From edce6edd282128ae841403e57179be03c55f7f00 Mon Sep 17 00:00:00 2001 
From: Julio Castillo Date: Fri, 24 Feb 2023 18:28:55 +0100 Subject: [PATCH] Update factories and apigee tests --- .../apigee/bigquery-analytics/README.md | 32 +++ blueprints/apigee/hybrid-gke/README.md | 21 +- .../README.md | 14 ++ .../data-solutions/vertex-mlops/README.md | 1 + .../factories/bigquery-factory/README.md | 1 + .../cloud-identity-group-factory/README.md | 17 +- .../factories/net-vpc-firewall-yaml/README.md | 131 ++++++---- .../factories/project-factory/README.md | 2 +- blueprints/factories/project-factory/main.tf | 2 +- .../sample-data/projects/project.yaml | 7 +- .../apigee/bigquery-analytics/__init__.py | 13 - .../apigee/bigquery-analytics/basic.tfvars | 24 -- .../apigee/bigquery-analytics/basic.yaml | 17 -- .../apigee/bigquery-analytics/tftest.yaml | 18 -- .../blueprints/apigee/hybrid-gke/__init__.py | 13 - .../blueprints/apigee/hybrid-gke/basic.tfvars | 6 - tests/blueprints/apigee/hybrid-gke/basic.yaml | 17 -- .../blueprints/apigee/hybrid-gke/tftest.yaml | 18 -- .../__init__.py | 13 - .../basic.tfvars | 5 - .../basic.yaml | 17 -- .../tftest.yaml | 18 -- .../cloud_identity_group_factory/__init__.py | 13 - .../examples/example.yaml | 42 ++++ .../fixture/data/group1@example.com.yaml | 8 - .../fixture/main.tf | 21 -- .../cloud_identity_group_factory/test_plan.py | 19 -- .../net_vpc_firewall_yaml/__init__.py | 13 - .../examples/example.yaml | 188 ++++++++++++++ .../net_vpc_firewall_yaml/fixture/main.tf | 25 -- .../fixture/rules/common.yaml | 34 --- .../fixture/variables.tf | 23 -- .../net_vpc_firewall_yaml/test_plan.py | 42 ---- .../factories/project_factory/__init__.py | 13 - .../project_factory/fixture/defaults.yaml | 25 -- .../factories/project_factory/fixture/main.tf | 52 ---- .../fixture/projects/project.yaml | 103 -------- .../project_factory/fixture/variables.tf | 64 ----- .../factories/project_factory/test_plan.py | 36 --- tests/examples/test_plan.py | 2 +- .../project_factory/examples/example.yaml | 235 ++++++++++++++++++ 41 files changed, 629 
insertions(+), 736 deletions(-) delete mode 100644 tests/blueprints/apigee/bigquery-analytics/__init__.py delete mode 100644 tests/blueprints/apigee/bigquery-analytics/basic.tfvars delete mode 100644 tests/blueprints/apigee/bigquery-analytics/basic.yaml delete mode 100644 tests/blueprints/apigee/bigquery-analytics/tftest.yaml delete mode 100644 tests/blueprints/apigee/hybrid-gke/__init__.py delete mode 100644 tests/blueprints/apigee/hybrid-gke/basic.tfvars delete mode 100644 tests/blueprints/apigee/hybrid-gke/basic.yaml delete mode 100644 tests/blueprints/apigee/hybrid-gke/tftest.yaml delete mode 100644 tests/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/__init__.py delete mode 100644 tests/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/basic.tfvars delete mode 100644 tests/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/basic.yaml delete mode 100644 tests/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/tftest.yaml delete mode 100644 tests/blueprints/factories/cloud_identity_group_factory/__init__.py create mode 100644 tests/blueprints/factories/cloud_identity_group_factory/examples/example.yaml delete mode 100644 tests/blueprints/factories/cloud_identity_group_factory/fixture/data/group1@example.com.yaml delete mode 100644 tests/blueprints/factories/cloud_identity_group_factory/fixture/main.tf delete mode 100644 tests/blueprints/factories/cloud_identity_group_factory/test_plan.py delete mode 100644 tests/blueprints/factories/net_vpc_firewall_yaml/__init__.py create mode 100644 tests/blueprints/factories/net_vpc_firewall_yaml/examples/example.yaml delete mode 100644 tests/blueprints/factories/net_vpc_firewall_yaml/fixture/main.tf delete mode 100644 tests/blueprints/factories/net_vpc_firewall_yaml/fixture/rules/common.yaml delete mode 100644 tests/blueprints/factories/net_vpc_firewall_yaml/fixture/variables.tf delete mode 100644 
tests/blueprints/factories/net_vpc_firewall_yaml/test_plan.py delete mode 100644 tests/blueprints/factories/project_factory/__init__.py delete mode 100644 tests/blueprints/factories/project_factory/fixture/defaults.yaml delete mode 100644 tests/blueprints/factories/project_factory/fixture/main.tf delete mode 100644 tests/blueprints/factories/project_factory/fixture/projects/project.yaml delete mode 100644 tests/blueprints/factories/project_factory/fixture/variables.tf delete mode 100644 tests/blueprints/factories/project_factory/test_plan.py create mode 100644 tests/modules/project_factory/examples/example.yaml diff --git a/blueprints/apigee/bigquery-analytics/README.md b/blueprints/apigee/bigquery-analytics/README.md index 027f28ea..817c39bb 100644 --- a/blueprints/apigee/bigquery-analytics/README.md +++ b/blueprints/apigee/bigquery-analytics/README.md @@ -76,3 +76,35 @@ Do the following to verify that everything works as expected. | [ip_address](outputs.tf#L17) | IP address. | | +## Test + +```hcl +module "test" { + source = "./fabric/blueprints/apigee/bigquery-analytics" + project_create = { + billing_account_id = "12345-12345-12345" + parent = "folders/123456789" + } + project_id = "my-project" + envgroups = { + test = ["test.cool-demos.space"] + } + environments = { + apis-test = { + envgroups = ["test"] + } + } + instances = { + instance-ew1 = { + region = "europe-west1" + environments = ["apis-test"] + runtime_ip_cidr_range = "10.0.4.0/22" + troubleshooting_ip_cidr_range = "10.1.0.0/28" + } + } + psc_config = { + europe-west1 = "10.0.0.0/28" + } +} +# tftest modules=10 resources=62 +``` diff --git a/blueprints/apigee/hybrid-gke/README.md b/blueprints/apigee/hybrid-gke/README.md index ae5c0364..05614fac 100644 --- a/blueprints/apigee/hybrid-gke/README.md +++ b/blueprints/apigee/hybrid-gke/README.md 
@@ -25,11 +25,11 @@ The diagram below depicts the architecture. terraform apply ``` - Create an A record in your DNS registrar to point the environment group hostname to the public IP address returned after the terraform configuration was applied. You might need to wait some time until the certificate is provisioned. - + Create an A record in your DNS registrar to point the environment group hostname to the public IP address returned after the terraform configuration was applied. You might need to wait some time until the certificate is provisioned. + 5. Install Apigee hybrid using de ansible playbook that is in the ansible folder by running this command - ansible-playbook playbook.yaml -vvvß + ansible-playbook playbook.yaml -vvv ## Testing the blueprint @@ -67,3 +67,18 @@ The diagram below depicts the architecture. | [ip_address](outputs.tf#L17) | GLB IP address. | | + +## Test + +```hcl +module "test" { + source = "./fabric/blueprints/apigee/hybrid-gke" + project_create = { + billing_account_id = "12345-12345-12345" + parent = "folders/123456789" + } + project_id = "my-project" + hostname = "test.myorg.org" +} +# tftest modules=18 resources=59 +``` diff --git a/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/README.md b/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/README.md index 690458f0..0ec240b0 100644 --- a/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/README.md +++ b/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/README.md 
@@ -67,3 +67,17 @@ Do the following to verify that everything works as expected. | [ip_address](outputs.tf#L17) | GLB IP address. | | + +## Test + +```hcl +module "test" { + source = "./fabric/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg" + billing_account_id = "12345-12345-12345" + parent = "folders/123456789" + apigee_project_id = "my-apigee-project" + onprem_project_id = "my-onprem-project" + hostname = "test.myorg.org" +} +# tftest modules=14 resources=73 +``` diff --git a/blueprints/data-solutions/vertex-mlops/README.md b/blueprints/data-solutions/vertex-mlops/README.md index dc2c74cd..8bb3043e 100644 --- a/blueprints/data-solutions/vertex-mlops/README.md +++ b/blueprints/data-solutions/vertex-mlops/README.md @@ -74,6 +74,7 @@ This blueprint can be used as a building block for setting up an end2end ML Ops | [project_id](outputs.tf#L49) | Project ID. | | + ## TODO - Add support for User Managed Notebooks, SA permission option and non default SA for Single User mode. - Improve default naming for local VPC and Cloud NAT diff --git a/blueprints/factories/bigquery-factory/README.md b/blueprints/factories/bigquery-factory/README.md index 2cba6e01..1e3015ed 100644 --- a/blueprints/factories/bigquery-factory/README.md +++ b/blueprints/factories/bigquery-factory/README.md @@ -71,6 +71,7 @@ module "bq" { | [views_path](variables.tf#L27) | Relative path for the folder storing view data. | string | ✓ | | + ## TODO - [ ] add external table support diff --git a/blueprints/factories/cloud-identity-group-factory/README.md b/blueprints/factories/cloud-identity-group-factory/README.md index b833304e..318eea25 100644 --- a/blueprints/factories/cloud-identity-group-factory/README.md +++ b/blueprints/factories/cloud-identity-group-factory/README.md 
@@ -9,13 +9,22 @@ Yaml abstraction for Groups can simplify groups creation and members management. ### Terraform code ```hcl -module "prod-firewall" { - source = "./fabric/blueprints/factories/cloud-identity-group-factory" - +module "groups" { + source = "./fabric/blueprints/factories/cloud-identity-group-factory" customer_id = "customers/C0xxxxxxx" data_dir = "data" } -# tftest skip +# tftest modules=2 resources=3 files=group1 inventory=example.yaml +``` + +```yaml +# tftest-file id=group1 path=data/group1@example.com.yaml +display_name: Group 1 +description: Group 1 +members: + - user1@example.com +managers: + - user2@example.com ``` ### Configuration Structure diff --git a/blueprints/factories/net-vpc-firewall-yaml/README.md b/blueprints/factories/net-vpc-firewall-yaml/README.md index 5e7260e9..42cd6fad 100644 --- a/blueprints/factories/net-vpc-firewall-yaml/README.md +++ b/blueprints/factories/net-vpc-firewall-yaml/README.md @@ -17,8 +17,8 @@ module "prod-firewall" { project_id = "my-prod-project" network = "my-prod-network" config_directories = [ - "./prod", - "./common" + "./firewall/prod", + "./firewall/common" ] log_config = { 
@@ -32,13 +32,86 @@ module "dev-firewall" { project_id = "my-dev-project" network = "my-dev-network" config_directories = [ - "./dev", - "./common" + "./firewall/dev", + "./firewall/common" ] } -# tftest skip +# tftest modules=2 resources=16 files=common,dev,prod inventory=example.yaml ``` +```yaml +# tftest-file id=common path=firewall/common/common.yaml +# allow ingress from GCLB to all instances in the network +lb-health-checks: + allow: + - ports: [] + protocol: tcp + direction: INGRESS + priority: 1001 + source_ranges: + - 35.191.0.0/16 + - 130.211.0.0/22 + +# deny all egress +deny-all: + deny: + - ports: [] + protocol: all + direction: EGRESS + priority: 65535 + destination_ranges: + - 0.0.0.0/0 +``` + +```yaml +# tftest-file id=dev path=firewall/dev/app.yaml +# Myapp egress +web-app-dev-egress: + allow: + - ports: [443] + protocol: tcp + direction: EGRESS + destination_ranges: + - 192.168.0.0/24 + target_service_accounts: + - myapp@myproject-dev.iam.gserviceaccount.com +# Myapp ingress +web-app-dev-ingress: + allow: + - ports: [1234] + protocol: tcp + direction: INGRESS + source_service_accounts: + - frontend-sa@myproject-dev.iam.gserviceaccount.com + target_service_accounts: + - web-app-a@myproject-dev.iam.gserviceaccount.com +``` + +```yaml +# tftest-file id=prod path=firewall/prod/app.yaml +# Myapp egress +web-app-prod-egress: + allow: + - ports: [443] + protocol: tcp + direction: EGRESS + destination_ranges: + - 192.168.10.0/24 + target_service_accounts: + - myapp@myproject-prod.iam.gserviceaccount.com +# Myapp ingress +web-app-prod-ingress: + allow: + - ports: [1234] + protocol: tcp + direction: INGRESS + source_service_accounts: + - frontend-sa@myproject-prod.iam.gserviceaccount.com + target_service_accounts: + - web-app-a@myproject-prod.iam.gserviceaccount.com +``` + + ### Configuration Structure ```bash 
@@ -86,54 +159,6 @@ rule-name: # descriptive name, naming convention is adjusted by the module - myapp@myproject-id.iam.gserviceaccount.com ``` - -Firewall rules example yaml configuration - -```bash -cat ./prod/core-network/common-rules.yaml -# allow ingress from GCLB to all instances in the network -lb-health-checks: - allow: - - ports: [] - protocol: tcp - direction: INGRESS - priority: 1001 - source_ranges: - - 35.191.0.0/16 - - 130.211.0.0/22 - -# deny all egress -deny-all: - deny: - - ports: [] - protocol: all - direction: EGRESS - priority: 65535 - destination_ranges: - - 0.0.0.0/0 - -cat ./dev/team-a/web-app-a.yaml -# Myapp egress -web-app-a-egress: - allow: - - ports: [443] - protocol: tcp - direction: EGRESS - destination_ranges: - - 192.168.0.0/24 - target_service_accounts: - - myapp@myproject-id.iam.gserviceaccount.com -# Myapp ingress -web-app-a-ingress: - allow: - - ports: [1234] - protocol: tcp - direction: INGRESS - source_service_accounts: - - frontend-sa@myproject-id.iam.gserviceaccount.com - target_service_accounts: - - web-app-a@myproject-id.iam.gserviceaccount.com -``` ## Variables diff --git a/blueprints/factories/project-factory/README.md b/blueprints/factories/project-factory/README.md index 68e2e1d0..a86e708e 100644 --- a/blueprints/factories/project-factory/README.md +++ b/blueprints/factories/project-factory/README.md @@ -76,7 +76,7 @@ module "projects" { service_identities_iam = try(each.value.service_identities_iam, {}) vpc = try(each.value.vpc, null) } -# tftest modules=7 resources=29 +# tftest modules=7 resources=30 inventory=example.yaml ``` ### Projects configuration diff --git a/blueprints/factories/project-factory/main.tf b/blueprints/factories/project-factory/main.tf index 518d5a69..9dbe1721 100644 --- a/blueprints/factories/project-factory/main.tf +++ b/blueprints/factories/project-factory/main.tf 
@@ -1,5 +1,5 @@ /** - * Copyright 2022 Google LLC + * Copyright 2023 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/blueprints/factories/project-factory/sample-data/projects/project.yaml b/blueprints/factories/project-factory/sample-data/projects/project.yaml index cd7b1837..d8cf982e 100644 --- a/blueprints/factories/project-factory/sample-data/projects/project.yaml +++ b/blueprints/factories/project-factory/sample-data/projects/project.yaml @@ -44,7 +44,8 @@ kms_service_agents: # [opt] Labels for the project - merged with the ones defined in defaults labels: - environment: dev + environment: dev2 + costcenter: apps # [opt] Org policy overrides defined at project level org_policies: @@ -70,7 +71,7 @@ service_accounts: another-service-account: - roles/compute.admin my-service-account: - - roles/compute.admin + - roles/compute.adminv1 # [opt] APIs to enable on the project. services: @@ -103,4 +104,4 @@ vpc: subnets_iam: europe-west1/dev-default-ew1: - user:foobar@example.com - - serviceAccount:service-account1 + - serviceAccount:my-service-account diff --git a/tests/blueprints/apigee/bigquery-analytics/__init__.py b/tests/blueprints/apigee/bigquery-analytics/__init__.py deleted file mode 100644 index 6d6d1266..00000000 --- a/tests/blueprints/apigee/bigquery-analytics/__init__.py +++ /dev/null 
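Review bot: `roles/compute.adminv1`, the new binding for `my-service-account` in sample-data/projects/project.yaml, does not look like a predefined IAM role — the Compute admin role is `roles/compute.admin`, which the `another-service-account` entry just above still uses — and a plan-only test will not catch it because role names are only validated by the IAM API at apply time, so anyone copying the sample gets an apply failure. If the intent was merely to make the two accounts' bindings differ in the inventory, a real role such as `roles/compute.viewer` would serve the same purpose; if a custom role is intended, it should be referenced by its full `projects/…/roles/…` or `organizations/…/roles/…` name and the sample should say so in a comment. The project-factory README in this same commit now pins `resources=30 inventory=example.yaml` against this sample, so the inventory added under tests/modules/project_factory/examples (not shown here) presumably encodes this value too and would need the same correction.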
@@ -1,13 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. diff --git a/tests/blueprints/apigee/bigquery-analytics/basic.tfvars b/tests/blueprints/apigee/bigquery-analytics/basic.tfvars deleted file mode 100644 index 2f9315a4..00000000 --- a/tests/blueprints/apigee/bigquery-analytics/basic.tfvars +++ /dev/null @@ -1,24 +0,0 @@ -project_create = { - billing_account_id = "12345-12345-12345" - parent = "folders/123456789" -} -project_id = "my-project" -envgroups = { - test = ["test.cool-demos.space"] -} -environments = { - apis-test = { - envgroups = ["test"] - } -} -instances = { - instance-ew1 = { - region = "europe-west1" - environments = ["apis-test"] - runtime_ip_cidr_range = "10.0.4.0/22" - troubleshooting_ip_cidr_range = "10.1.0.0/28" - } -} -psc_config = { - europe-west1 = "10.0.0.0/28" -} diff --git a/tests/blueprints/apigee/bigquery-analytics/basic.yaml b/tests/blueprints/apigee/bigquery-analytics/basic.yaml deleted file mode 100644 index 691af456..00000000 --- a/tests/blueprints/apigee/bigquery-analytics/basic.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -counts: - modules: 9 - resources: 62 diff --git a/tests/blueprints/apigee/bigquery-analytics/tftest.yaml b/tests/blueprints/apigee/bigquery-analytics/tftest.yaml deleted file mode 100644 index a3441f55..00000000 --- a/tests/blueprints/apigee/bigquery-analytics/tftest.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -module: blueprints/apigee/bigquery-analytics - -tests: - basic: diff --git a/tests/blueprints/apigee/hybrid-gke/__init__.py b/tests/blueprints/apigee/hybrid-gke/__init__.py deleted file mode 100644 index 6d6d1266..00000000 --- a/tests/blueprints/apigee/hybrid-gke/__init__.py +++ /dev/null 
@@ -1,13 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. diff --git a/tests/blueprints/apigee/hybrid-gke/basic.tfvars b/tests/blueprints/apigee/hybrid-gke/basic.tfvars deleted file mode 100644 index 5b2cb4cc..00000000 --- a/tests/blueprints/apigee/hybrid-gke/basic.tfvars +++ /dev/null @@ -1,6 +0,0 @@ -project_create = { - billing_account_id = "12345-12345-12345" - parent = "folders/123456789" -} -project_id = "my-project" -hostname = "test.myorg.org" \ No newline at end of file diff --git a/tests/blueprints/apigee/hybrid-gke/basic.yaml b/tests/blueprints/apigee/hybrid-gke/basic.yaml deleted file mode 100644 index 0bab5641..00000000 --- a/tests/blueprints/apigee/hybrid-gke/basic.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -counts: - modules: 17 - resources: 59 
diff --git a/tests/blueprints/apigee/hybrid-gke/tftest.yaml b/tests/blueprints/apigee/hybrid-gke/tftest.yaml deleted file mode 100644 index ebe16e57..00000000 --- a/tests/blueprints/apigee/hybrid-gke/tftest.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -module: blueprints/apigee/hybrid-gke - -tests: - basic: diff --git a/tests/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/__init__.py b/tests/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/__init__.py deleted file mode 100644 index 6d6d1266..00000000 --- a/tests/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/__init__.py +++ /dev/null @@ -1,13 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
diff --git a/tests/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/basic.tfvars b/tests/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/basic.tfvars deleted file mode 100644 index ae07c514..00000000 --- a/tests/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/basic.tfvars +++ /dev/null @@ -1,5 +0,0 @@ -billing_account_id = "12345-12345-12345" -parent = "folders/123456789" -apigee_project_id = "my-apigee-project" -onprem_project_id = "my-onprem-project" -hostname = "test.myorg.org" diff --git a/tests/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/basic.yaml b/tests/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/basic.yaml deleted file mode 100644 index de461ff2..00000000 --- a/tests/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/basic.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -counts: - modules: 13 - resources: 73 diff --git a/tests/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/tftest.yaml b/tests/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/tftest.yaml deleted file mode 100644 index 5c92fb82..00000000 --- a/tests/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/tftest.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -module: blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg - -tests: - basic: diff --git a/tests/blueprints/factories/cloud_identity_group_factory/__init__.py b/tests/blueprints/factories/cloud_identity_group_factory/__init__.py deleted file mode 100644 index 6d6d1266..00000000 --- a/tests/blueprints/factories/cloud_identity_group_factory/__init__.py +++ /dev/null @@ -1,13 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. diff --git a/tests/blueprints/factories/cloud_identity_group_factory/examples/example.yaml b/tests/blueprints/factories/cloud_identity_group_factory/examples/example.yaml new file mode 100644 index 00000000..1a8db1b5 --- /dev/null +++ b/tests/blueprints/factories/cloud_identity_group_factory/examples/example.yaml 
@@ -0,0 +1,42 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + module.groups.module.group["group1@example.com"].google_cloud_identity_group.group: + description: Group 1 + display_name: Group 1 + group_key: + - id: group1@example.com + namespace: null + initial_group_config: EMPTY + labels: + cloudidentity.googleapis.com/groups.discussion_forum: '' + parent: customers/C0xxxxxxx + module.groups.module.group["group1@example.com"].google_cloud_identity_group_membership.managers["user2@example.com"]: + preferred_member_key: + - id: user2@example.com + namespace: null + roles: + - name: MANAGER + - name: MEMBER + module.groups.module.group["group1@example.com"].google_cloud_identity_group_membership.members["user1@example.com"]: + preferred_member_key: + - id: user1@example.com + namespace: null + roles: + - name: MEMBER + +counts: + google_cloud_identity_group: 1 + google_cloud_identity_group_membership: 2 diff --git a/tests/blueprints/factories/cloud_identity_group_factory/fixture/data/group1@example.com.yaml b/tests/blueprints/factories/cloud_identity_group_factory/fixture/data/group1@example.com.yaml deleted file mode 100644 index 98bdcb8e..00000000 --- a/tests/blueprints/factories/cloud_identity_group_factory/fixture/data/group1@example.com.yaml +++ /dev/null 
@@ -1,8 +0,0 @@ -# skip boilerplate check - -display_name: Group 1 -description: Group 1 -members: - - user1@example.com -managers: - - user2@example.com \ No newline at end of file diff --git a/tests/blueprints/factories/cloud_identity_group_factory/fixture/main.tf b/tests/blueprints/factories/cloud_identity_group_factory/fixture/main.tf deleted file mode 100644 index 4f56c63c..00000000 --- a/tests/blueprints/factories/cloud_identity_group_factory/fixture/main.tf +++ /dev/null @@ -1,21 +0,0 @@ -/** - * Copyright 2022 Google LLC - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -module "test" { - source = "../../../../../blueprints/factories/cloud-identity-group-factory/" - customer_id = "customers/C01234567" - data_dir = "data" -} diff --git a/tests/blueprints/factories/cloud_identity_group_factory/test_plan.py b/tests/blueprints/factories/cloud_identity_group_factory/test_plan.py deleted file mode 100644 index 7de10b1a..00000000 --- a/tests/blueprints/factories/cloud_identity_group_factory/test_plan.py +++ /dev/null 
@@ -1,19 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -def test_resources(e2e_plan_runner): - "Test that plan works and the numbers of resources is as expected." - modules, resources = e2e_plan_runner() - assert len(modules) == 1 - assert len(resources) == 3 diff --git a/tests/blueprints/factories/net_vpc_firewall_yaml/__init__.py b/tests/blueprints/factories/net_vpc_firewall_yaml/__init__.py deleted file mode 100644 index 6d6d1266..00000000 --- a/tests/blueprints/factories/net_vpc_firewall_yaml/__init__.py +++ /dev/null @@ -1,13 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. diff --git a/tests/blueprints/factories/net_vpc_firewall_yaml/examples/example.yaml b/tests/blueprints/factories/net_vpc_firewall_yaml/examples/example.yaml new file mode 100644 index 00000000..c2375ae5 --- /dev/null +++ b/tests/blueprints/factories/net_vpc_firewall_yaml/examples/example.yaml 
@@ -0,0 +1,188 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.dev-firewall.google_compute_firewall.rules["deny-all"]:
+ allow: []
+ deny:
+ - ports: []
+ protocol: all
+ destination_ranges:
+ - 0.0.0.0/0
+ direction: EGRESS
+ disabled: null
+ log_config: []
+ name: fwr-my-dev-network-all-e-deny-all
+ network: my-dev-network
+ priority: 65535
+ project: my-dev-project
+ source_ranges: null
+ source_service_accounts: null
+ source_tags: null
+ target_service_accounts: null
+ target_tags: null
+ timeouts: null
+ module.dev-firewall.google_compute_firewall.rules["lb-health-checks"]:
+ allow:
+ - ports: []
+ protocol: tcp
+ deny: []
+ direction: INGRESS
+ disabled: null
+ log_config: []
+ name: fwr-my-dev-network-all-i-lb-health-checks
+ network: my-dev-network
+ priority: 1001
+ project: my-dev-project
+ source_ranges:
+ - 130.211.0.0/22
+ - 35.191.0.0/16
+ source_service_accounts: null
+ source_tags: null
+ target_service_accounts: null
+ target_tags: null
+ timeouts: null
+ module.dev-firewall.google_compute_firewall.rules["web-app-dev-egress"]:
+ allow:
+ - ports:
+ - '443'
+ protocol: tcp
+ deny: []
+ destination_ranges:
+ - 192.168.0.0/24
+ direction: EGRESS
+ disabled: null
+ log_config: []
+ name: fwr-my-dev-network-sac-e-web-app-dev-egress
+ network: my-dev-network
+ priority: 1000
+ project: my-dev-project
+ source_ranges: null
+ source_service_accounts: null
+ source_tags: null
+ target_service_accounts:
+ -
myapp@myproject-dev.iam.gserviceaccount.com
+ target_tags: null
+ timeouts: null
+ module.dev-firewall.google_compute_firewall.rules["web-app-dev-ingress"]:
+ allow:
+ - ports:
+ - '1234'
+ protocol: tcp
+ deny: []
+ direction: INGRESS
+ disabled: null
+ log_config: []
+ name: fwr-my-dev-network-sac-i-web-app-dev-ingress
+ network: my-dev-network
+ priority: 1000
+ project: my-dev-project
+ source_ranges: null
+ source_service_accounts:
+ - frontend-sa@myproject-dev.iam.gserviceaccount.com
+ source_tags: null
+ target_service_accounts:
+ - web-app-a@myproject-dev.iam.gserviceaccount.com
+ target_tags: null
+ timeouts: null
+ module.prod-firewall.google_compute_firewall.rules["deny-all"]:
+ allow: []
+ deny:
+ - ports: []
+ protocol: all
+ destination_ranges:
+ - 0.0.0.0/0
+ direction: EGRESS
+ disabled: null
+ log_config:
+ - metadata: INCLUDE_ALL_METADATA
+ name: fwr-my-prod-network-all-e-deny-all
+ network: my-prod-network
+ priority: 65535
+ project: my-prod-project
+ source_ranges: null
+ source_service_accounts: null
+ source_tags: null
+ target_service_accounts: null
+ target_tags: null
+ timeouts: null
+ module.prod-firewall.google_compute_firewall.rules["lb-health-checks"]:
+ allow:
+ - ports: []
+ protocol: tcp
+ deny: []
+ direction: INGRESS
+ disabled: null
+ log_config:
+ - metadata: INCLUDE_ALL_METADATA
+ name: fwr-my-prod-network-all-i-lb-health-checks
+ network: my-prod-network
+ priority: 1001
+ project: my-prod-project
+ source_ranges:
+ - 130.211.0.0/22
+ - 35.191.0.0/16
+ source_service_accounts: null
+ source_tags: null
+ target_service_accounts: null
+ target_tags: null
+ timeouts: null
+ module.prod-firewall.google_compute_firewall.rules["web-app-prod-egress"]:
+ allow:
+ - ports:
+ - '443'
+ protocol: tcp
+ deny: []
+ destination_ranges:
+ - 192.168.10.0/24
+ direction: EGRESS
+ disabled: null
+ log_config:
+ - metadata: INCLUDE_ALL_METADATA
+ name: fwr-my-prod-network-sac-e-web-app-prod-egress
+ network: my-prod-network
+ priority: 1000
+
project: my-prod-project
+ source_ranges: null
+ source_service_accounts: null
+ source_tags: null
+ target_service_accounts:
+ - myapp@myproject-prod.iam.gserviceaccount.com
+ target_tags: null
+ timeouts: null
+ module.prod-firewall.google_compute_firewall.rules["web-app-prod-ingress"]:
+ allow:
+ - ports:
+ - '1234'
+ protocol: tcp
+ deny: []
+ direction: INGRESS
+ disabled: null
+ log_config:
+ - metadata: INCLUDE_ALL_METADATA
+ name: fwr-my-prod-network-sac-i-web-app-prod-ingress
+ network: my-prod-network
+ priority: 1000
+ project: my-prod-project
+ source_ranges: null
+ source_service_accounts:
+ - frontend-sa@myproject-prod.iam.gserviceaccount.com
+ source_tags: null
+ target_service_accounts:
+ - web-app-a@myproject-prod.iam.gserviceaccount.com
+ target_tags: null
+ timeouts: null
+
+counts:
+ google_compute_firewall: 8
diff --git a/tests/blueprints/factories/net_vpc_firewall_yaml/fixture/main.tf b/tests/blueprints/factories/net_vpc_firewall_yaml/fixture/main.tf
deleted file mode 100644
index 22956f40..00000000
--- a/tests/blueprints/factories/net_vpc_firewall_yaml/fixture/main.tf
+++ /dev/null
@@ -1,25 +0,0 @@
-/**
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-module "firewall" {
- source = "../../../../../blueprints/factories/net-vpc-firewall-yaml"
- project_id = "my-project"
- network = "my-network"
- config_directories = [
- "./rules"
- ]
- log_config = var.log_config
-}
diff --git a/tests/blueprints/factories/net_vpc_firewall_yaml/fixture/rules/common.yaml b/tests/blueprints/factories/net_vpc_firewall_yaml/fixture/rules/common.yaml
deleted file mode 100644
index cbe8466f..00000000
--- a/tests/blueprints/factories/net_vpc_firewall_yaml/fixture/rules/common.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# allow ingress from GCLB to all instances in the network
-lb-health-checks:
- allow:
- - ports: []
- protocol: tcp
- direction: INGRESS
- priority: 1001
- source_ranges:
- - 35.191.0.0/16
- - 130.211.0.0/22
-
-# deny all egress
-deny-all:
- deny:
- - ports: []
- protocol: all
- direction: EGRESS
- priority: 65535
- destination_ranges:
- - 0.0.0.0/0
diff --git a/tests/blueprints/factories/net_vpc_firewall_yaml/fixture/variables.tf b/tests/blueprints/factories/net_vpc_firewall_yaml/fixture/variables.tf
deleted file mode 100644
index 018289fe..00000000
--- a/tests/blueprints/factories/net_vpc_firewall_yaml/fixture/variables.tf
+++ /dev/null
@@ -1,23 +0,0 @@
-/**
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-variable "log_config" {
- description = "Log configuration. Possible values for `metadata` are `EXCLUDE_ALL_METADATA` and `INCLUDE_ALL_METADATA`. Set to `null` for disabling firewall logging."
- type = object({
- metadata = string
- })
- default = null
-}
diff --git a/tests/blueprints/factories/net_vpc_firewall_yaml/test_plan.py b/tests/blueprints/factories/net_vpc_firewall_yaml/test_plan.py
deleted file mode 100644
index 80205e57..00000000
--- a/tests/blueprints/factories/net_vpc_firewall_yaml/test_plan.py
+++ /dev/null
@@ -1,42 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-def test_firewall_simple(plan_runner):
- "Test firewall rules from rules/common.yaml with no extra options."
- _, resources = plan_runner()
- assert len(resources) == 4
- assert set(r['type'] for r in resources) == set([
- 'google_compute_firewall', 'time_static'
- ])
- firewall_values = [r['values'] for r in resources if r['type']
- == 'google_compute_firewall']
- assert set([f['project'] for f in firewall_values]) == set(['my-project'])
- assert set([f['network'] for f in firewall_values]) == set(['my-network'])
-
-
-def test_firewall_log_config(plan_runner):
- "Test firewall rules log configuration."
- log_config = """ {
- metadata = "INCLUDE_ALL_METADATA"
- }
- """
- log_config_value = [{"metadata": "INCLUDE_ALL_METADATA"}]
- _, resources = plan_runner(log_config=log_config)
- assert len(resources) == 4
- assert set(r['type'] for r in resources) == set([
- 'google_compute_firewall', 'time_static'
- ])
- firewall_values = [r['values'] for r in resources if r['type']
- == 'google_compute_firewall']
- assert all(f['log_config'] == log_config_value for f in firewall_values)
diff --git a/tests/blueprints/factories/project_factory/__init__.py b/tests/blueprints/factories/project_factory/__init__.py
deleted file mode 100644
index 6d6d1266..00000000
--- a/tests/blueprints/factories/project_factory/__init__.py
+++ /dev/null
@@ -1,13 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
diff --git a/tests/blueprints/factories/project_factory/fixture/defaults.yaml b/tests/blueprints/factories/project_factory/fixture/defaults.yaml
deleted file mode 100644
index 61837818..00000000
--- a/tests/blueprints/factories/project_factory/fixture/defaults.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-# skip boilerplate check
-
-billing_account_id: 012345-67890A-BCDEF0
-
-# [opt] Setup for billing alerts
-billing_alert:
- amount: 1000
- thresholds:
- current: [0.5, 0.8]
- forecasted: [0.5, 0.8]
- credit_treatment: INCLUDE_ALL_CREDITS
-
-# [opt] Contacts for billing alerts and important notifications
-essential_contacts: ["team-contacts@example.com"]
-
-# [opt] Labels set for all projects
-labels:
- environment: prod
- department: accounting
- application: example-app
- foo: bar
-
-# [opt] Additional notification channels for billing
-notification_channels: []
-prefix: test
diff --git a/tests/blueprints/factories/project_factory/fixture/main.tf b/tests/blueprints/factories/project_factory/fixture/main.tf
deleted file mode 100644
index ae686b93..00000000
--- a/tests/blueprints/factories/project_factory/fixture/main.tf
+++ /dev/null
@@ -1,52 +0,0 @@
-/**
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-locals {
- _defaults = yamldecode(file(var.defaults_file))
- _defaults_net = {
- billing_account_id = var.billing_account_id
- environment_dns_zone = var.environment_dns_zone
- shared_vpc_self_link = var.shared_vpc_self_link
- vpc_host_project = var.vpc_host_project
- }
- defaults = merge(local._defaults, local._defaults_net)
- projects = {
- for f in fileset("${var.data_dir}", "**/*.yaml") :
- trimsuffix(f, ".yaml") => yamldecode(file("${var.data_dir}/${f}"))
- }
-}
-
-module "projects" {
- source = "../../../../../blueprints/factories/project-factory"
- for_each = local.projects
- defaults = local.defaults
- project_id = each.key
- billing_account_id = try(each.value.billing_account_id, null)
- billing_alert = try(each.value.billing_alert, null)
- dns_zones = try(each.value.dns_zones, [])
- essential_contacts = try(each.value.essential_contacts, [])
- folder_id = each.value.folder_id
- group_iam = try(each.value.group_iam, {})
- iam = try(each.value.iam, {})
- kms_service_agents = try(each.value.kms, {})
- labels = try(each.value.labels, {})
- org_policies = try(each.value.org_policies, null)
- prefix = each.value.prefix
- service_accounts = try(each.value.service_accounts, {})
- services = try(each.value.services, [])
- service_identities_iam = try(each.value.service_identities_iam, {})
- vpc = try(each.value.vpc, null)
-}
diff --git a/tests/blueprints/factories/project_factory/fixture/projects/project.yaml b/tests/blueprints/factories/project_factory/fixture/projects/project.yaml
deleted file mode 100644
index b8d6e663..00000000
--- a/tests/blueprints/factories/project_factory/fixture/projects/project.yaml
+++ /dev/null
@@ -1,103 +0,0 @@
-# skip boilerplate check
-
-# [opt] Billing account id - overrides default if set
-billing_account_id: 012345-67890A-BCDEF0
-
-# [opt] Billing alerts config - overrides default if set
-billing_alert:
- amount: 10
- thresholds:
- current:
- - 0.5
- - 0.8
- forecasted: []
- credit_treatment: INCLUDE_ALL_CREDITS
-
-# [opt] DNS zones to be created as children of the environment_dns_zone defined in defaults
-dns_zones:
- - lorem
- - ipsum
-
-# [opt] Contacts for billing alerts and important notifications
-essential_contacts:
- - team-a-contacts@example.com
-
-# Folder the project will be created as children of
-folder_id: folders/012345678901
-
-# [opt] Authoritative IAM bindings in group => [roles] format
-group_iam:
- test-team-foobar@fast-lab-0.gcp-pso-italy.net:
- - roles/compute.admin
-
-# [opt] Authoritative IAM bindings in role => [principals] format
-# Generally used to grant roles to service accounts external to the project
-iam:
- roles/compute.admin:
- - serviceAccount:service-account
-
-# [opt] Service robots and keys they will be assigned as cryptoKeyEncrypterDecrypter
-# in service => [keys] format
-kms_service_agents:
- compute: [key1, key2]
- storage: [key1, key2]
-
-# [opt] Labels for the project - merged with the ones defined in defaults
-labels:
- environment: prod
-
-# [opt] Org policy overrides defined at project level
-org_policies:
- compute.disableGuestAttributesAccess:
- rules:
- - enforce: true
- compute.trustedImageProjects:
- rules:
- - allow:
- values:
- - projects/fast-prod-iac-core-0
-
-# [opt] Prefix - overrides default if set
-prefix: test1
-
-# [opt] Service account to create for the project and their roles on the project
-# in name => [roles] format
-service_accounts:
- another-service-account:
- - roles/compute.admin
- my-service-account:
- - roles/compute.admin
-
-# [opt] APIs to enable on the project.
-services:
- - storage.googleapis.com
- - stackdriver.googleapis.com
- - compute.googleapis.com
-
-# [opt] Roles to assign to the service identities in service => [roles] format
-service_identities_iam:
- compute:
- - roles/storage.objectViewer
-
- # [opt] VPC setup.
- # If set enables the `compute.googleapis.com` service and configures
- # service project attachment
-vpc:
- # [opt] If set, enables the container API
- gke_setup:
- # Grants "roles/container.hostServiceAgentUser" to the container robot if set
- enable_host_service_agent: false
-
- # Grants "roles/compute.securityAdmin" to the container robot if set
- enable_security_admin: true
-
- # Host project the project will be service project of
- host_project: fast-prod-net-spoke-0
-
- # [opt] Subnets in the host project where principals will be granted networkUser
- # in region/subnet-name => [principals]
- subnets_iam:
- europe-west1/prod-default-ew1:
- - user:foobar@example.com
- - serviceAccount:service-account1@example.com
- - my-service-account
diff --git a/tests/blueprints/factories/project_factory/fixture/variables.tf b/tests/blueprints/factories/project_factory/fixture/variables.tf
deleted file mode 100644
index d0d6759b..00000000
--- a/tests/blueprints/factories/project_factory/fixture/variables.tf
+++ /dev/null
@@ -1,64 +0,0 @@
-/**
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-variable "billing_account_id" {
- description = "Billing account id."
- type = string
- default = "012345-67890A-BCDEF0"
-}
-
-variable "data_dir" {
- description = "Relative path for the folder storing configuration data."
- type = string
- default = "./projects/"
-}
-
-variable "environment_dns_zone" {
- description = "DNS zone suffix for environment."
- type = string
- default = "prod.gcp.example.com"
-}
-
-variable "defaults_file" {
- description = "Relative path for the file storing the project factory configuration."
- type = string
- default = "./defaults.yaml"
-}
-
-variable "service_accounts" {
- description = "Service accounts to be created, and roles assigned them on the project."
- type = map(list(string))
- default = {}
-}
-
-variable "service_accounts_iam" {
- description = "IAM bindings on service account resources. Format is KEY => {ROLE => [MEMBERS]}"
- type = map(map(list(string)))
- default = {}
- nullable = false
-}
-
-variable "shared_vpc_self_link" {
- description = "Self link for the shared VPC."
- type = string
- default = "self-link"
-}
-
-variable "vpc_host_project" {
- description = "Host project for the shared VPC."
- type = string
- default = "host-project"
-}
diff --git a/tests/blueprints/factories/project_factory/test_plan.py b/tests/blueprints/factories/project_factory/test_plan.py
deleted file mode 100644
index 4c8e8641..00000000
--- a/tests/blueprints/factories/project_factory/test_plan.py
+++ /dev/null
@@ -1,36 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-def test_plan(e2e_plan_runner):
- "Check for a clean plan"
- modules, resources = e2e_plan_runner()
- assert len(modules) > 0 and len(resources) > 0
-
-
-def test_plan_service_accounts(e2e_plan_runner):
- "Check for a clean plan"
- service_accounts = '''{
- sa-001 = []
- sa-002 = ["roles/owner"]
- }'''
- service_accounts_iam = '''{
- sa-002 = {
- "roles/iam.serviceAccountTokenCreator" = ["group:team-1@example.com"]
- }
- }'''
- modules, resources = e2e_plan_runner(
- service_accounts=service_accounts,
- service_accounts_iam=service_accounts_iam)
- assert len(modules) > 0 and len(resources) > 0
diff --git a/tests/examples/test_plan.py b/tests/examples/test_plan.py
index 261276f7..b12d82fc 100644
--- a/tests/examples/test_plan.py
+++ b/tests/examples/test_plan.py
@@ -18,7 +18,7 @@ from pathlib import Path
 BASE_PATH = Path(__file__).parent
 COUNT_TEST_RE = re.compile(r'# tftest +modules=(\d+) +resources=(\d+)' +
- r'(?: +files=([\w,_-]+))?' +
+ r'(?: +files=([\w@,_-]+))?' +
 r'(?: +inventory=([\w\-.]+))?')
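Review bot: The widened class in the added `files=` group still excludes `.`, so a file id written as a full address such as `group1@example.com` would match only up to `example`, and because the optional `inventory=` group follows immediately it would then silently fail to match, dropping the inventory name; the `inventory=` class `[\w\-.]` already admits a dot. If ids with dots are intended, `r'(?: +files=([\w@.,_-]+))?' +` closes that gap, and the `_` inside the class is already covered by `\w`. Whether any README directive actually uses a dotted id cannot be confirmed from this hunk, and the code that consumes COUNT_TEST_RE lies outside it.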
diff --git a/tests/modules/project_factory/examples/example.yaml b/tests/modules/project_factory/examples/example.yaml
new file mode 100644
index 00000000..fc166a0e
--- /dev/null
+++ b/tests/modules/project_factory/examples/example.yaml
@@ -0,0 +1,235 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This is one of the few modules where it actually makes sense to be
+# very verbose with values
+
+values:
+ module.projects["project"].google_compute_subnetwork_iam_member.default["dev-default-ew1:serviceAccount:my-service-account"]:
+ condition: []
+ member: serviceAccount:my-service-account
+ project: fast-dev-net-spoke-0
+ region: europe-west1
+ role: roles/compute.networkUser
+ subnetwork: projects/fast-dev-net-spoke-0/regions/europe-west1/subnetworks/dev-default-ew1
+ module.projects["project"].google_compute_subnetwork_iam_member.default["dev-default-ew1:user:foobar@example.com"]:
+ condition: []
+ member: user:foobar@example.com
+ project: fast-dev-net-spoke-0
+ region: europe-west1
+ role: roles/compute.networkUser
+ subnetwork: projects/fast-dev-net-spoke-0/regions/europe-west1/subnetworks/dev-default-ew1
+ module.projects["project"].module.billing-alert["1"].google_billing_budget.budget:
+ all_updates_rule:
+ - disable_default_iam_recipients: false
+ pubsub_topic: null
+ schema_version: '1.0'
+ amount:
+ - last_period_amount: null
+ specified_amount:
+ - nanos: null
+ units: '10'
+ billing_account: 012345-67890A-BCDEF0
+ budget_filter:
+ - calendar_period: null
+ credit_types_treatment: INCLUDE_ALL_CREDITS
+ custom_period: []
+ display_name: test1-project budget
+ threshold_rules:
+ - spend_basis: CURRENT_SPEND
+ threshold_percent: 0.5
+ - spend_basis:
CURRENT_SPEND
+ threshold_percent: 0.8
+ module.projects["project"].module.billing-alert["1"].google_monitoring_notification_channel.email_channels["team-a-contacts@example.com"]:
+ display_name: test1-project budget budget email notification (team-a-contacts@example.com)
+ labels:
+ email_address: team-a-contacts@example.com
+ project: test1-project
+ sensitive_labels: []
+ type: email
+ module.projects["project"].module.billing-alert["1"].google_monitoring_notification_channel.email_channels["team-contacts@example.com"]:
+ display_name: test1-project budget budget email notification (team-contacts@example.com)
+ labels:
+ email_address: team-contacts@example.com
+ project: test1-project
+ sensitive_labels: []
+ type: email
+ module.projects["project"].module.dns["ipsum"].google_dns_managed_zone.non-public[0]:
+ dns_name: ipsum.dev.example.org
+ name: ipsum
+ private_visibility_config:
+ - gke_clusters: []
+ networks:
+ - network_url: projects/foo/networks/bar
+ project: fast-dev-net-spoke-0
+ visibility: private
+ module.projects["project"].module.dns["lorem"].google_dns_managed_zone.non-public[0]:
+ dns_name: lorem.dev.example.org
+ name: lorem
+ private_visibility_config:
+ - gke_clusters: []
+ networks:
+ - network_url: projects/foo/networks/bar
+ project: fast-dev-net-spoke-0
+ module.projects["project"].module.project.google_compute_shared_vpc_service_project.shared_vpc_service[0]:
+ host_project: fast-dev-net-spoke-0
+ service_project: test1-project
+ module.projects["project"].module.project.google_essential_contacts_contact.contact["team-a-contacts@example.com"]:
+ email: team-a-contacts@example.com
+ language_tag: en
+ notification_category_subscriptions:
+ - ALL
+ parent: projects/test1-project
+ module.projects["project"].module.project.google_essential_contacts_contact.contact["team-contacts@example.com"]:
+ email: team-contacts@example.com
+ language_tag: en
+ notification_category_subscriptions:
+ - ALL
+ parent: projects/test1-project
+
module.projects["project"].module.project.google_org_policy_policy.default["constraints/compute.disableGuestAttributesAccess"]:
+ name: projects/test1-project/policies/constraints/compute.disableGuestAttributesAccess
+ parent: projects/test1-project
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: 'TRUE'
+ values: []
+ module.projects["project"].module.project.google_org_policy_policy.default["constraints/compute.trustedImageProjects"]:
+ name: projects/test1-project/policies/constraints/compute.trustedImageProjects
+ parent: projects/test1-project
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: null
+ enforce: null
+ values:
+ - allowed_values:
+ - projects/fast-dev-iac-core-0
+ denied_values: null
+ module.projects["project"].module.project.google_org_policy_policy.default["constraints/compute.vmExternalIpAccess"]:
+ name: projects/test1-project/policies/constraints/compute.vmExternalIpAccess
+ parent: projects/test1-project
+ spec:
+ - inherit_from_parent: null
+ reset: null
+ rules:
+ - allow_all: null
+ condition: []
+ deny_all: 'TRUE'
+ enforce: null
+ values: []
+ module.projects["project"].module.project.google_project.project[0]:
+ auto_create_network: false
+ billing_account: 012345-67890A-BCDEF0
+ folder_id: 012345678901
+ labels:
+ application: example-app
+ costcenter: apps
+ department: accounting
+ environment: dev
+ foo: bar
+ name: test1-project
+ org_id: null
+ project_id: test1-project
+ skip_delete: false
+ module.projects["project"].module.project.google_project_iam_binding.authoritative["roles/compute.admin"]:
+ condition: []
+ project: test1-project
+ role: roles/compute.admin
+ module.projects["project"].module.project.google_project_iam_binding.authoritative["roles/compute.adminv1"]:
+ condition: []
+ project: test1-project
+ role: roles/compute.adminv1
+
module.projects["project"].module.project.google_project_iam_binding.authoritative["roles/storage.objectViewer"]:
+ condition: []
+ project: test1-project
+ role: roles/storage.objectViewer
+ module.projects["project"].module.project.google_project_iam_member.shared_vpc_host_robots["roles/compute.networkUser:cloudservices"]:
+ condition: []
+ project: fast-dev-net-spoke-0
+ role: roles/compute.networkUser
+ module.projects["project"].module.project.google_project_iam_member.shared_vpc_host_robots["roles/compute.securityAdmin:container-engine"]:
+ condition: []
+ project: fast-dev-net-spoke-0
+ role: roles/compute.securityAdmin
+ module.projects["project"].module.project.google_project_service.project_services["billingbudgets.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test1-project
+ service: billingbudgets.googleapis.com
+ module.projects["project"].module.project.google_project_service.project_services["compute.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test1-project
+ service: compute.googleapis.com
+ module.projects["project"].module.project.google_project_service.project_services["container.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test1-project
+ service: container.googleapis.com
+ module.projects["project"].module.project.google_project_service.project_services["dns.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test1-project
+ service: dns.googleapis.com
+ module.projects["project"].module.project.google_project_service.project_services["essentialcontacts.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test1-project
+ service: essentialcontacts.googleapis.com
+ module.projects["project"].module.project.google_project_service.project_services["orgpolicy.googleapis.com"]:
+ disable_dependent_services: false
+
disable_on_destroy: false
+ project: test1-project
+ service: orgpolicy.googleapis.com
+ module.projects["project"].module.project.google_project_service.project_services["stackdriver.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test1-project
+ service: stackdriver.googleapis.com
+ module.projects["project"].module.project.google_project_service.project_services["storage.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: test1-project
+ service: storage.googleapis.com
+ module.projects["project"].module.service-accounts["another-service-account"].google_service_account.service_account[0]:
+ account_id: another-service-account
+ display_name: Terraform-managed.
+ project: test1-project
+ module.projects["project"].module.service-accounts["my-service-account"].google_service_account.service_account[0]:
+ account_id: my-service-account
+ display_name: Terraform-managed.
+ project: test1-project
+
+counts:
+ google_billing_budget: 1
+ google_compute_shared_vpc_service_project: 1
+ google_compute_subnetwork_iam_member: 2
+ google_dns_managed_zone: 2
+ google_essential_contacts_contact: 2
+ google_monitoring_notification_channel: 2
+ google_org_policy_policy: 3
+ google_project: 1
+ google_project_iam_binding: 3
+ google_project_iam_member: 2
+ google_project_service: 8
+ google_service_account: 2
+ google_storage_project_service_account: 1
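Review bot: The `module.dns["lorem"]` zone entry omits `visibility: private` while the otherwise identical `module.dns["ipsum"]` entry pins it, so this inventory only asserts zone visibility for one of the two zones; adding `visibility: private` under the lorem zone (or dropping it from ipsum) makes the two checks consistent. The `authoritative["roles/compute.adminv1"]` binding appears to mirror a role name in the sample data that is not part of this diff; since the inventory will lock that value in, it is worth confirming the name is intended rather than a slip. The org-policy entries pin `enforce: 'TRUE'` and `deny_all: 'TRUE'` as strings, which matches how the plan renders them, so no change is needed there.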