public[0]:
dns_name: test.example.
name: test-example
project: myproject
module.private-dns.google_dns_record_set.cloud-geo-records["A geo"]:
managed_zone: test-example
name: geo.test.example.
project: myproject
routing_policy:
- enable_geo_fencing: null
geo:
- health_checked_targets: []
location: europe-west1
rrdatas:
- 10.0.0.1
- health_checked_targets: []
location: europe-west2
rrdatas:
- 10.0.0.2
- health_checked_targets: []
location: europe-west3
rrdatas:
- 10.0.0.3
primary_backup: []
wrr: []
rrdatas: null
ttl: 300
type: A
module.private-dns.google_dns_record_set.cloud-static-records["A regular"]:
managed_zone: test-example
name: regular.test.example.
project: myproject
routing_policy: []
rrdatas:
- 10.20.0.1
ttl: 300
type: A
module.private-dns.google_dns_record_set.cloud-wrr-records["A wrr"]:
managed_zone: test-example
name: wrr.test.example.
project: myproject
routing_policy:
- enable_geo_fencing: null
geo: []
primary_backup: []
wrr:
- health_checked_targets: []
rrdatas:
- 10.10.0.1
weight: 0.6
- health_checked_targets: []
rrdatas:
- 10.10.0.2
weight: 0.2
- health_checked_targets: []
rrdatas:
- 10.10.0.3
weight: 0.2
rrdatas: null
ttl: 600
type: A
counts:
google_dns_managed_zone: 1
google_dns_record_set: 3

62
tests/modules/dns/fixture/variables.tf
View File

@ -1,62 +0,0 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "client_networks" {
type = list(string)
default = [
"https://www.googleapis.com/compute/v1/projects/my-project/global/networks/default"
]
}
variable "forwarders" {
type = map(string)
default = {}
}
variable "peer_network" {
type = string
default = null
}
variable "recordsets" {
type = any
default = {
"A localhost" = { ttl = 300, records = ["127.0.0.1"] }
"A local-host.test.example." = { ttl = 300, records = ["127.0.0.2"] }
"CNAME *" = { ttl = 300, records = ["localhost.example.org."] }
"A " = { ttl = 300, records = ["127.0.0.3"] }
"A geo" = {
geo_routing = [
{ location = "europe-west1", records = ["127.0.0.4"] },
{ location = "europe-west2", records = ["127.0.0.5"] },
{ location = "europe-west3", records = ["127.0.0.6"] }
]
}
"A wrr" = {
ttl = 600
wrr_routing = [
{ weight = 0.6, records = ["127.0.0.7"] },
{ weight = 0.2, records = ["127.0.0.8"] },
{ weight = 0.2, records = ["127.0.0.9"] }
]
}
}
}
variable "type" {
type = string
default = "private"
}

5
tests/modules/dns/no_clients.tfvars Normal file
View File

@ -0,0 +1,5 @@
type = "private"
domain = "test.example."
name = "test"
project_id = "my-project"
client_networks = []

19
tests/modules/gcs/iam.yaml → tests/modules/dns/no_clients.yaml
View File

@ -1,4 +1,4 @@
# Copyright 2022 Google LLC
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -13,18 +13,13 @@
# limitations under the License.
values:
google_storage_bucket.bucket:
google_dns_managed_zone.non-public[0]:
dns_name: test.example.
name: test
google_storage_bucket_iam_binding.bindings["roles/storage.admin"]:
bucket: test
condition: []
members:
- user:a@example.org
role: roles/storage.admin
private_visibility_config: []
visibility: private
counts:
google_storage_bucket: 1
google_storage_bucket_iam_binding: 1
google_dns_managed_zone: 1
modules: 0
resources: 2
resources: 1

4
tests/modules/dns/null_forwarders.tfvars Normal file
View File

@ -0,0 +1,4 @@
type = "forwarding"
domain = "test.example."
name = "test"
project_id = "my-project"

11
tests/modules/net_vpc/data/factory-subnet2.yaml → tests/modules/dns/null_forwarders.yaml
View File

@ -1,4 +1,4 @@
# Copyright 2022 Google LLC
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -12,6 +12,9 @@
# See the License for the specific language governing permissions and
# limitations under the License.
region: europe-west4
description: Sample description
ip_cidr_range: 10.129.0.0/24
values:
google_dns_managed_zone.non-public[0]:
forwarding_config: []
counts:
google_dns_managed_zone: 1

138
tests/modules/dns/test_plan.py
View File

@ -1,138 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
def test_private(plan_runner):
"Test private zone with three recordsets."
_, resources = plan_runner()
assert len(resources) == 7
assert set(r['type'] for r in resources) == {
'google_dns_record_set', 'google_dns_managed_zone'
}
for r in resources:
if r['type'] != 'google_dns_managed_zone':
continue
assert r['values']['visibility'] == 'private'
assert len(r['values']['private_visibility_config']) == 1
def test_private_recordsets(plan_runner):
"Test recordsets in private zone."
_, resources = plan_runner()
recordsets = [
r['values'] for r in resources if r['type'] == 'google_dns_record_set'
]
assert set(r['name'] for r in recordsets) == {
'localhost.test.example.', 'local-host.test.example.', '*.test.example.',
"test.example.", "geo.test.example.", "wrr.test.example."
}
for r in recordsets:
if r['name'] not in ['wrr.test.example.', 'geo.test.example.']:
assert r['routing_policy'] == []
assert r['rrdatas'] != []
def test_routing_policies(plan_runner):
"Test recordsets with routing policies."
_, resources = plan_runner()
recordsets = [
r['values'] for r in resources if r['type'] == 'google_dns_record_set'
]
geo_zone = [
r['values'] for r in resources if r['address'] ==
'module.test.google_dns_record_set.cloud-geo-records["A geo"]'
][0]
assert geo_zone['name'] == 'geo.test.example.'
assert geo_zone['routing_policy'][0]['wrr'] == []
geo_policy = geo_zone['routing_policy'][0]['geo']
assert geo_policy[0]['location'] == 'europe-west1'
assert geo_policy[0]['rrdatas'] == ['127.0.0.4']
assert geo_policy[1]['location'] == 'europe-west2'
assert geo_policy[1]['rrdatas'] == ['127.0.0.5']
assert geo_policy[2]['location'] == 'europe-west3'
assert geo_policy[2]['rrdatas'] == ['127.0.0.6']
wrr_zone = [
r['values'] for r in resources if r['address'] ==
'module.test.google_dns_record_set.cloud-wrr-records["A wrr"]'
][0]
assert wrr_zone['name'] == 'wrr.test.example.'
wrr_policy = wrr_zone['routing_policy'][0]['wrr']
assert wrr_policy[0]['weight'] == 0.6
assert wrr_policy[0]['rrdatas'] == ['127.0.0.7']
assert wrr_policy[1]['weight'] == 0.2
assert wrr_policy[1]['rrdatas'] == ['127.0.0.8']
assert wrr_policy[2]['weight'] == 0.2
assert wrr_policy[2]['rrdatas'] == ['127.0.0.9']
assert wrr_zone['routing_policy'][0]['geo'] == []
def test_private_no_networks(plan_runner):
"Test private zone not exposed to any network."
_, resources = plan_runner(client_networks='[]')
for r in resources:
if r['type'] != 'google_dns_managed_zone':
continue
assert r['values']['visibility'] == 'private'
assert len(r['values']['private_visibility_config']) == 0
def test_forwarding_recordsets_null_forwarders(plan_runner):
"Test forwarding zone with wrong set of attributes does not break."
_, resources = plan_runner(type='forwarding')
assert len(resources) == 1
resource = resources[0]
assert resource['type'] == 'google_dns_managed_zone'
assert resource['values']['forwarding_config'] == []
def test_forwarding(plan_runner):
"Test forwarding zone with single forwarder."
_, resources = plan_runner(type='forwarding', recordsets='null',
forwarders='{ "1.2.3.4" = null }')
assert len(resources) == 1
resource = resources[0]
assert resource['type'] == 'google_dns_managed_zone'
assert resource['values']['forwarding_config'] == [{
'target_name_servers': [{
'forwarding_path': '',
'ipv4_address': '1.2.3.4'
}]
}]
def test_peering(plan_runner):
"Test peering zone."
_, resources = plan_runner(type='peering', recordsets='null',
peer_network='dummy-vpc-self-link')
assert len(resources) == 1
resource = resources[0]
assert resource['type'] == 'google_dns_managed_zone'
assert resource['values']['peering_config'] == [{
'target_network': [{
'network_url': 'dummy-vpc-self-link'
}]
}]
def test_public(plan_runner):
"Test public zone with two recordsets."
_, resources = plan_runner(type='public')
for r in resources:
if r['type'] != 'google_dns_managed_zone':
continue
assert r['values']['visibility'] == 'public'
assert r['values']['private_visibility_config'] == []

