fixed e2e test for shared-vpc and subnet-iam

This commit is contained in:
Thangaraju Rajasekaran 2023-11-29 23:19:25 +00:00
parent a259d2cbdb
commit d9cd46d8a7
7 changed files with 33 additions and 96 deletions


@ -114,7 +114,7 @@ module "vpc" {
ip_cidr_range = "10.0.1.0/24" ip_cidr_range = "10.0.1.0/24"
iam = { iam = {
"roles/compute.networkUser" = [ "roles/compute.networkUser" = [
"user:${var.user_email}", "group:${var.group_email}" "group:${var.group_email}"
] ]
} }
iam_bindings = { iam_bindings = {
@ -134,7 +134,7 @@ module "vpc" {
ip_cidr_range = "10.0.2.0/24" ip_cidr_range = "10.0.2.0/24"
iam_bindings_additive = { iam_bindings_additive = {
subnet-2-iam = { subnet-2-iam = {
member = "user:${var.user_email}" member = "group:${var.group_email}"
role = "roles/compute.networkUser" role = "roles/compute.networkUser"
subnet = "europe-west1/subnet-2" subnet = "europe-west1/subnet-2"
} }
@ -185,14 +185,21 @@ module "vpc-spoke-1" {
[Shared VPC](https://cloud.google.com/vpc/docs/shared-vpc) is a project-level functionality which enables a project to share its VPCs with other projects. The `shared_vpc_host` variable is here to help with rapid prototyping, we recommend leveraging the project module for production usage. [Shared VPC](https://cloud.google.com/vpc/docs/shared-vpc) is a project-level functionality which enables a project to share its VPCs with other projects. The `shared_vpc_host` variable is here to help with rapid prototyping, we recommend leveraging the project module for production usage.
```hcl ```hcl
locals {
service_project_1 = { module "service-project" {
project_id = var.service_project_1.project_id source = "./fabric/modules/project"
gke_service_account = "serviceAccount:${var.service_account.email}" billing_account = var.billing_account_id
cloud_services_service_account = "serviceAccount:${var.service_account.email}" name = "prj1"
} prefix = var.prefix
service_project_2 = { parent = var.folder_id
project_id = var.service_project_2.project_id services = [
"cloudresourcemanager.googleapis.com",
"compute.googleapis.com",
"iam.googleapis.com",
"serviceusage.googleapis.com"
]
shared_vpc_service_config = {
host_project = var.project_id
} }
} }
@ -211,22 +218,20 @@ module "vpc-host" {
} }
iam = { iam = {
"roles/compute.networkUser" = [ "roles/compute.networkUser" = [
local.service_project_1.cloud_services_service_account, "serviceAccount:${var.service_account.email}"
local.service_project_1.gke_service_account
] ]
"roles/compute.securityAdmin" = [ "roles/compute.securityAdmin" = [
local.service_project_1.gke_service_account "serviceAccount:${var.service_account.email}"
] ]
} }
} }
] ]
shared_vpc_host = true shared_vpc_host = true
shared_vpc_service_projects = [ shared_vpc_service_projects = [
local.service_project_1.project_id, module.service-project.project_id
local.service_project_2.project_id
] ]
} }
# tftest modules=1 resources=9 inventory=shared-vpc.yaml e2e # tftest modules=2 resources=14 inventory=shared-vpc.yaml e2e
``` ```
### Private Service Networking ### Private Service Networking
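Review bot: The `shared_vpc_service_projects = [module.service-project.project_id]` line in the vpc-host hunk and the `shared_vpc_service_config = { host_project = var.project_id }` block added to `module "service-project"` both declare the same host-to-service attachment, so the example appears to end up with two `google_compute_shared_vpc_service_project` resources for a single project (the shared-vpc inventory in this commit keeps its count at 2 while listing only one service project, which looks like the same duplication). If that is not intended, dropping the `shared_vpc_service_projects` argument from vpc-host and keeping the project-module side would leave one resource owning the link and avoid the two fighting over creation and removal of the same attachment; the `# tftest modules=2 resources=14` directive and the inventory counts would then need adjusting. The `module "vpc-host"` block opens outside the hunk.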


@ -22,10 +22,6 @@ variable "billing_account_id" {
default = "123456-123456-123456" default = "123456-123456-123456"
} }
variable "user_email" {
default = "user1@example.org"
}
variable "group_email" { variable "group_email" {
default = "organization-admins@example.org" default = "organization-admins@example.org"
} }
@ -98,15 +94,3 @@ variable "vpc2" {
variable "zone" { variable "zone" {
default = "zone" default = "zone"
} }
variable "service_project_1" {
default = {
project_id = "service-project-1-project-id"
}
}
variable "service_project_2" {
default = {
project_id = "service-project-2-project-id"
}
}


@ -17,17 +17,11 @@ billing_account_id = "${billing_account_id}"
kms_key = { kms_key = {
id = "${kms_key_id}" id = "${kms_key_id}"
} }
user_email = "${user_email}"
group_email = "${group_email}" group_email = "${group_email}"
organization_id = "organizations/${organization_id}" organization_id = "organizations/${organization_id}"
folder_id = "folders/${folder_id}" folder_id = "folders/${folder_id}"
prefix = "${prefix}"
project_id = "${project_id}" project_id = "${project_id}"
service_project_1 = {
project_id = "${service_project_1.project_id}"
}
service_project_2 = {
project_id = "${service_project_2.project_id}"
}
region = "${region}" region = "${region}"
service_account = { service_account = {
id = "${service_account.id}" id = "${service_account.id}"


@ -26,24 +26,17 @@ locals {
"cloudkms.googleapis.com", "cloudkms.googleapis.com",
"cloudresourcemanager.googleapis.com", "cloudresourcemanager.googleapis.com",
"compute.googleapis.com", "compute.googleapis.com",
"dns.googleapis.com",
"eventarc.googleapis.com", "eventarc.googleapis.com",
"iam.googleapis.com", "iam.googleapis.com",
"run.googleapis.com", "run.googleapis.com",
"secretmanager.googleapis.com", "secretmanager.googleapis.com",
"servicenetworking.googleapis.com",
"serviceusage.googleapis.com", "serviceusage.googleapis.com",
"stackdriver.googleapis.com", "stackdriver.googleapis.com",
"storage-component.googleapis.com", "storage-component.googleapis.com",
"storage.googleapis.com", "storage.googleapis.com",
"vpcaccess.googleapis.com", "vpcaccess.googleapis.com",
"servicenetworking.googleapis.com",
"dns.googleapis.com",
]
services-svc = [
# trimmed down list of services, to be extended as needed
"cloudresourcemanager.googleapis.com",
"compute.googleapis.com",
"iam.googleapis.com",
"serviceusage.googleapis.com",
] ]
} }
@ -66,34 +59,6 @@ resource "google_project_service" "project_service" {
disable_dependent_services = true disable_dependent_services = true
} }
resource "google_project" "service_project_1" {
name = "${local.prefix}-prj-1"
billing_account = var.billing_account
folder_id = google_folder.folder.id
project_id = "${local.prefix}-prj-1"
}
resource "google_project_service" "service_project_1_service" {
for_each = toset(local.services-svc)
service = each.value
project = google_project.service_project_1.project_id
disable_dependent_services = true
}
resource "google_project" "service_project_2" {
name = "${local.prefix}-prj-2"
billing_account = var.billing_account
folder_id = google_folder.folder.id
project_id = "${local.prefix}-prj-2"
}
resource "google_project_service" "service_project_2_service" {
for_each = toset(local.services-svc)
service = each.value
project = google_project.service_project_2.project_id
disable_dependent_services = true
}
resource "google_storage_bucket" "bucket" { resource "google_storage_bucket" "bucket" {
location = var.region location = var.region
name = "${local.prefix}-bucket" name = "${local.prefix}-bucket"
@ -152,17 +117,11 @@ resource "local_file" "terraform_tfvars" {
billing_account_id = var.billing_account billing_account_id = var.billing_account
folder_id = google_folder.folder.folder_id folder_id = google_folder.folder.folder_id
group_email = var.group_email group_email = var.group_email
user_email = var.user_email prefix = var.prefix
kms_key_id = google_kms_crypto_key.key.id kms_key_id = google_kms_crypto_key.key.id
organization_id = var.organization_id organization_id = var.organization_id
project_id = google_project.project.project_id project_id = google_project.project.project_id
service_project_1 = { region = var.region
project_id = google_project.service_project_1.project_id
}
service_project_2 = {
project_id = google_project.service_project_2.project_id
}
region = var.region
service_account = { service_account = {
id = google_service_account.service_account.id id = google_service_account.service_account.id
email = google_service_account.service_account.email email = google_service_account.service_account.email
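Review bot: In the services list of the first hunk, `"servicenetworking.googleapis.com"` and `"dns.googleapis.com"` now appear to sit after `"vpcaccess.googleapis.com"`, which breaks the alphabetical order the rest of the list keeps; from the rendering alone I cannot be fully sure which side those two lines belong to, so please confirm. Restoring them to their sorted positions (`dns` before `eventarc`, `servicenetworking` before `serviceusage`) would keep the list easy to scan and make later diffs smaller. The enclosing `locals` block starts outside the hunk.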


@ -18,9 +18,6 @@ variable "billing_account" {
variable "group_email" { variable "group_email" {
type = string type = string
} }
variable "user_email" {
type = string
}
variable "organization_id" { variable "organization_id" {
type = string type = string
} }


@ -18,12 +18,9 @@ values:
project: project-id project: project-id
module.vpc-host.google_compute_shared_vpc_host_project.shared_vpc_host[0]: module.vpc-host.google_compute_shared_vpc_host_project.shared_vpc_host[0]:
project: project-id project: project-id
module.vpc-host.google_compute_shared_vpc_service_project.service_projects["service-project-1-project-id"]: module.service-project.google_compute_shared_vpc_service_project.shared_vpc_service[0]:
host_project: project-id host_project: project-id
service_project: service-project-1-project-id service_project: test-prj1
module.vpc-host.google_compute_shared_vpc_service_project.service_projects["service-project-2-project-id"]:
host_project: project-id
service_project: service-project-2-project-id
module.vpc-host.google_compute_subnetwork.subnetwork["europe-west1/subnet-1"]: module.vpc-host.google_compute_subnetwork.subnetwork["europe-west1/subnet-1"]:
secondary_ip_range: secondary_ip_range:
- ip_cidr_range: 172.16.0.0/20 - ip_cidr_range: 172.16.0.0/20
@ -34,7 +31,6 @@ values:
condition: [] condition: []
members: members:
- serviceAccount:service_account_email - serviceAccount:service_account_email
# - serviceAccount:gke
project: project-id project: project-id
region: europe-west1 region: europe-west1
role: roles/compute.networkUser role: roles/compute.networkUser
@ -48,9 +44,12 @@ values:
role: roles/compute.securityAdmin role: roles/compute.securityAdmin
subnetwork: subnet-1 subnetwork: subnet-1
counts: counts:
google_compute_network: 1 google_compute_network: 1
google_compute_route: 2
google_compute_shared_vpc_host_project: 1 google_compute_shared_vpc_host_project: 1
google_compute_shared_vpc_service_project: 2 google_compute_shared_vpc_service_project: 2
google_compute_subnetwork: 1 google_compute_subnetwork: 1
google_compute_subnetwork_iam_binding: 2 google_compute_subnetwork_iam_binding: 2
modules: 2


@ -75,7 +75,6 @@ values:
condition: [] condition: []
members: members:
- group:organization-admins@example.org - group:organization-admins@example.org
- user:user1@example.org
project: project-id project: project-id
region: europe-west1 region: europe-west1
role: roles/compute.networkUser role: roles/compute.networkUser
@ -93,7 +92,7 @@ values:
subnetwork: subnet-1 subnetwork: subnet-1
module.vpc.google_compute_subnetwork_iam_member.bindings["subnet-2-iam"]: module.vpc.google_compute_subnetwork_iam_member.bindings["subnet-2-iam"]:
condition: [] condition: []
member: user:user1@example.org member: group:organization-admins@example.org
project: project-id project: project-id
region: europe-west1 region: europe-west1
role: roles/compute.networkUser role: roles/compute.networkUser