Update factories and apigee tests

Julio Castillo 2023-02-24 18:28:55 +01:00
parent b186365cab
commit edce6edd28
41 changed files with 629 additions and 736 deletions


@ -76,3 +76,35 @@ Do the following to verify that everything works as expected.
| [ip_address](outputs.tf#L17) | IP address. | |
<!-- END TFDOC -->
## Test
```hcl
module "test" {
source = "./fabric/blueprints/apigee/bigquery-analytics"
project_create = {
billing_account_id = "12345-12345-12345"
parent = "folders/123456789"
}
project_id = "my-project"
envgroups = {
test = ["test.cool-demos.space"]
}
environments = {
apis-test = {
envgroups = ["test"]
}
}
instances = {
instance-ew1 = {
region = "europe-west1"
environments = ["apis-test"]
runtime_ip_cidr_range = "10.0.4.0/22"
troubleshooting_ip_cidr_range = "10.1.0.0/28"
}
}
psc_config = {
europe-west1 = "10.0.0.0/28"
}
}
# tftest modules=10 resources=62
```


@ -25,11 +25,11 @@ The diagram below depicts the architecture.
terraform apply
```
Create an A record in your DNS registrar to point the environment group hostname to the public IP address returned after the terraform configuration was applied. You might need to wait some time until the certificate is provisioned.
Create an A record in your DNS registrar to point the environment group hostname to the public IP address returned after the terraform configuration was applied. You might need to wait some time until the certificate is provisioned.
5. Install Apigee hybrid using de ansible playbook that is in the ansible folder by running this command
ansible-playbook playbook.yaml -vvvß
ansible-playbook playbook.yaml -vvv
## Testing the blueprint
@ -67,3 +67,18 @@ The diagram below depicts the architecture.
| [ip_address](outputs.tf#L17) | GLB IP address. | |
<!-- END TFDOC -->
## Test
```hcl
module "test" {
source = "./fabric/blueprints/apigee/hybrid-gke"
project_create = {
billing_account_id = "12345-12345-12345"
parent = "folders/123456789"
}
project_id = "my-project"
hostname = "test.myorg.org"
}
# tftest modules=18 resources=59
```


@ -67,3 +67,17 @@ Do the following to verify that everything works as expected.
| [ip_address](outputs.tf#L17) | GLB IP address. | |
<!-- END TFDOC -->
## Test
```hcl
module "test" {
source = "./fabric/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg"
billing_account_id = "12345-12345-12345"
parent = "folders/123456789"
apigee_project_id = "my-apigee-project"
onprem_project_id = "my-onprem-project"
hostname = "test.myorg.org"
}
# tftest modules=14 resources=73
```


@ -74,6 +74,7 @@ This blueprint can be used as a building block for setting up an end2end ML Ops
| [project_id](outputs.tf#L49) | Project ID. | |
<!-- END TFDOC -->
## TODO
- Add support for User Managed Notebooks, SA permission option and non default SA for Single User mode.
- Improve default naming for local VPC and Cloud NAT


@ -71,6 +71,7 @@ module "bq" {
| [views_path](variables.tf#L27) | Relative path for the folder storing view data. | <code>string</code> | ✓ | |
<!-- END TFDOC -->
## TODO
- [ ] add external table support


@ -9,13 +9,22 @@ Yaml abstraction for Groups can simplify groups creation and members management.
### Terraform code
```hcl
module "prod-firewall" {
source = "./fabric/blueprints/factories/cloud-identity-group-factory"
module "groups" {
source = "./fabric/blueprints/factories/cloud-identity-group-factory"
customer_id = "customers/C0xxxxxxx"
data_dir = "data"
}
# tftest skip
# tftest modules=2 resources=3 files=group1 inventory=example.yaml
```
```yaml
# tftest-file id=group1 path=data/group1@example.com.yaml
display_name: Group 1
description: Group 1
members:
- user1@example.com
managers:
- user2@example.com
```
### Configuration Structure


@ -17,8 +17,8 @@ module "prod-firewall" {
project_id = "my-prod-project"
network = "my-prod-network"
config_directories = [
"./prod",
"./common"
"./firewall/prod",
"./firewall/common"
]
log_config = {
@ -32,13 +32,86 @@ module "dev-firewall" {
project_id = "my-dev-project"
network = "my-dev-network"
config_directories = [
"./dev",
"./common"
"./firewall/dev",
"./firewall/common"
]
}
# tftest skip
# tftest modules=2 resources=16 files=common,dev,prod inventory=example.yaml
```
```yaml
# tftest-file id=common path=firewall/common/common.yaml
# allow ingress from GCLB to all instances in the network
lb-health-checks:
allow:
- ports: []
protocol: tcp
direction: INGRESS
priority: 1001
source_ranges:
- 35.191.0.0/16
- 130.211.0.0/22
# deny all egress
deny-all:
deny:
- ports: []
protocol: all
direction: EGRESS
priority: 65535
destination_ranges:
- 0.0.0.0/0
```
```yaml
# tftest-file id=dev path=firewall/dev/app.yaml
# Myapp egress
web-app-dev-egress:
allow:
- ports: [443]
protocol: tcp
direction: EGRESS
destination_ranges:
- 192.168.0.0/24
target_service_accounts:
- myapp@myproject-dev.iam.gserviceaccount.com
# Myapp ingress
web-app-dev-ingress:
allow:
- ports: [1234]
protocol: tcp
direction: INGRESS
source_service_accounts:
- frontend-sa@myproject-dev.iam.gserviceaccount.com
target_service_accounts:
- web-app-a@myproject-dev.iam.gserviceaccount.com
```
```yaml
# tftest-file id=prod path=firewall/prod/app.yaml
# Myapp egress
web-app-prod-egress:
allow:
- ports: [443]
protocol: tcp
direction: EGRESS
destination_ranges:
- 192.168.10.0/24
target_service_accounts:
- myapp@myproject-prod.iam.gserviceaccount.com
# Myapp ingress
web-app-prod-ingress:
allow:
- ports: [1234]
protocol: tcp
direction: INGRESS
source_service_accounts:
- frontend-sa@myproject-prod.iam.gserviceaccount.com
target_service_accounts:
- web-app-a@myproject-prod.iam.gserviceaccount.com
```
### Configuration Structure
```bash
@ -86,54 +159,6 @@ rule-name: # descriptive name, naming convention is adjusted by the module
- myapp@myproject-id.iam.gserviceaccount.com
```
Firewall rules example yaml configuration
```bash
cat ./prod/core-network/common-rules.yaml
# allow ingress from GCLB to all instances in the network
lb-health-checks:
allow:
- ports: []
protocol: tcp
direction: INGRESS
priority: 1001
source_ranges:
- 35.191.0.0/16
- 130.211.0.0/22
# deny all egress
deny-all:
deny:
- ports: []
protocol: all
direction: EGRESS
priority: 65535
destination_ranges:
- 0.0.0.0/0
cat ./dev/team-a/web-app-a.yaml
# Myapp egress
web-app-a-egress:
allow:
- ports: [443]
protocol: tcp
direction: EGRESS
destination_ranges:
- 192.168.0.0/24
target_service_accounts:
- myapp@myproject-id.iam.gserviceaccount.com
# Myapp ingress
web-app-a-ingress:
allow:
- ports: [1234]
protocol: tcp
direction: INGRESS
source_service_accounts:
- frontend-sa@myproject-id.iam.gserviceaccount.com
target_service_accounts:
- web-app-a@myproject-id.iam.gserviceaccount.com
```
<!-- BEGIN TFDOC -->
## Variables


@ -76,7 +76,7 @@ module "projects" {
service_identities_iam = try(each.value.service_identities_iam, {})
vpc = try(each.value.vpc, null)
}
# tftest modules=7 resources=29
# tftest modules=7 resources=30 inventory=example.yaml
```
### Projects configuration


@ -1,5 +1,5 @@
/**
* Copyright 2022 Google LLC
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.


@ -44,7 +44,8 @@ kms_service_agents:
# [opt] Labels for the project - merged with the ones defined in defaults
labels:
environment: dev
environment: dev2
costcenter: apps
# [opt] Org policy overrides defined at project level
org_policies:
@ -70,7 +71,7 @@ service_accounts:
another-service-account:
- roles/compute.admin
my-service-account:
- roles/compute.admin
- roles/compute.adminv1
# [opt] APIs to enable on the project.
services:
@ -103,4 +104,4 @@ vpc:
subnets_iam:
europe-west1/dev-default-ew1:
- user:foobar@example.com
- serviceAccount:service-account1
- serviceAccount:my-service-account
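Review bot: `roles/compute.adminv1` on `my-service-account` is not a predefined IAM role (`roles/compute.admin` is), so this sample passes `terraform plan` but would fail at apply with an invalid-role error, and it is exactly the kind of line that gets copied out of sample data; the README count moving from 29 to 30 suggests the intent was simply a role distinct from the one on `another-service-account`, which a real role such as `- roles/compute.viewer` achieves while keeping the count. The side of `environment: dev` vs `environment: dev2` is not recoverable from this rendering, but whichever is new, a short comment that these values are deliberately non-default test data would help, e.g. `# values below intentionally differ from defaults.yaml to exercise label/role merging`. In `subnets_iam`, `serviceAccount:my-service-account` has no `@<project>.iam.gserviceaccount.com` suffix unlike the `user:` principal above it; if the factory does not expand short names to the created service account's email, the binding is invalid and the full email form should be used. The `service_accounts` and `vpc` mappings both start outside the hunks shown.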


@ -1,13 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.


@ -1,24 +0,0 @@
project_create = {
billing_account_id = "12345-12345-12345"
parent = "folders/123456789"
}
project_id = "my-project"
envgroups = {
test = ["test.cool-demos.space"]
}
environments = {
apis-test = {
envgroups = ["test"]
}
}
instances = {
instance-ew1 = {
region = "europe-west1"
environments = ["apis-test"]
runtime_ip_cidr_range = "10.0.4.0/22"
troubleshooting_ip_cidr_range = "10.1.0.0/28"
}
}
psc_config = {
europe-west1 = "10.0.0.0/28"
}


@ -1,17 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
counts:
modules: 9
resources: 62


@ -1,18 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
module: blueprints/apigee/bigquery-analytics
tests:
basic:


@ -1,13 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.


@ -1,6 +0,0 @@
project_create = {
billing_account_id = "12345-12345-12345"
parent = "folders/123456789"
}
project_id = "my-project"
hostname = "test.myorg.org"


@ -1,17 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
counts:
modules: 17
resources: 59


@ -1,18 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
module: blueprints/apigee/hybrid-gke
tests:
basic:


@ -1,13 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.


@ -1,5 +0,0 @@
billing_account_id = "12345-12345-12345"
parent = "folders/123456789"
apigee_project_id = "my-apigee-project"
onprem_project_id = "my-onprem-project"
hostname = "test.myorg.org"


@ -1,17 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
counts:
modules: 13
resources: 73


@ -1,18 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
module: blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg
tests:
basic:


@ -1,13 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.


@ -0,0 +1,42 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.groups.module.group["group1@example.com"].google_cloud_identity_group.group:
description: Group 1
display_name: Group 1
group_key:
- id: group1@example.com
namespace: null
initial_group_config: EMPTY
labels:
cloudidentity.googleapis.com/groups.discussion_forum: ''
parent: customers/C0xxxxxxx
module.groups.module.group["group1@example.com"].google_cloud_identity_group_membership.managers["user2@example.com"]:
preferred_member_key:
- id: user2@example.com
namespace: null
roles:
- name: MANAGER
- name: MEMBER
module.groups.module.group["group1@example.com"].google_cloud_identity_group_membership.members["user1@example.com"]:
preferred_member_key:
- id: user1@example.com
namespace: null
roles:
- name: MEMBER
counts:
google_cloud_identity_group: 1
google_cloud_identity_group_membership: 2


@ -1,8 +0,0 @@
# skip boilerplate check
display_name: Group 1
description: Group 1
members:
- user1@example.com
managers:
- user2@example.com


@ -1,21 +0,0 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
module "test" {
source = "../../../../../blueprints/factories/cloud-identity-group-factory/"
customer_id = "customers/C01234567"
data_dir = "data"
}


@ -1,19 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
def test_resources(e2e_plan_runner):
"Test that plan works and the numbers of resources is as expected."
modules, resources = e2e_plan_runner()
assert len(modules) == 1
assert len(resources) == 3


@ -1,13 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.


@ -0,0 +1,188 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.dev-firewall.google_compute_firewall.rules["deny-all"]:
allow: []
deny:
- ports: []
protocol: all
destination_ranges:
- 0.0.0.0/0
direction: EGRESS
disabled: null
log_config: []
name: fwr-my-dev-network-all-e-deny-all
network: my-dev-network
priority: 65535
project: my-dev-project
source_ranges: null
source_service_accounts: null
source_tags: null
target_service_accounts: null
target_tags: null
timeouts: null
module.dev-firewall.google_compute_firewall.rules["lb-health-checks"]:
allow:
- ports: []
protocol: tcp
deny: []
direction: INGRESS
disabled: null
log_config: []
name: fwr-my-dev-network-all-i-lb-health-checks
network: my-dev-network
priority: 1001
project: my-dev-project
source_ranges:
- 130.211.0.0/22
- 35.191.0.0/16
source_service_accounts: null
source_tags: null
target_service_accounts: null
target_tags: null
timeouts: null
module.dev-firewall.google_compute_firewall.rules["web-app-dev-egress"]:
allow:
- ports:
- '443'
protocol: tcp
deny: []
destination_ranges:
- 192.168.0.0/24
direction: EGRESS
disabled: null
log_config: []
name: fwr-my-dev-network-sac-e-web-app-dev-egress
network: my-dev-network
priority: 1000
project: my-dev-project
source_ranges: null
source_service_accounts: null
source_tags: null
target_service_accounts:
- myapp@myproject-dev.iam.gserviceaccount.com
target_tags: null
timeouts: null
module.dev-firewall.google_compute_firewall.rules["web-app-dev-ingress"]:
allow:
- ports:
- '1234'
protocol: tcp
deny: []
direction: INGRESS
disabled: null
log_config: []
name: fwr-my-dev-network-sac-i-web-app-dev-ingress
network: my-dev-network
priority: 1000
project: my-dev-project
source_ranges: null
source_service_accounts:
- frontend-sa@myproject-dev.iam.gserviceaccount.com
source_tags: null
target_service_accounts:
- web-app-a@myproject-dev.iam.gserviceaccount.com
target_tags: null
timeouts: null
module.prod-firewall.google_compute_firewall.rules["deny-all"]:
allow: []
deny:
- ports: []
protocol: all
destination_ranges:
- 0.0.0.0/0
direction: EGRESS
disabled: null
log_config:
- metadata: INCLUDE_ALL_METADATA
name: fwr-my-prod-network-all-e-deny-all
network: my-prod-network
priority: 65535
project: my-prod-project
source_ranges: null
source_service_accounts: null
source_tags: null
target_service_accounts: null
target_tags: null
timeouts: null
module.prod-firewall.google_compute_firewall.rules["lb-health-checks"]:
allow:
- ports: []
protocol: tcp
deny: []
direction: INGRESS
disabled: null
log_config:
- metadata: INCLUDE_ALL_METADATA
name: fwr-my-prod-network-all-i-lb-health-checks
network: my-prod-network
priority: 1001
project: my-prod-project
source_ranges:
- 130.211.0.0/22
- 35.191.0.0/16
source_service_accounts: null
source_tags: null
target_service_accounts: null
target_tags: null
timeouts: null
module.prod-firewall.google_compute_firewall.rules["web-app-prod-egress"]:
allow:
- ports:
- '443'
protocol: tcp
deny: []
destination_ranges:
- 192.168.10.0/24
direction: EGRESS
disabled: null
log_config:
- metadata: INCLUDE_ALL_METADATA
name: fwr-my-prod-network-sac-e-web-app-prod-egress
network: my-prod-network
priority: 1000
project: my-prod-project
source_ranges: null
source_service_accounts: null
source_tags: null
target_service_accounts:
- myapp@myproject-prod.iam.gserviceaccount.com
target_tags: null
timeouts: null
module.prod-firewall.google_compute_firewall.rules["web-app-prod-ingress"]:
allow:
- ports:
- '1234'
protocol: tcp
deny: []
direction: INGRESS
disabled: null
log_config:
- metadata: INCLUDE_ALL_METADATA
name: fwr-my-prod-network-sac-i-web-app-prod-ingress
network: my-prod-network
priority: 1000
project: my-prod-project
source_ranges: null
source_service_accounts:
- frontend-sa@myproject-prod.iam.gserviceaccount.com
source_tags: null
target_service_accounts:
- web-app-a@myproject-prod.iam.gserviceaccount.com
target_tags: null
timeouts: null
counts:
google_compute_firewall: 8
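Review bot: The `lb-health-checks` entries for both `dev-firewall` and `prod-firewall` pin `allow: - ports: [] protocol: tcp` together with `target_tags: null` and `target_service_accounts: null`, i.e. every TCP port reachable from the health-check ranges on every instance in the network; the usual practice is to allow only the backend's health-check port and scope the rule by tag or service account, so the sample this inventory locks in is broader than a production rule should be. If the empty port list is there on purpose to exercise the all-ports path, a comment at the top of `values:` saying so would stop the fixture being copied as-is, e.g. `# lb-health-checks intentionally uses ports: [] (all TCP) to cover the empty-port path; real rules should name the health-check port and a target tag`. Note also that the dev rules pin `log_config: []` while prod pins `INCLUDE_ALL_METADATA`, which matches the README enabling `log_config` only on `prod-firewall`, so the dev example ships with firewall logging off; worth a one-line comment so it is not mistaken for a module default.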


@ -1,25 +0,0 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
module "firewall" {
source = "../../../../../blueprints/factories/net-vpc-firewall-yaml"
project_id = "my-project"
network = "my-network"
config_directories = [
"./rules"
]
log_config = var.log_config
}


@ -1,34 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# allow ingress from GCLB to all instances in the network
lb-health-checks:
allow:
- ports: []
protocol: tcp
direction: INGRESS
priority: 1001
source_ranges:
- 35.191.0.0/16
- 130.211.0.0/22
# deny all egress
deny-all:
deny:
- ports: []
protocol: all
direction: EGRESS
priority: 65535
destination_ranges:
- 0.0.0.0/0


@ -1,23 +0,0 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "log_config" {
description = "Log configuration. Possible values for `metadata` are `EXCLUDE_ALL_METADATA` and `INCLUDE_ALL_METADATA`. Set to `null` for disabling firewall logging."
type = object({
metadata = string
})
default = null
}


@ -1,42 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
def test_firewall_simple(plan_runner):
"Test firewall rules from rules/common.yaml with no extra options."
_, resources = plan_runner()
assert len(resources) == 4
assert set(r['type'] for r in resources) == set([
'google_compute_firewall', 'time_static'
])
firewall_values = [r['values'] for r in resources if r['type']
== 'google_compute_firewall']
assert set([f['project'] for f in firewall_values]) == set(['my-project'])
assert set([f['network'] for f in firewall_values]) == set(['my-network'])
def test_firewall_log_config(plan_runner):
"Test firewall rules log configuration."
log_config = """ {
metadata = "INCLUDE_ALL_METADATA"
}
"""
log_config_value = [{"metadata": "INCLUDE_ALL_METADATA"}]
_, resources = plan_runner(log_config=log_config)
assert len(resources) == 4
assert set(r['type'] for r in resources) == set([
'google_compute_firewall', 'time_static'
])
firewall_values = [r['values'] for r in resources if r['type']
== 'google_compute_firewall']
assert all(f['log_config'] == log_config_value for f in firewall_values)


@ -1,13 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.


@ -1,25 +0,0 @@
# skip boilerplate check
billing_account_id: 012345-67890A-BCDEF0
# [opt] Setup for billing alerts
billing_alert:
amount: 1000
thresholds:
current: [0.5, 0.8]
forecasted: [0.5, 0.8]
credit_treatment: INCLUDE_ALL_CREDITS
# [opt] Contacts for billing alerts and important notifications
essential_contacts: ["team-contacts@example.com"]
# [opt] Labels set for all projects
labels:
environment: prod
department: accounting
application: example-app
foo: bar
# [opt] Additional notification channels for billing
notification_channels: []
prefix: test


@ -1,52 +0,0 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
locals {
_defaults = yamldecode(file(var.defaults_file))
_defaults_net = {
billing_account_id = var.billing_account_id
environment_dns_zone = var.environment_dns_zone
shared_vpc_self_link = var.shared_vpc_self_link
vpc_host_project = var.vpc_host_project
}
defaults = merge(local._defaults, local._defaults_net)
projects = {
for f in fileset("${var.data_dir}", "**/*.yaml") :
trimsuffix(f, ".yaml") => yamldecode(file("${var.data_dir}/${f}"))
}
}
module "projects" {
source = "../../../../../blueprints/factories/project-factory"
for_each = local.projects
defaults = local.defaults
project_id = each.key
billing_account_id = try(each.value.billing_account_id, null)
billing_alert = try(each.value.billing_alert, null)
dns_zones = try(each.value.dns_zones, [])
essential_contacts = try(each.value.essential_contacts, [])
folder_id = each.value.folder_id
group_iam = try(each.value.group_iam, {})
iam = try(each.value.iam, {})
kms_service_agents = try(each.value.kms, {})
labels = try(each.value.labels, {})
org_policies = try(each.value.org_policies, null)
prefix = each.value.prefix
service_accounts = try(each.value.service_accounts, {})
services = try(each.value.services, [])
service_identities_iam = try(each.value.service_identities_iam, {})
vpc = try(each.value.vpc, null)
}


@ -1,103 +0,0 @@
# skip boilerplate check
# [opt] Billing account id - overrides default if set
billing_account_id: 012345-67890A-BCDEF0
# [opt] Billing alerts config - overrides default if set
billing_alert:
amount: 10
thresholds:
current:
- 0.5
- 0.8
forecasted: []
credit_treatment: INCLUDE_ALL_CREDITS
# [opt] DNS zones to be created as children of the environment_dns_zone defined in defaults
dns_zones:
- lorem
- ipsum
# [opt] Contacts for billing alerts and important notifications
essential_contacts:
- team-a-contacts@example.com
# Folder the project will be created as children of
folder_id: folders/012345678901
# [opt] Authoritative IAM bindings in group => [roles] format
group_iam:
test-team-foobar@fast-lab-0.gcp-pso-italy.net:
- roles/compute.admin
# [opt] Authoritative IAM bindings in role => [principals] format
# Generally used to grant roles to service accounts external to the project
iam:
roles/compute.admin:
- serviceAccount:service-account
# [opt] Service robots and keys they will be assigned as cryptoKeyEncrypterDecrypter
# in service => [keys] format
kms_service_agents:
compute: [key1, key2]
storage: [key1, key2]
# [opt] Labels for the project - merged with the ones defined in defaults
labels:
environment: prod
# [opt] Org policy overrides defined at project level
org_policies:
compute.disableGuestAttributesAccess:
rules:
- enforce: true
compute.trustedImageProjects:
rules:
- allow:
values:
- projects/fast-prod-iac-core-0
# [opt] Prefix - overrides default if set
prefix: test1
# [opt] Service account to create for the project and their roles on the project
# in name => [roles] format
service_accounts:
another-service-account:
- roles/compute.admin
my-service-account:
- roles/compute.admin
# [opt] APIs to enable on the project.
services:
- storage.googleapis.com
- stackdriver.googleapis.com
- compute.googleapis.com
# [opt] Roles to assign to the service identities in service => [roles] format
service_identities_iam:
compute:
- roles/storage.objectViewer
# [opt] VPC setup.
# If set enables the `compute.googleapis.com` service and configures
# service project attachment
vpc:
# [opt] If set, enables the container API
gke_setup:
# Grants "roles/container.hostServiceAgentUser" to the container robot if set
enable_host_service_agent: false
# Grants "roles/compute.securityAdmin" to the container robot if set
enable_security_admin: true
# Host project the project will be service project of
host_project: fast-prod-net-spoke-0
# [opt] Subnets in the host project where principals will be granted networkUser
# in region/subnet-name => [principals]
subnets_iam:
europe-west1/prod-default-ew1:
- user:foobar@example.com
- serviceAccount:service-account1@example.com
- my-service-account


@ -1,64 +0,0 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "billing_account_id" {
description = "Billing account id."
type = string
default = "012345-67890A-BCDEF0"
}
variable "data_dir" {
description = "Relative path for the folder storing configuration data."
type = string
default = "./projects/"
}
variable "environment_dns_zone" {
description = "DNS zone suffix for environment."
type = string
default = "prod.gcp.example.com"
}
variable "defaults_file" {
description = "Relative path for the file storing the project factory configuration."
type = string
default = "./defaults.yaml"
}
variable "service_accounts" {
description = "Service accounts to be created, and roles assigned them on the project."
type = map(list(string))
default = {}
}
variable "service_accounts_iam" {
description = "IAM bindings on service account resources. Format is KEY => {ROLE => [MEMBERS]}"
type = map(map(list(string)))
default = {}
nullable = false
}
variable "shared_vpc_self_link" {
description = "Self link for the shared VPC."
type = string
default = "self-link"
}
variable "vpc_host_project" {
description = "Host project for the shared VPC."
type = string
default = "host-project"
}


@ -1,36 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
def test_plan(e2e_plan_runner):
"Check for a clean plan"
modules, resources = e2e_plan_runner()
assert len(modules) > 0 and len(resources) > 0
def test_plan_service_accounts(e2e_plan_runner):
"Check for a clean plan"
service_accounts = '''{
sa-001 = []
sa-002 = ["roles/owner"]
}'''
service_accounts_iam = '''{
sa-002 = {
"roles/iam.serviceAccountTokenCreator" = ["group:team-1@example.com"]
}
}'''
modules, resources = e2e_plan_runner(
service_accounts=service_accounts,
service_accounts_iam=service_accounts_iam)
assert len(modules) > 0 and len(resources) > 0


@ -18,7 +18,7 @@ from pathlib import Path
BASE_PATH = Path(__file__).parent
COUNT_TEST_RE = re.compile(r'# tftest +modules=(\d+) +resources=(\d+)' +
r'(?: +files=([\w,_-]+))?' +
r'(?: +files=([\w@,_-]+))?' +
r'(?: +inventory=([\w\-.]+))?')
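Review bot: The new `files=` character class on the replaced line keeps `_` explicitly even though `\w` already matches it, so `r'(?: +files=([\w@,-]+))?'` expresses the same set and makes the one character actually being added (`@`) stand out. The three-line `COUNT_TEST_RE` statement has no comment saying what the `files=` and `inventory=` tokens are expected to hold; a short note above it such as `# files= is a comma-separated list of fixture names (letters, digits, _, -, @); inventory= a single filename that may contain dots` would save the next reader from decoding the classes. Presumably `@` is needed for a fixture name introduced in this commit; stating that in the comment is worth it because neither class admits `/` or `.` in `files=`, which is what keeps the token from naming a path outside the fixture directory, and a later widening should not change that by accident. How the captured group is split and resolved happens outside this hunk, so I can only infer that from the pattern.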


@ -0,0 +1,235 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This is one of the few modules where it actually makes sense to be
# very verbose with values
values:
module.projects["project"].google_compute_subnetwork_iam_member.default["dev-default-ew1:serviceAccount:my-service-account"]:
condition: []
member: serviceAccount:my-service-account
project: fast-dev-net-spoke-0
region: europe-west1
role: roles/compute.networkUser
subnetwork: projects/fast-dev-net-spoke-0/regions/europe-west1/subnetworks/dev-default-ew1
module.projects["project"].google_compute_subnetwork_iam_member.default["dev-default-ew1:user:foobar@example.com"]:
condition: []
member: user:foobar@example.com
project: fast-dev-net-spoke-0
region: europe-west1
role: roles/compute.networkUser
subnetwork: projects/fast-dev-net-spoke-0/regions/europe-west1/subnetworks/dev-default-ew1
module.projects["project"].module.billing-alert["1"].google_billing_budget.budget:
all_updates_rule:
- disable_default_iam_recipients: false
pubsub_topic: null
schema_version: '1.0'
amount:
- last_period_amount: null
specified_amount:
- nanos: null
units: '10'
billing_account: 012345-67890A-BCDEF0
budget_filter:
- calendar_period: null
credit_types_treatment: INCLUDE_ALL_CREDITS
custom_period: []
display_name: test1-project budget
threshold_rules:
- spend_basis: CURRENT_SPEND
threshold_percent: 0.5
- spend_basis: CURRENT_SPEND
threshold_percent: 0.8
module.projects["project"].module.billing-alert["1"].google_monitoring_notification_channel.email_channels["team-a-contacts@example.com"]:
display_name: test1-project budget budget email notification (team-a-contacts@example.com)
labels:
email_address: team-a-contacts@example.com
project: test1-project
sensitive_labels: []
type: email
module.projects["project"].module.billing-alert["1"].google_monitoring_notification_channel.email_channels["team-contacts@example.com"]:
display_name: test1-project budget budget email notification (team-contacts@example.com)
labels:
email_address: team-contacts@example.com
project: test1-project
sensitive_labels: []
type: email
module.projects["project"].module.dns["ipsum"].google_dns_managed_zone.non-public[0]:
dns_name: ipsum.dev.example.org
name: ipsum
private_visibility_config:
- gke_clusters: []
networks:
- network_url: projects/foo/networks/bar
project: fast-dev-net-spoke-0
visibility: private
module.projects["project"].module.dns["lorem"].google_dns_managed_zone.non-public[0]:
dns_name: lorem.dev.example.org
name: lorem
private_visibility_config:
- gke_clusters: []
networks:
- network_url: projects/foo/networks/bar
project: fast-dev-net-spoke-0
module.projects["project"].module.project.google_compute_shared_vpc_service_project.shared_vpc_service[0]:
host_project: fast-dev-net-spoke-0
service_project: test1-project
module.projects["project"].module.project.google_essential_contacts_contact.contact["team-a-contacts@example.com"]:
email: team-a-contacts@example.com
language_tag: en
notification_category_subscriptions:
- ALL
parent: projects/test1-project
module.projects["project"].module.project.google_essential_contacts_contact.contact["team-contacts@example.com"]:
email: team-contacts@example.com
language_tag: en
notification_category_subscriptions:
- ALL
parent: projects/test1-project
module.projects["project"].module.project.google_org_policy_policy.default["constraints/compute.disableGuestAttributesAccess"]:
name: projects/test1-project/policies/constraints/compute.disableGuestAttributesAccess
parent: projects/test1-project
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
values: []
module.projects["project"].module.project.google_org_policy_policy.default["constraints/compute.trustedImageProjects"]:
name: projects/test1-project/policies/constraints/compute.trustedImageProjects
parent: projects/test1-project
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: null
values:
- allowed_values:
- projects/fast-dev-iac-core-0
denied_values: null
module.projects["project"].module.project.google_org_policy_policy.default["constraints/compute.vmExternalIpAccess"]:
name: projects/test1-project/policies/constraints/compute.vmExternalIpAccess
parent: projects/test1-project
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: 'TRUE'
enforce: null
values: []
module.projects["project"].module.project.google_project.project[0]:
auto_create_network: false
billing_account: 012345-67890A-BCDEF0
folder_id: 012345678901
labels:
application: example-app
costcenter: apps
department: accounting
environment: dev
foo: bar
name: test1-project
org_id: null
project_id: test1-project
skip_delete: false
module.projects["project"].module.project.google_project_iam_binding.authoritative["roles/compute.admin"]:
condition: []
project: test1-project
role: roles/compute.admin
module.projects["project"].module.project.google_project_iam_binding.authoritative["roles/compute.adminv1"]:
condition: []
project: test1-project
role: roles/compute.adminv1
module.projects["project"].module.project.google_project_iam_binding.authoritative["roles/storage.objectViewer"]:
condition: []
project: test1-project
role: roles/storage.objectViewer
module.projects["project"].module.project.google_project_iam_member.shared_vpc_host_robots["roles/compute.networkUser:cloudservices"]:
condition: []
project: fast-dev-net-spoke-0
role: roles/compute.networkUser
module.projects["project"].module.project.google_project_iam_member.shared_vpc_host_robots["roles/compute.securityAdmin:container-engine"]:
condition: []
project: fast-dev-net-spoke-0
role: roles/compute.securityAdmin
module.projects["project"].module.project.google_project_service.project_services["billingbudgets.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test1-project
service: billingbudgets.googleapis.com
module.projects["project"].module.project.google_project_service.project_services["compute.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test1-project
service: compute.googleapis.com
module.projects["project"].module.project.google_project_service.project_services["container.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test1-project
service: container.googleapis.com
module.projects["project"].module.project.google_project_service.project_services["dns.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test1-project
service: dns.googleapis.com
module.projects["project"].module.project.google_project_service.project_services["essentialcontacts.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test1-project
service: essentialcontacts.googleapis.com
module.projects["project"].module.project.google_project_service.project_services["orgpolicy.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test1-project
service: orgpolicy.googleapis.com
module.projects["project"].module.project.google_project_service.project_services["stackdriver.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test1-project
service: stackdriver.googleapis.com
module.projects["project"].module.project.google_project_service.project_services["storage.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test1-project
service: storage.googleapis.com
module.projects["project"].module.service-accounts["another-service-account"].google_service_account.service_account[0]:
account_id: another-service-account
display_name: Terraform-managed.
project: test1-project
module.projects["project"].module.service-accounts["my-service-account"].google_service_account.service_account[0]:
account_id: my-service-account
display_name: Terraform-managed.
project: test1-project
counts:
google_billing_budget: 1
google_compute_shared_vpc_service_project: 1
google_compute_subnetwork_iam_member: 2
google_dns_managed_zone: 2
google_essential_contacts_contact: 2
google_monitoring_notification_channel: 2
google_org_policy_policy: 3
google_project: 1
google_project_iam_binding: 3
google_project_iam_member: 2
google_project_service: 8
google_service_account: 2
google_storage_project_service_account: 1