11
tests/modules/gcs/tftest.yaml → tests/modules/dns/tftest.yaml
View File

@ -1,4 +1,4 @@
# Copyright 2022 Google LLC
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -12,9 +12,8 @@
# See the License for the specific language governing permissions and
# limitations under the License.
module: modules/gcs
common_tfvars:
- common.tfvars
module: modules/dns
tests:
prefix:
iam:
no_clients:
null_forwarders:

13
tests/modules/gcs/common.tfvars
View File

@ -1,13 +0,0 @@
force_destroy = true
labels = { environment = "test" }
logging_config = {
log_bucket = "foo"
}
name = "test"
project_id = "test-project"
retention_policy = {
retention_period = 5
is_locked = false
}
storage_class = "MULTI_REGIONAL"
versioning = true

14
tests/modules/api_gateway/test_plan.py → tests/modules/gcs/examples/cmek.yaml
View File

@ -1,4 +1,4 @@
# Copyright 2022 Google LLC
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -12,8 +12,12 @@
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.bucket.google_storage_bucket.bucket:
encryption:
- default_kms_key_name: my-encryption-key
name: my-bucket
project: myproject
def test_resource_count(plan_runner):
"Test number of resources created."
_, resources = plan_runner()
assert len(resources) == 5
counts:
google_storage_bucket: 1

46
tests/modules/gcs/prefix.yaml → tests/modules/gcs/examples/lifecycle.yaml
View File

@ -1,4 +1,4 @@
# Copyright 2022 Google LLC
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -13,32 +13,26 @@
# limitations under the License.
values:
google_storage_bucket.bucket:
force_destroy: true
labels:
environment: test
location: EU
logging:
- log_bucket: foo
name: foo-test
project: test-project
retention_policy:
- is_locked: false
retention_period: 5
storage_class: MULTI_REGIONAL
uniform_bucket_level_access: true
versioning:
- enabled: true
module.bucket.google_storage_bucket.bucket:
lifecycle_rule:
- action:
- storage_class: STANDARD
type: SetStorageClass
condition:
- age: 30
created_before: ''
custom_time_before: ''
days_since_custom_time: null
days_since_noncurrent_time: null
matches_prefix: []
matches_storage_class: []
matches_suffix: []
noncurrent_time_before: ''
num_newer_versions: null
name: my-bucket
project: myproject
counts:
google_storage_bucket: 1
modules: 0
resources: 1
outputs:
bucket: __missing__
id: foo-test
name: foo-test
notification: null
topic: null
url: __missing__
outputs: {}

31
tests/modules/gcs/examples/notification.yaml Normal file
View File

@ -0,0 +1,31 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.bucket-gcs-notification.google_pubsub_topic.topic[0]: {}
module.bucket-gcs-notification.google_pubsub_topic_iam_binding.binding[0]: {}
module.bucket-gcs-notification.google_storage_bucket.bucket:
name: my-bucket
project: myproject
module.bucket-gcs-notification.google_storage_notification.notification[0]:
bucket: my-bucket
event_types:
- OBJECT_FINALIZE
payload_format: JSON_API_V1
counts:
google_pubsub_topic: 1
google_pubsub_topic_iam_binding: 1
google_storage_bucket: 1
google_storage_notification: 1

26
tests/modules/gcs/examples/retention-logging.yaml Normal file
View File

@ -0,0 +1,26 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.bucket.google_storage_bucket.bucket:
logging:
- log_bucket: log-bucket
name: my-bucket
project: myproject
retention_policy:
- is_locked: true
retention_period: 100
counts:
google_storage_bucket: 1

46
tests/modules/gcs/examples/simple.yaml Normal file
View File

@ -0,0 +1,46 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.bucket.google_storage_bucket.bucket:
autoclass: []
cors: []
custom_placement_config: []
default_event_based_hold: null
encryption: []
force_destroy: false
labels:
cost-center: devops
lifecycle_rule: []
location: EU
logging: []
name: test-my-bucket
project: myproject
requester_pays: null
retention_policy: []
storage_class: MULTI_REGIONAL
timeouts: null
uniform_bucket_level_access: true
versioning:
- enabled: true
module.bucket.google_storage_bucket_iam_binding.bindings["roles/storage.admin"]:
bucket: test-my-bucket
condition: []
members:
- group:storage@example.com
role: roles/storage.admin
counts:
google_storage_bucket: 1
google_storage_bucket_iam_binding: 1

3
tests/modules/gcs/iam.tfvars
View File

@ -1,3 +0,0 @@
iam = {
"roles/storage.admin" = ["user:a@example.org"]
}

1
tests/modules/gcs/prefix.tfvars
View File

@ -1 +0,0 @@
prefix = "foo"

32
tests/modules/gke_cluster/examples/autopilot.yaml Normal file
View File

@ -0,0 +1,32 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.cluster-autopilot.google_container_cluster.cluster:
enable_autopilot: true
ip_allocation_policy:
- cluster_secondary_range_name: pods
services_secondary_range_name: services
location: europe-west1-b
master_authorized_networks_config:
- cidr_blocks:
- cidr_block: 10.0.0.0/8
display_name: internal-vms
name: cluster-autopilot
network: projects/xxx/global/networks/aaa
project: myproject
subnetwork: subnet_self_link
counts:
google_container_cluster: 1

42
tests/modules/gke_cluster/examples/basic.yaml Normal file
View File

@ -0,0 +1,42 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.cluster-1.google_container_cluster.cluster:
default_max_pods_per_node: 32
ip_allocation_policy:
- cluster_secondary_range_name: pods
services_secondary_range_name: services
location: europe-west1-b
master_authorized_networks_config:
- cidr_blocks:
- cidr_block: 10.0.0.0/8
display_name: internal-vms
name: cluster-1
network: projects/xxx/global/networks/aaa
private_cluster_config:
- enable_private_endpoint: true
enable_private_nodes: true
master_global_access_config:
- enabled: false
master_ipv4_cidr_block: 192.168.0.0/28
private_endpoint_subnetwork: null
project: myproject
remove_default_node_pool: true
resource_labels:
environment: dev
subnetwork: subnet_self_link
counts:
google_container_cluster: 1

45
tests/modules/gke_cluster/examples/dataplane-v2.yaml Normal file
View File

@ -0,0 +1,45 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.cluster-1.google_container_cluster.cluster:
datapath_provider: ADVANCED_DATAPATH
ip_allocation_policy:
- cluster_secondary_range_name: pods
services_secondary_range_name: services
location: europe-west1-b
master_authorized_networks_config:
- cidr_blocks:
- cidr_block: 10.0.0.0/8
display_name: internal-vms
min_master_version: null
name: cluster-dataplane-v2
network: projects/xxx/global/networks/aaa
private_cluster_config:
- enable_private_endpoint: true
enable_private_nodes: true
master_global_access_config:
- enabled: false
master_ipv4_cidr_block: 192.168.0.0/28
private_endpoint_subnetwork: null
project: myproject
remove_default_node_pool: true
resource_labels:
environment: dev
subnetwork: subnet_self_link
workload_identity_config:
- workload_pool: myproject.svc.id.goog
counts:
google_container_cluster: 1

43
tests/modules/gke_cluster/fixture/variables.tf
View File

@ -1,43 +0,0 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "enable_addons" {
type = any
default = {
horizontal_pod_autoscaling = true
http_load_balancing = true
}
}
variable "enable_features" {
type = any
default = {
workload_identity = true
}
}
variable "monitoring_config" {
type = any
default = {
managed_prometheus = true
}
}
variable "tags" {
description = "Network tags applied to nodes."
type = list(string)
default = null
}

38
tests/modules/gke_cluster/test_plan.py
View File

@ -1,38 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
def test_standard(plan_runner):
"Test resources created with variable defaults."
_, resources = plan_runner()
assert len(resources) == 1
cluster_config = resources[0]['values']
assert cluster_config['name'] == "cluster-1"
assert cluster_config['network'] == "mynetwork"
assert cluster_config['subnetwork'] == "mysubnet"
assert cluster_config['enable_autopilot'] is None
# assert 'service_account' not in node_config
def test_autopilot(plan_runner):
"Test resources created with variable defaults."
_, resources = plan_runner(enable_features='{ autopilot=true }')
assert len(resources) == 1
cluster_config = resources[0]['values']
assert cluster_config['name'] == "cluster-1"
assert cluster_config['network'] == "mynetwork"
assert cluster_config['subnetwork'] == "mysubnet"
assert cluster_config['enable_autopilot'] == True
# assert 'service_account' not in node_config

23
tests/modules/gke_nodepool/examples/basic.yaml Normal file
View File

@ -0,0 +1,23 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.cluster-1-nodepool-1.google_container_node_pool.nodepool:
cluster: cluster-1
location: europe-west1-b
name: nodepool-1
project: myproject
counts:
google_container_node_pool: 1

60
tests/modules/gke_nodepool/examples/config.yaml Normal file
View File

@ -0,0 +1,60 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.cluster-1-nodepool-1.google_container_node_pool.nodepool:
autoscaling:
- location_policy: null
max_node_count: 10
min_node_count: 1
total_max_node_count: null
total_min_node_count: null
cluster: cluster-1
initial_node_count: 1
location: europe-west1-b
management:
- auto_repair: true
auto_upgrade: false
name: nodepool-1
node_config:
- boot_disk_kms_key: null
disk_size_gb: 50
disk_type: pd-ssd
ephemeral_storage_config:
- local_ssd_count: 1
gcfs_config: []
gvnic: []
kubelet_config: []
labels:
environment: dev
linux_node_config: []
logging_variant: DEFAULT
machine_type: n2-standard-2
node_group: null
oauth_scopes:
- https://www.googleapis.com/auth/cloud-platform
preemptible: false
reservation_affinity: []
resource_labels: null
sandbox_config: []
spot: true
tags: null
taint: []
placement_policy: []
project: myproject
module.cluster-1-nodepool-1.google_service_account.service_account[0]: {}
counts:
google_container_node_pool: 1
google_service_account: 1

52
tests/modules/gke_nodepool/examples/create-sa.yaml Normal file
View File

@ -0,0 +1,52 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.cluster-1-nodepool-1.google_container_node_pool.nodepool:
cluster: cluster-1
location: europe-west1-b
name: nodepool-1
node_config:
- boot_disk_kms_key: null
disk_type: pd-balanced
ephemeral_storage_config: []
gcfs_config: []
gvnic: []
kubelet_config: []
linux_node_config: []
logging_variant: DEFAULT
node_group: null
oauth_scopes:
- https://www.googleapis.com/auth/cloud-platform
preemptible: false
reservation_affinity: []
resource_labels: null
sandbox_config: []
spot: false
tags: null
taint: []
placement_policy: []
project: myproject
timeouts: null
module.cluster-1-nodepool-1.google_service_account.service_account[0]:
account_id: spam-eggs
description: null
disabled: false
display_name: Terraform GKE cluster-1 nodepool-1.
project: myproject
timeouts: null
counts:
google_container_node_pool: 1
google_service_account: 1

43
tests/modules/gke_nodepool/examples/external-sa.yaml Normal file
View File

@ -0,0 +1,43 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.cluster-1-nodepool-1.google_container_node_pool.nodepool:
cluster: cluster-1
location: europe-west1-b
name: nodepool-1
node_config:
- boot_disk_kms_key: null
disk_type: pd-balanced
ephemeral_storage_config: []
gcfs_config: []
gvnic: []
kubelet_config: []
linux_node_config: []
logging_variant: DEFAULT
node_group: null
oauth_scopes:
- https://www.googleapis.com/auth/cloud-platform
preemptible: false
reservation_affinity: []
resource_labels: null
sandbox_config: []
service_account: foo-bar@myproject.iam.gserviceaccount.com
spot: false
tags: null
taint: []
project: myproject
counts:
google_container_node_pool: 1

45
tests/modules/gke_nodepool/fixture/main.tf
View File

@ -1,45 +0,0 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
resource "google_service_account" "test" {
project = "my-project"
account_id = "gke-nodepool-test"
display_name = "Test Service Account"
}
module "test" {
source = "../../../../modules/gke-nodepool"
project_id = "my-project"
cluster_name = "cluster-1"
location = "europe-west1-b"
name = "nodepool-1"
gke_version = var.gke_version
labels = var.labels
max_pods_per_node = var.max_pods_per_node
node_config = var.node_config
node_count = var.node_count
node_locations = var.node_locations
nodepool_config = var.nodepool_config
pod_range = var.pod_range
reservation_affinity = var.reservation_affinity
service_account = {
create = var.service_account_create
email = google_service_account.test.email
}
sole_tenant_nodegroup = var.sole_tenant_nodegroup
tags = var.tags
taints = var.taints
}

86
tests/modules/gke_nodepool/fixture/variables.tf
View File

@ -1,86 +0,0 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "gke_version" {
type = string
default = null
}
variable "labels" {
type = map(string)
default = {}
nullable = false
}
variable "max_pods_per_node" {
type = number
default = null
}
variable "node_config" {
type = any
default = {
disk_type = "pd-balanced"
}
}
variable "node_count" {
type = any
default = {
initial = 1
}
nullable = false
}
variable "node_locations" {
type = list(string)
default = null
}
variable "nodepool_config" {
type = any
default = null
}
variable "pod_range" {
type = any
default = null
}
variable "reservation_affinity" {
type = any
default = null
}
variable "service_account_create" {
type = bool
default = false
}
variable "sole_tenant_nodegroup" {
type = string
default = null
}
variable "tags" {
type = list(string)
default = null
}
variable "taints" {
type = any
default = null
}

67
tests/modules/gke_nodepool/test_plan.py
View File

@ -1,67 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
def test_defaults(plan_runner):
"Test resources created with variable defaults."
_, resources = plan_runner()
assert len(resources) == 1
assert resources[0]['values']['autoscaling'] == []
def test_service_account(plan_runner):
_, resources = plan_runner()
assert len(resources) == 1
_, resources = plan_runner(service_account_create='true')
assert len(resources) == 2
assert 'google_service_account' in [r['type'] for r in resources]
def test_nodepool_config(plan_runner):
nodepool_config = '''{
autoscaling = { use_total_nodes = true, max_node_count = 3}
management = {}
upgrade_settings = { max_surge = 3, max_unavailable = 3 }
}'''
_, resources = plan_runner(nodepool_config=nodepool_config)
assert resources[0]['values']['autoscaling'] == [{
'location_policy': None,
'max_node_count': None,
'min_node_count': None,
'total_max_node_count': 3,
'total_min_node_count': None
}]
nodepool_config = '{ autoscaling = { max_node_count = 3} }'
_, resources = plan_runner(nodepool_config=nodepool_config)
assert resources[0]['values']['autoscaling'] == [{
'location_policy': None,
'max_node_count': 3,
'min_node_count': None,
'total_max_node_count': None,
'total_min_node_count': None
}]
def test_node_config(plan_runner):
node_config = '''{
gcfs = true
metadata = { foo = "bar" }
}'''
_, resources = plan_runner(node_config=node_config)
values = resources[0]['values']['node_config'][0]
assert values['gcfs_config'] == [{'enabled': True}]
assert values['metadata'] == {
'disable-legacy-endpoints': 'true',
'foo': 'bar'
}

42
tests/modules/net_vpc/examples/dns-policies.yaml Normal file
View File

@ -0,0 +1,42 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.vpc.google_compute_network.network[0]:
name: my-network
project: my-project
module.vpc.google_compute_subnetwork.subnetwork["europe-west1/production"]: {}
module.vpc.google_dns_policy.default[0]:
alternative_name_server_config:
- target_name_servers:
- forwarding_path: ''
ipv4_address: '8.8.8.8'
- forwarding_path: private
ipv4_address: '10.0.0.1'
description: Managed by Terraform
enable_inbound_forwarding: true
enable_logging: null
name: my-network
networks:
- {}
project: my-project
counts:
google_compute_network: 1
google_compute_subnetwork: 1
google_dns_policy: 1
modules: 1
resources: 3
outputs: {}

50
tests/modules/net_vpc/examples/factory.yaml Normal file
View File

@ -0,0 +1,50 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.vpc.google_compute_network.network[0]:
name: my-network
project: my-project
routing_mode: GLOBAL
module.vpc.google_compute_subnetwork.subnetwork["europe-west1/subnet-detailed"]:
description: Sample description
ip_cidr_range: 10.0.0.0/24
log_config:
- aggregation_interval: INTERVAL_5_SEC
filter_expr: 'true'
flow_sampling: 0.5
metadata: INCLUDE_ALL_METADATA
metadata_fields: null
name: subnet-detailed
private_ip_google_access: false
project: my-project
region: europe-west1
role: null
secondary_ip_range:
- ip_cidr_range: 192.168.0.0/24
range_name: secondary-range-a
module.vpc.google_compute_subnetwork.subnetwork["europe-west4/subnet-simple"]:
description: Terraform-managed.
ip_cidr_range: 10.0.1.0/24
log_config: []
name: subnet-simple
private_ip_google_access: true
project: my-project
region: europe-west4
role: null
secondary_ip_range: []
counts:
google_compute_network: 1
google_compute_subnetwork: 2

43
tests/modules/net_vpc/peering.yaml → tests/modules/net_vpc/examples/peering.yaml
View File

@ -1,4 +1,4 @@
# Copyright 2022 Google LLC
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -13,35 +13,22 @@
# limitations under the License.
values:
google_compute_network.network[0]:
auto_create_subnetworks: false
delete_default_routes_on_create: false
description: Terraform-managed.
name: test
project: test-project
routing_mode: GLOBAL
google_compute_network_peering.local[0]:
export_custom_routes: true
import_custom_routes: false
name: test-peer
peer_network: projects/my-project/global/networks/peer
google_compute_network_peering.remote[0]:
module.vpc-hub.google_compute_network.network[0]: {}
module.vpc-spoke-1.google_compute_network.network[0]: {}
module.vpc-hub.google_compute_subnetwork.subnetwork["europe-west1/subnet-1"]: {}
module.vpc-spoke-1.google_compute_subnetwork.subnetwork["europe-west1/subnet-2"]: {}
module.vpc-spoke-1.google_compute_network_peering.local[0]:
export_custom_routes: false
export_subnet_routes_with_public_ip: true
import_custom_routes: true
name: peer-test
network: projects/my-project/global/networks/peer
import_subnet_routes_with_public_ip: null
module.vpc-spoke-1.google_compute_network_peering.remote[0]:
export_custom_routes: true
export_subnet_routes_with_public_ip: true
import_custom_routes: false
import_subnet_routes_with_public_ip: null
counts:
google_compute_network: 1
google_compute_network: 2
google_compute_network_peering: 2
outputs:
bindings: {}
project_id: test-project
subnet_ips: {}
subnet_regions: {}
subnet_secondary_ranges: {}
subnet_self_links: {}
subnets: {}
subnets_proxy_only: {}
subnets_psc: {}
google_compute_subnetwork: 2

40
tests/modules/net_vpc/examples/proxy-only-subnets.yaml Normal file
View File

@ -0,0 +1,40 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.vpc.google_compute_network.network[0]:
name: my-network
project: my-project
module.vpc.google_compute_subnetwork.proxy_only["europe-west1/regional-proxy"]:
description: Terraform-managed proxy-only subnet for Regional HTTPS or Internal HTTPS LB.
ip_cidr_range: 10.0.1.0/24
log_config: []
name: regional-proxy
project: my-project
purpose: REGIONAL_MANAGED_PROXY
region: europe-west1
role: ACTIVE
module.vpc.google_compute_subnetwork.psc["europe-west1/psc"]:
description: Terraform-managed subnet for Private Service Connect (PSC NAT).
ip_cidr_range: 10.0.3.0/24
log_config: []
name: psc
project: my-project
purpose: PRIVATE_SERVICE_CONNECT
region: europe-west1
role: null
counts:
google_compute_network: 1
google_compute_subnetwork: 2

47
tests/modules/net_vpc/examples/psc-routes.yaml Normal file
View File

@ -0,0 +1,47 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.vpc.google_compute_global_address.psa_ranges["myrange"]:
address: 10.0.1.0
address_type: INTERNAL
description: null
ip_version: null
name: myrange
prefix_length: 24
project: my-project
purpose: VPC_PEERING
module.vpc.google_compute_network.network[0]:
name: my-network
project: my-project
routing_mode: GLOBAL
module.vpc.google_compute_network_peering_routes_config.psa_routes["1"]:
export_custom_routes: true
import_custom_routes: true
project: my-project
module.vpc.google_compute_subnetwork.subnetwork["europe-west1/production"]:
ip_cidr_range: 10.0.0.0/24
name: production
project: my-project
module.vpc.google_service_networking_connection.psa_connection["1"]:
reserved_peering_ranges:
- myrange
service: servicenetworking.googleapis.com
counts:
google_compute_global_address: 1
google_compute_network: 1
google_compute_network_peering_routes_config: 1
google_compute_subnetwork: 1
google_service_networking_connection: 1

46
tests/modules/net_vpc/examples/psc.yaml Normal file
View File

@ -0,0 +1,46 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.vpc.google_compute_global_address.psa_ranges["myrange"]:
address: 10.0.1.0
address_type: INTERNAL
name: myrange
prefix_length: 24
project: my-project
purpose: VPC_PEERING
module.vpc.google_compute_network.network[0]:
name: my-network
project: my-project
module.vpc.google_compute_network_peering_routes_config.psa_routes["1"]:
export_custom_routes: false
import_custom_routes: false
project: my-project
module.vpc.google_compute_subnetwork.subnetwork["europe-west1/production"]:
ip_cidr_range: 10.0.0.0/24
name: production
project: my-project
module.vpc.google_service_networking_connection.psa_connection["1"]:
reserved_peering_ranges:
- myrange
service: servicenetworking.googleapis.com
counts:
google_compute_global_address: 1
google_compute_network: 1
google_compute_network_peering_routes_config: 1
google_compute_subnetwork: 1
google_service_networking_connection: 1
outputs: {}

146
tests/modules/net_vpc/examples/routes.yaml Normal file
View File

@ -0,0 +1,146 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.vpc["gateway"].google_compute_network.network[0]:
name: my-network-with-route-gateway
project: my-project
routing_mode: GLOBAL
module.vpc["gateway"].google_compute_route.gateway["gateway"]:
dest_range: 0.0.0.0/0
name: my-network-with-route-gateway-gateway
next_hop_gateway: global/gateways/default-internet-gateway
next_hop_ilb: null
next_hop_instance: null
next_hop_vpn_tunnel: null
priority: 100
project: my-project
tags:
- tag-a
module.vpc["gateway"].google_compute_route.gateway["next-hop"]:
dest_range: 192.168.128.0/24
name: my-network-with-route-gateway-next-hop
next_hop_gateway: global/gateways/default-internet-gateway
next_hop_ilb: null
next_hop_instance: null
next_hop_vpn_tunnel: null
priority: 1000
project: my-project
tags: null
module.vpc["ilb"].google_compute_network.network[0]:
name: my-network-with-route-ilb
project: my-project
routing_mode: GLOBAL
module.vpc["ilb"].google_compute_route.gateway["gateway"]:
dest_range: 0.0.0.0/0
name: my-network-with-route-ilb-gateway
next_hop_gateway: global/gateways/default-internet-gateway
next_hop_ilb: null
next_hop_instance: null
next_hop_vpn_tunnel: null
priority: 100
project: my-project
tags:
- tag-a
module.vpc["ilb"].google_compute_route.ilb["next-hop"]:
dest_range: 192.168.128.0/24
name: my-network-with-route-ilb-next-hop
next_hop_gateway: null
next_hop_ilb: regions/europe-west1/forwardingRules/test
next_hop_instance: null
next_hop_vpn_tunnel: null
priority: 1000
project: my-project
tags: null
module.vpc["instance"].google_compute_network.network[0]:
name: my-network-with-route-instance
project: my-project
routing_mode: GLOBAL
module.vpc["instance"].google_compute_route.gateway["gateway"]:
dest_range: 0.0.0.0/0
name: my-network-with-route-instance-gateway
next_hop_gateway: global/gateways/default-internet-gateway
next_hop_ilb: null
next_hop_instance: null
next_hop_vpn_tunnel: null
priority: 100
project: my-project
tags:
- tag-a
module.vpc["instance"].google_compute_route.instance["next-hop"]:
dest_range: 192.168.128.0/24
name: my-network-with-route-instance-next-hop
next_hop_gateway: null
next_hop_ilb: null
next_hop_instance: zones/europe-west1-b/test
next_hop_instance_zone: europe-west1-b
next_hop_vpn_tunnel: null
priority: 1000
project: my-project
tags: null
module.vpc["ip"].google_compute_network.network[0]:
name: my-network-with-route-ip
project: my-project
routing_mode: GLOBAL
module.vpc["ip"].google_compute_route.gateway["gateway"]:
dest_range: 0.0.0.0/0
name: my-network-with-route-ip-gateway
next_hop_gateway: global/gateways/default-internet-gateway
next_hop_ilb: null
next_hop_instance: null
next_hop_vpn_tunnel: null
priority: 100
project: my-project
tags:
- tag-a
module.vpc["ip"].google_compute_route.ip["next-hop"]:
dest_range: 192.168.128.0/24
name: my-network-with-route-ip-next-hop
next_hop_gateway: null
next_hop_ilb: null
next_hop_instance: null
next_hop_ip: 192.168.0.128
next_hop_vpn_tunnel: null
priority: 1000
project: my-project
tags: null
module.vpc["vpn_tunnel"].google_compute_network.network[0]:
name: my-network-with-route-vpn-tunnel
project: my-project
routing_mode: GLOBAL
module.vpc["vpn_tunnel"].google_compute_route.gateway["gateway"]:
dest_range: 0.0.0.0/0
name: my-network-with-route-vpn-tunnel-gateway
next_hop_gateway: global/gateways/default-internet-gateway
next_hop_ilb: null
next_hop_instance: null
next_hop_vpn_tunnel: null
priority: 100
project: my-project
tags:
- tag-a
module.vpc["vpn_tunnel"].google_compute_route.vpn_tunnel["next-hop"]:
dest_range: 192.168.128.0/24
name: my-network-with-route-vpn-tunnel-next-hop
next_hop_gateway: null
next_hop_ilb: null
next_hop_instance: null
next_hop_vpn_tunnel: regions/europe-west1/vpnTunnels/foo
priority: 1000
project: my-project
tags: null
counts:
google_compute_network: 5
google_compute_route: 10

51
tests/modules/net_vpc/examples/shared-vpc.yaml Normal file
View File

@ -0,0 +1,51 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.vpc-host.google_compute_network.network[0]:
name: my-host-network
project: my-project
module.vpc-host.google_compute_shared_vpc_host_project.shared_vpc_host[0]:
project: my-project
module.vpc-host.google_compute_shared_vpc_service_project.service_projects["project1"]:
host_project: my-project
service_project: project1
module.vpc-host.google_compute_shared_vpc_service_project.service_projects["project2"]:
host_project: my-project
service_project: project2
module.vpc-host.google_compute_subnetwork.subnetwork["europe-west1/subnet-1"]: {}
module.vpc-host.google_compute_subnetwork_iam_binding.binding["europe-west1/subnet-1.roles/compute.networkUser"]:
condition: []
members:
- serviceAccount:cloudsvc
- serviceAccount:gke
project: my-project
region: europe-west1
role: roles/compute.networkUser
subnetwork: subnet-1
module.vpc-host.google_compute_subnetwork_iam_binding.binding["europe-west1/subnet-1.roles/compute.securityAdmin"]:
condition: []
members:
- serviceAccount:gke
project: my-project
region: europe-west1
role: roles/compute.securityAdmin
subnetwork: subnet-1
counts:
google_compute_network: 1
google_compute_shared_vpc_host_project: 1
google_compute_shared_vpc_service_project: 2
google_compute_subnetwork: 1
google_compute_subnetwork_iam_binding: 2

50
tests/modules/net_vpc/examples/simple.yaml Normal file
View File

@ -0,0 +1,50 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.vpc.google_compute_network.network[0]:
auto_create_subnetworks: false
delete_default_routes_on_create: false
description: Terraform-managed.
name: my-network
project: my-project
routing_mode: GLOBAL
module.vpc.google_compute_subnetwork.subnetwork["europe-west1/production"]:
description: Terraform-managed.
ip_cidr_range: 10.0.0.0/24
log_config: []
name: production
private_ip_google_access: true
project: my-project
region: europe-west1
role: null
secondary_ip_range:
- ip_cidr_range: 172.16.0.0/20
range_name: pods
- ip_cidr_range: 192.168.0.0/24
range_name: services
module.vpc.google_compute_subnetwork.subnetwork["europe-west2/production"]:
description: Terraform-managed.
ip_cidr_range: 10.0.16.0/24
log_config: []
name: production
private_ip_google_access: true
project: my-project
region: europe-west2
role: null
secondary_ip_range: []
counts:
google_compute_network: 1
google_compute_subnetwork: 2

54
tests/modules/net_vpc/examples/subnet-iam.yaml Normal file
View File

@ -0,0 +1,54 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.vpc.google_compute_network.network[0]:
name: my-network
project: my-project
module.vpc.google_compute_subnetwork.subnetwork["europe-west1/subnet-1"]:
name: subnet-1
project: my-project
region: europe-west1
module.vpc.google_compute_subnetwork.subnetwork["europe-west1/subnet-2"]:
name: subnet-2
private_ip_google_access: true
project: my-project
region: europe-west1
module.vpc.google_compute_subnetwork_iam_binding.binding["europe-west1/subnet-1.roles/compute.networkUser"]:
condition: []
members:
- group:group1@example.com
- user:user1@example.com
project: my-project
region: europe-west1
role: roles/compute.networkUser
subnetwork: subnet-1
module.vpc.google_compute_subnetwork_iam_binding.binding["europe-west1/subnet-2.roles/compute.networkUser"]:
condition: []
members:
- group:group2@example.com
- user:user2@example.com
project: my-project
region: europe-west1
role: roles/compute.networkUser
subnetwork: subnet-2
counts:
google_compute_network: 1
google_compute_subnetwork: 2
google_compute_subnetwork_iam_binding: 2
modules: 1
resources: 5
outputs: {}

70
tests/modules/net_vpc/examples/subnet-options.yaml Normal file
View File

@ -0,0 +1,70 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.vpc.google_compute_network.network[0]:
name: my-network
project: my-project
module.vpc.google_compute_subnetwork.subnetwork["europe-west1/no-pga"]:
description: Subnet b
ip_cidr_range: 10.0.1.0/24
log_config: []
name: no-pga
private_ip_google_access: false
project: my-project
region: europe-west1
secondary_ip_range: []
module.vpc.google_compute_subnetwork.subnetwork["europe-west1/simple"]:
description: Terraform-managed.
ip_cidr_range: 10.0.0.0/24
log_config: []
name: simple
private_ip_google_access: true
project: my-project
region: europe-west1
secondary_ip_range: []
module.vpc.google_compute_subnetwork.subnetwork["europe-west1/with-flow-logs"]:
description: Terraform-managed.
ip_cidr_range: 10.0.3.0/24
ipv6_access_type: null
log_config:
- aggregation_interval: INTERVAL_10_MIN
filter_expr: 'true'
flow_sampling: 0.5
metadata: INCLUDE_ALL_METADATA
metadata_fields: null
name: with-flow-logs
private_ip_google_access: true
project: my-project
region: europe-west1
role: null
secondary_ip_range: []
module.vpc.google_compute_subnetwork.subnetwork["europe-west1/with-secondary-ranges"]:
description: Terraform-managed.
ip_cidr_range: 10.0.2.0/24
log_config: []
name: with-secondary-ranges
private_ip_google_access: true
project: my-project
region: europe-west1
role: null
secondary_ip_range:
- ip_cidr_range: 192.168.0.0/24
range_name: a
- ip_cidr_range: 192.168.1.0/24
range_name: b
counts:
google_compute_network: 1
google_compute_subnetwork: 4

1
tests/modules/net_vpc/factory.tfvars
View File

@ -1 +0,0 @@
data_folder = "../../tests/modules/net_vpc/data"

44
tests/modules/net_vpc/factory.yaml
View File

@ -1,44 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
google_compute_subnetwork.subnetwork["europe-west1/factory-subnet"]:
description: 'Sample description'
ip_cidr_range: '10.128.0.0/24'
ipv6_access_type: null
log_config: []
name: 'factory-subnet'
private_ip_google_access: false
project: 'test-project'
region: 'europe-west1'
role: null
secondary_ip_range:
- ip_cidr_range: '192.168.128.0/24'
range_name: 'secondary-range-a'
google_compute_subnetwork.subnetwork["europe-west4/factory-subnet2"]:
description: 'Sample description'
ip_cidr_range: '10.129.0.0/24'
log_config: []
name: 'factory-subnet2'
private_ip_google_access: true
project: 'test-project'
region: 'europe-west4'
role: null
secondary_ip_range: []
# FIXME: should we have some bindings here?
counts:
google_compute_network: 1
google_compute_subnetwork: 2

30
tests/modules/net_vpc/fixture/main.tf
View File

@ -1,30 +0,0 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
module "test" {
source = "../../../../modules/net-vpc"
project_id = "test-project"
name = "test"
peering_config = var.peering_config
routes = var.routes
shared_vpc_host = var.shared_vpc_host
shared_vpc_service_projects = var.shared_vpc_service_projects
subnet_iam = var.subnet_iam
subnets = var.subnets
auto_create_subnetworks = var.auto_create_subnetworks
psa_config = var.psa_config
data_folder = var.data_folder
}

44
tests/modules/net_vpc/fixture/test.subnets.tfvars
View File

@ -1,44 +0,0 @@
subnet_iam = {
"europe-west1/a" = {
"roles/compute.networkUser" = [
"user:a@example.com", "group:g-a@example.com"
]
}
"europe-west1/c" = {
"roles/compute.networkUser" = [
"user:c@example.com", "group:g-c@example.com"
]
}
}
subnets = [
{
name = "a"
region = "europe-west1"
ip_cidr_range = "10.0.0.0/24"
},
{
name = "b"
region = "europe-west1"
ip_cidr_range = "10.0.1.0/24",
description = "Subnet b"
enable_private_access = false
},
{
name = "c"
region = "europe-west1"
ip_cidr_range = "10.0.2.0/24"
secondary_ip_ranges = {
a = "192.168.0.0/24"
b = "192.168.1.0/24"
}
},
{
name = "d"
region = "europe-west1"
ip_cidr_range = "10.0.3.0/24"
flow_logs_config = {
flow_sampling = 0.5
aggregation_interval = "INTERVAL_10_MIN"
}
}
]

101
tests/modules/net_vpc/fixture/variables.tf
View File

@ -1,101 +0,0 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "auto_create_subnetworks" {
type = bool
default = false
}
variable "data_folder" {
type = string
default = null
}
variable "delete_default_routes_on_create" {
type = bool
default = false
}
variable "description" {
type = string
default = "Terraform-managed."
}
variable "dns_policy" {
type = any
default = null
}
variable "mtu" {
type = number
default = null
}
variable "peering_config" {
type = any
default = null
}
variable "psa_config" {
type = any
default = null
}
variable "routes" {
type = any
default = {}
nullable = false
}
variable "routing_mode" {
type = string
default = "GLOBAL"
}
variable "shared_vpc_host" {
type = bool
default = false
}
variable "shared_vpc_service_projects" {
type = list(string)
default = []
}
variable "subnets" {
type = any
default = []
}
variable "subnet_iam" {
type = map(map(list(string)))
default = {}
}
variable "subnets_proxy_only" {
type = any
default = []
}
variable "subnets_psc" {
type = any
default = []
}
variable "vpc_create" {
type = bool
default = true
}

5
tests/modules/net_vpc/peering.tfvars
View File

@ -1,5 +0,0 @@
peering_config = {
peer_vpc_self_link = "projects/my-project/global/networks/peer"
export_routes = true
import_routes = null
}

7
tests/modules/net_vpc/psa_simple.tfvars
View File

@ -1,7 +0,0 @@
psa_config = {
ranges = {
bar = "172.16.100.0/24"
foo = "172.16.101.0/24"
}
routes = null
}

70
tests/modules/net_vpc/psa_simple.yaml
View File

@ -1,70 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
google_compute_global_address.psa_ranges["bar"]:
address: 172.16.100.0
address_type: INTERNAL
description: null
ip_version: null
name: bar
prefix_length: 24
project: test-project
purpose: VPC_PEERING
google_compute_global_address.psa_ranges["foo"]:
address: 172.16.101.0
address_type: INTERNAL
description: null
ip_version: null
name: foo
prefix_length: 24
project: test-project
purpose: VPC_PEERING
google_compute_network.network[0]:
auto_create_subnetworks: false
delete_default_routes_on_create: false
description: Terraform-managed.
enable_ula_internal_ipv6: null
name: test
project: test-project
routing_mode: GLOBAL
google_compute_network_peering_routes_config.psa_routes["1"]:
export_custom_routes: false
import_custom_routes: false
project: test-project
google_service_networking_connection.psa_connection["1"]:
reserved_peering_ranges:
- bar
- foo
service: servicenetworking.googleapis.com
counts:
google_compute_global_address: 2
google_compute_network: 1
google_compute_network_peering_routes_config: 1
google_service_networking_connection: 1
outputs:
bindings: {}
name: __missing__
network: __missing__
project_id: test-project
self_link: __missing__
subnet_ips: {}
subnet_regions: {}
subnet_secondary_ranges: {}
subnet_self_links: {}
subnets: {}
subnets_proxy_only: {}
subnets_psc: {}

1
tests/modules/net_vpc/simple.tfvars
View File

@ -1 +0,0 @@
# skip boilerplate check

44
tests/modules/net_vpc/subnets.tfvars
View File

@ -1,44 +0,0 @@
subnet_iam = {
"europe-west1/a" = {
"roles/compute.networkUser" = [
"user:a@example.com", "group:g-a@example.com"
]
}
"europe-west1/c" = {
"roles/compute.networkUser" = [
"user:c@example.com", "group:g-c@example.com"
]
}
}
subnets = [
{
name = "a"
region = "europe-west1"
ip_cidr_range = "10.0.0.0/24"
},
{
name = "b"
region = "europe-west1"
ip_cidr_range = "10.0.1.0/24",
description = "Subnet b"
enable_private_access = false
},
{
name = "c"
region = "europe-west1"
ip_cidr_range = "10.0.2.0/24"
secondary_ip_ranges = {
a = "192.168.0.0/24"
b = "192.168.1.0/24"
}
},
{
name = "d"
region = "europe-west1"
ip_cidr_range = "10.0.3.0/24"
flow_logs_config = {
flow_sampling = 0.5
aggregation_interval = "INTERVAL_10_MIN"
}
}
]

120
tests/modules/net_vpc/subnets.yaml
View File

@ -1,120 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
google_compute_network.network[0]:
auto_create_subnetworks: false
delete_default_routes_on_create: false
description: Terraform-managed.
name: test
project: test-project
routing_mode: GLOBAL
google_compute_subnetwork.subnetwork["europe-west1/a"]:
description: Terraform-managed.
ip_cidr_range: 10.0.0.0/24
log_config: []
name: a
private_ip_google_access: true
project: test-project
region: europe-west1
role: null
secondary_ip_range: []
google_compute_subnetwork.subnetwork["europe-west1/b"]:
description: Subnet b
ip_cidr_range: 10.0.1.0/24
log_config: []
name: b
private_ip_google_access: false
project: test-project
region: europe-west1
role: null
secondary_ip_range: []
google_compute_subnetwork.subnetwork["europe-west1/c"]:
description: Terraform-managed.
ip_cidr_range: 10.0.2.0/24
ipv6_access_type: null
log_config: []
name: c
private_ip_google_access: true
project: test-project
region: europe-west1
role: null
secondary_ip_range:
- ip_cidr_range: 192.168.0.0/24
range_name: a
- ip_cidr_range: 192.168.1.0/24
range_name: b
google_compute_subnetwork.subnetwork["europe-west1/d"]:
description: Terraform-managed.
ip_cidr_range: 10.0.3.0/24
log_config:
- aggregation_interval: INTERVAL_10_MIN
filter_expr: 'true'
flow_sampling: 0.5
metadata: INCLUDE_ALL_METADATA
metadata_fields: null
name: d
private_ip_google_access: true
project: test-project
region: europe-west1
role: null
secondary_ip_range: []
google_compute_subnetwork_iam_binding.binding["europe-west1/a.roles/compute.networkUser"]:
condition: []
members:
- group:g-a@example.com
- user:a@example.com
project: test-project
region: europe-west1
role: roles/compute.networkUser
subnetwork: a
google_compute_subnetwork_iam_binding.binding["europe-west1/c.roles/compute.networkUser"]:
condition: []
members:
- group:g-c@example.com
- user:c@example.com
project: test-project
region: europe-west1
role: roles/compute.networkUser
subnetwork: c
counts:
google_compute_network: 1
google_compute_subnetwork: 4
google_compute_subnetwork_iam_binding: 2
outputs:
bindings: __missing__
project_id: test-project
subnet_ips:
europe-west1/a: 10.0.0.0/24
europe-west1/b: 10.0.1.0/24
europe-west1/c: 10.0.2.0/24
europe-west1/d: 10.0.3.0/24
subnet_regions:
europe-west1/a: europe-west1
europe-west1/b: europe-west1
europe-west1/c: europe-west1
europe-west1/d: europe-west1
subnet_secondary_ranges:
europe-west1/a: {}
europe-west1/b: {}
europe-west1/c:
a: 192.168.0.0/24
b: 192.168.1.0/24
europe-west1/d: {}
subnet_self_links: __missing__
subnets: __missing__
subnets_proxy_only: {}
subnets_psc: {}

47
tests/modules/net_vpc/test_routes.py
View File

@ -1,47 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import pytest
_route_parameters = [('gateway', 'global/gateways/default-internet-gateway'),
('instance', 'zones/europe-west1-b/test'),
('ip', '192.168.0.128'),
('ilb', 'regions/europe-west1/forwardingRules/test'),
('vpn_tunnel', 'regions/europe-west1/vpnTunnels/foo')]
@pytest.mark.parametrize('next_hop_type,next_hop', _route_parameters)
def test_vpc_routes(plan_summary, next_hop_type, next_hop):
'Test vpc routes.'
var_routes = '''{
next-hop = {
dest_range = "192.168.128.0/24"
tags = null
next_hop_type = "%s"
next_hop = "%s"
}
gateway = {
dest_range = "0.0.0.0/0",
priority = 100
tags = ["tag-a"]
next_hop_type = "gateway",
next_hop = "global/gateways/default-internet-gateway"
}
}''' % (next_hop_type, next_hop)
summary = plan_summary('modules/net-vpc', tf_var_files=['common.tfvars'],
routes=var_routes)
assert len(summary.values) == 3
route = summary.values[f'google_compute_route.{next_hop_type}["next-hop"]']
assert route[f'next_hop_{next_hop_type}'] == next_hop

7
tests/modules/net_vpc/tftest.yaml
View File

@ -1,4 +1,4 @@
# Copyright 2022 Google LLC
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -17,12 +17,7 @@ common_tfvars:
- common.tfvars
tests:
simple:
subnets:
peering:
shared_vpc:
factory:
psa_simple:
psa_routes_export:
psa_routes_import:
psa_routes_import_export:

2
tests/modules/organization/examples/basic.yaml
View File

@ -1,4 +1,4 @@
# Copyright 2022 Google LLC
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

8
tests/requirements.txt
View File

@ -1,6 +1,6 @@
pytest>=6.2.5
pytest>=7.2.1
PyYAML>=6.0
tftest>=1.8.1
marko>=1.2.0
deepdiff>=5.7.0
python-hcl2>=3.0.5
marko>=1.2.2
deepdiff>=6.2.3
python-hcl2>=4.3.0

36
tools/plan_summary.py
View File

@ -1,6 +1,6 @@
#!/usr/bin/env python3
# Copyright 2022 Google LLC
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -16,6 +16,7 @@
import click
import sys
import tempfile
import yaml
from pathlib import Path
@ -27,17 +28,32 @@ import fixtures
@click.command()
@click.option('--example', default=False, is_flag=True)
@click.argument('module', type=click.Path(), nargs=1)
@click.argument('tfvars', type=click.Path(exists=True), nargs=-1)
def main(module, tfvars):
module = BASEDIR / module
summary = fixtures.plan_summary(module, Path(), tfvars)
print(yaml.dump({'values': summary.values}))
print(yaml.dump({'counts': summary.counts}))
outputs = {
k: v.get('value', '__missing__') for k, v in summary.outputs.items()
}
print(yaml.dump({'outputs': outputs}))
def main(example, module, tfvars):
try:
if example:
tmp_dir = tempfile.TemporaryDirectory()
tmp_path = Path(tmp_dir.name)
common_vars = BASEDIR / 'tests' / 'examples' / 'variables.tf'
(tmp_path / 'main.tf').symlink_to(module)
(tmp_path / 'variables.tf').symlink_to(common_vars)
(tmp_path / 'fabric').symlink_to(BASEDIR)
module = tmp_path
else:
module = BASEDIR / module
summary = fixtures.plan_summary(module, Path(), tfvars)
print(yaml.dump({'values': summary.values}))
print(yaml.dump({'counts': summary.counts}))
outputs = {
k: v.get('value', '__missing__') for k, v in summary.outputs.items()
}
print(yaml.dump({'outputs': outputs}))
finally:
if example:
tmp_dir.cleanup()
if __name__ == '__main__':