Update factories and apigee tests

Julio Castillo 2023-02-24 18:28:55 +01:00
parent b186365cab
commit edce6edd28
41 changed files with 629 additions and 736 deletions


@ -76,3 +76,35 @@ Do the following to verify that everything works as expected.
| [ip_address](outputs.tf#L17) | IP address. | |
<!-- END TFDOC -->
## Test
```hcl
module "test" {
source = "./fabric/blueprints/apigee/bigquery-analytics"
project_create = {
billing_account_id = "12345-12345-12345"
parent = "folders/123456789"
}
project_id = "my-project"
envgroups = {
test = ["test.cool-demos.space"]
}
environments = {
apis-test = {
envgroups = ["test"]
}
}
instances = {
instance-ew1 = {
region = "europe-west1"
environments = ["apis-test"]
runtime_ip_cidr_range = "10.0.4.0/22"
troubleshooting_ip_cidr_range = "10.1.0.0/28"
}
}
psc_config = {
europe-west1 = "10.0.0.0/28"
}
}
# tftest modules=10 resources=62
```


@ -29,7 +29,7 @@ The diagram below depicts the architecture.
5. Install Apigee hybrid using de ansible playbook that is in the ansible folder by running this command
ansible-playbook playbook.yaml -vvvß
ansible-playbook playbook.yaml -vvv
## Testing the blueprint
@ -67,3 +67,18 @@ The diagram below depicts the architecture.
| [ip_address](outputs.tf#L17) | GLB IP address. | |
<!-- END TFDOC -->
## Test
```hcl
module "test" {
source = "./fabric/blueprints/apigee/hybrid-gke"
project_create = {
billing_account_id = "12345-12345-12345"
parent = "folders/123456789"
}
project_id = "my-project"
hostname = "test.myorg.org"
}
# tftest modules=18 resources=59
```


@ -67,3 +67,17 @@ Do the following to verify that everything works as expected.
| [ip_address](outputs.tf#L17) | GLB IP address. | |
<!-- END TFDOC -->
## Test
```hcl
module "test" {
source = "./fabric/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg"
billing_account_id = "12345-12345-12345"
parent = "folders/123456789"
apigee_project_id = "my-apigee-project"
onprem_project_id = "my-onprem-project"
hostname = "test.myorg.org"
}
# tftest modules=14 resources=73
```


@ -74,6 +74,7 @@ This blueprint can be used as a building block for setting up an end2end ML Ops
| [project_id](outputs.tf#L49) | Project ID. | |
<!-- END TFDOC -->
## TODO
- Add support for User Managed Notebooks, SA permission option and non default SA for Single User mode.
- Improve default naming for local VPC and Cloud NAT


@ -71,6 +71,7 @@ module "bq" {
| [views_path](variables.tf#L27) | Relative path for the folder storing view data. | <code>string</code> | ✓ | |
<!-- END TFDOC -->
## TODO
- [ ] add external table support


@ -9,13 +9,22 @@ Yaml abstraction for Groups can simplify groups creation and members management.
### Terraform code
```hcl
module "prod-firewall" {
module "groups" {
source = "./fabric/blueprints/factories/cloud-identity-group-factory"
customer_id = "customers/C0xxxxxxx"
data_dir = "data"
}
# tftest skip
# tftest modules=2 resources=3 files=group1 inventory=example.yaml
```
```yaml
# tftest-file id=group1 path=data/group1@example.com.yaml
display_name: Group 1
description: Group 1
members:
- user1@example.com
managers:
- user2@example.com
```
### Configuration Structure


@ -17,8 +17,8 @@ module "prod-firewall" {
project_id = "my-prod-project"
network = "my-prod-network"
config_directories = [
"./prod",
"./common"
"./firewall/prod",
"./firewall/common"
]
log_config = {
@ -32,13 +32,86 @@ module "dev-firewall" {
project_id = "my-dev-project"
network = "my-dev-network"
config_directories = [
"./dev",
"./common"
"./firewall/dev",
"./firewall/common"
]
}
# tftest skip
# tftest modules=2 resources=16 files=common,dev,prod inventory=example.yaml
```
```yaml
# tftest-file id=common path=firewall/common/common.yaml
# allow ingress from GCLB to all instances in the network
lb-health-checks:
allow:
- ports: []
protocol: tcp
direction: INGRESS
priority: 1001
source_ranges:
- 35.191.0.0/16
- 130.211.0.0/22
# deny all egress
deny-all:
deny:
- ports: []
protocol: all
direction: EGRESS
priority: 65535
destination_ranges:
- 0.0.0.0/0
```
```yaml
# tftest-file id=dev path=firewall/dev/app.yaml
# Myapp egress
web-app-dev-egress:
allow:
- ports: [443]
protocol: tcp
direction: EGRESS
destination_ranges:
- 192.168.0.0/24
target_service_accounts:
- myapp@myproject-dev.iam.gserviceaccount.com
# Myapp ingress
web-app-dev-ingress:
allow:
- ports: [1234]
protocol: tcp
direction: INGRESS
source_service_accounts:
- frontend-sa@myproject-dev.iam.gserviceaccount.com
target_service_accounts:
- web-app-a@myproject-dev.iam.gserviceaccount.com
```
```yaml
# tftest-file id=prod path=firewall/prod/app.yaml
# Myapp egress
web-app-prod-egress:
allow:
- ports: [443]
protocol: tcp
direction: EGRESS
destination_ranges:
- 192.168.10.0/24
target_service_accounts:
- myapp@myproject-prod.iam.gserviceaccount.com
# Myapp ingress
web-app-prod-ingress:
allow:
- ports: [1234]
protocol: tcp
direction: INGRESS
source_service_accounts:
- frontend-sa@myproject-prod.iam.gserviceaccount.com
target_service_accounts:
- web-app-a@myproject-prod.iam.gserviceaccount.com
```
### Configuration Structure
```bash
@ -86,54 +159,6 @@ rule-name: # descriptive name, naming convention is adjusted by the module
- myapp@myproject-id.iam.gserviceaccount.com
```
Firewall rules example yaml configuration
```bash
cat ./prod/core-network/common-rules.yaml
# allow ingress from GCLB to all instances in the network
lb-health-checks:
allow:
- ports: []
protocol: tcp
direction: INGRESS
priority: 1001
source_ranges:
- 35.191.0.0/16
- 130.211.0.0/22
# deny all egress
deny-all:
deny:
- ports: []
protocol: all
direction: EGRESS
priority: 65535
destination_ranges:
- 0.0.0.0/0
cat ./dev/team-a/web-app-a.yaml
# Myapp egress
web-app-a-egress:
allow:
- ports: [443]
protocol: tcp
direction: EGRESS
destination_ranges:
- 192.168.0.0/24
target_service_accounts:
- myapp@myproject-id.iam.gserviceaccount.com
# Myapp ingress
web-app-a-ingress:
allow:
- ports: [1234]
protocol: tcp
direction: INGRESS
source_service_accounts:
- frontend-sa@myproject-id.iam.gserviceaccount.com
target_service_accounts:
- web-app-a@myproject-id.iam.gserviceaccount.com
```
<!-- BEGIN TFDOC -->
## Variables


@ -76,7 +76,7 @@ module "projects" {
service_identities_iam = try(each.value.service_identities_iam, {})
vpc = try(each.value.vpc, null)
}
# tftest modules=7 resources=29
# tftest modules=7 resources=30 inventory=example.yaml
```
### Projects configuration


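--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,5 +1,5 @@
 /**
-* Copyright 2022 Google LLC
+* Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.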


@ -44,7 +44,8 @@ kms_service_agents:
# [opt] Labels for the project - merged with the ones defined in defaults
labels:
environment: dev
environment: dev2
costcenter: apps
# [opt] Org policy overrides defined at project level
org_policies:
@ -70,7 +71,7 @@ service_accounts:
another-service-account:
- roles/compute.admin
my-service-account:
- roles/compute.admin
- roles/compute.adminv1
# [opt] APIs to enable on the project.
services:
@ -103,4 +104,4 @@ vpc:
subnets_iam:
europe-west1/dev-default-ew1:
- user:foobar@example.com
- serviceAccount:service-account1
- serviceAccount:my-service-account
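Review bot: `roles/compute.adminv1` on the line replacing `- roles/compute.admin` under `my-service-account` is not a predefined IAM role, so this sample project would be rejected at apply even though the plan-only inventory test accepts it. It looks deliberate — giving the two accounts different roles is presumably what moves the README's expected count from 29 to 30 resources in the project-factory hunk — but a real role such as `roles/compute.viewer` would give the same distinction without teaching readers an invalid name. The hunk's last line changes the subnet principal to `serviceAccount:my-service-account`, a bare name with no domain; if the factory resolves that to the service account it creates in this project, a comment such as `# short name of a service account created above` would make the intent explicit, otherwise it should be a full email like the `user:` entry beside it.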


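--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,13 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.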


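--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,24 +0,0 @@
-project_create = {
-billing_account_id = "12345-12345-12345"
-parent = "folders/123456789"
-}
-project_id = "my-project"
-envgroups = {
-test = ["test.cool-demos.space"]
-}
-environments = {
-apis-test = {
-envgroups = ["test"]
-}
-}
-instances = {
-instance-ew1 = {
-region = "europe-west1"
-environments = ["apis-test"]
-runtime_ip_cidr_range = "10.0.4.0/22"
-troubleshooting_ip_cidr_range = "10.1.0.0/28"
-}
-}
-psc_config = {
-europe-west1 = "10.0.0.0/28"
-}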


@ -1,17 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
counts:
modules: 9
resources: 62


@ -1,18 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
module: blueprints/apigee/bigquery-analytics
tests:
basic:


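--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,13 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.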


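--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,6 +0,0 @@
-project_create = {
-billing_account_id = "12345-12345-12345"
-parent = "folders/123456789"
-}
-project_id = "my-project"
-hostname = "test.myorg.org"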


@ -1,17 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
counts:
modules: 17
resources: 59


@ -1,18 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
module: blueprints/apigee/hybrid-gke
tests:
basic:


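--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,13 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.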


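--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,5 +0,0 @@
-billing_account_id = "12345-12345-12345"
-parent = "folders/123456789"
-apigee_project_id = "my-apigee-project"
-onprem_project_id = "my-onprem-project"
-hostname = "test.myorg.org"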


@ -1,17 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
counts:
modules: 13
resources: 73


@ -1,18 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
module: blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg
tests:
basic:


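--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,13 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.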


@ -0,0 +1,42 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.groups.module.group["group1@example.com"].google_cloud_identity_group.group:
description: Group 1
display_name: Group 1
group_key:
- id: group1@example.com
namespace: null
initial_group_config: EMPTY
labels:
cloudidentity.googleapis.com/groups.discussion_forum: ''
parent: customers/C0xxxxxxx
module.groups.module.group["group1@example.com"].google_cloud_identity_group_membership.managers["user2@example.com"]:
preferred_member_key:
- id: user2@example.com
namespace: null
roles:
- name: MANAGER
- name: MEMBER
module.groups.module.group["group1@example.com"].google_cloud_identity_group_membership.members["user1@example.com"]:
preferred_member_key:
- id: user1@example.com
namespace: null
roles:
- name: MEMBER
counts:
google_cloud_identity_group: 1
google_cloud_identity_group_membership: 2


@ -1,8 +0,0 @@
# skip boilerplate check
display_name: Group 1
description: Group 1
members:
- user1@example.com
managers:
- user2@example.com


@ -1,21 +0,0 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
module "test" {
source = "../../../../../blueprints/factories/cloud-identity-group-factory/"
customer_id = "customers/C01234567"
data_dir = "data"
}


@ -1,19 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
def test_resources(e2e_plan_runner):
"Test that plan works and the numbers of resources is as expected."
modules, resources = e2e_plan_runner()
assert len(modules) == 1
assert len(resources) == 3


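--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,13 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.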


@ -0,0 +1,188 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.dev-firewall.google_compute_firewall.rules["deny-all"]:
allow: []
deny:
- ports: []
protocol: all
destination_ranges:
- 0.0.0.0/0
direction: EGRESS
disabled: null
log_config: []
name: fwr-my-dev-network-all-e-deny-all
network: my-dev-network
priority: 65535
project: my-dev-project
source_ranges: null
source_service_accounts: null
source_tags: null
target_service_accounts: null
target_tags: null
timeouts: null
module.dev-firewall.google_compute_firewall.rules["lb-health-checks"]:
allow:
- ports: []
protocol: tcp
deny: []
direction: INGRESS
disabled: null
log_config: []
name: fwr-my-dev-network-all-i-lb-health-checks
network: my-dev-network
priority: 1001
project: my-dev-project
source_ranges:
- 130.211.0.0/22
- 35.191.0.0/16
source_service_accounts: null
source_tags: null
target_service_accounts: null
target_tags: null
timeouts: null
module.dev-firewall.google_compute_firewall.rules["web-app-dev-egress"]:
allow:
- ports:
- '443'
protocol: tcp
deny: []
destination_ranges:
- 192.168.0.0/24
direction: EGRESS
disabled: null
log_config: []
name: fwr-my-dev-network-sac-e-web-app-dev-egress
network: my-dev-network
priority: 1000
project: my-dev-project
source_ranges: null
source_service_accounts: null
source_tags: null
target_service_accounts:
- myapp@myproject-dev.iam.gserviceaccount.com
target_tags: null
timeouts: null
module.dev-firewall.google_compute_firewall.rules["web-app-dev-ingress"]:
allow:
- ports:
- '1234'
protocol: tcp
deny: []
direction: INGRESS
disabled: null
log_config: []
name: fwr-my-dev-network-sac-i-web-app-dev-ingress
network: my-dev-network
priority: 1000
project: my-dev-project
source_ranges: null
source_service_accounts:
- frontend-sa@myproject-dev.iam.gserviceaccount.com
source_tags: null
target_service_accounts:
- web-app-a@myproject-dev.iam.gserviceaccount.com
target_tags: null
timeouts: null
module.prod-firewall.google_compute_firewall.rules["deny-all"]:
allow: []
deny:
- ports: []
protocol: all
destination_ranges:
- 0.0.0.0/0
direction: EGRESS
disabled: null
log_config:
- metadata: INCLUDE_ALL_METADATA
name: fwr-my-prod-network-all-e-deny-all
network: my-prod-network
priority: 65535
project: my-prod-project
source_ranges: null
source_service_accounts: null
source_tags: null
target_service_accounts: null
target_tags: null
timeouts: null
module.prod-firewall.google_compute_firewall.rules["lb-health-checks"]:
allow:
- ports: []
protocol: tcp
deny: []
direction: INGRESS
disabled: null
log_config:
- metadata: INCLUDE_ALL_METADATA
name: fwr-my-prod-network-all-i-lb-health-checks
network: my-prod-network
priority: 1001
project: my-prod-project
source_ranges:
- 130.211.0.0/22
- 35.191.0.0/16
source_service_accounts: null
source_tags: null
target_service_accounts: null
target_tags: null
timeouts: null
module.prod-firewall.google_compute_firewall.rules["web-app-prod-egress"]:
allow:
- ports:
- '443'
protocol: tcp
deny: []
destination_ranges:
- 192.168.10.0/24
direction: EGRESS
disabled: null
log_config:
- metadata: INCLUDE_ALL_METADATA
name: fwr-my-prod-network-sac-e-web-app-prod-egress
network: my-prod-network
priority: 1000
project: my-prod-project
source_ranges: null
source_service_accounts: null
source_tags: null
target_service_accounts:
- myapp@myproject-prod.iam.gserviceaccount.com
target_tags: null
timeouts: null
module.prod-firewall.google_compute_firewall.rules["web-app-prod-ingress"]:
allow:
- ports:
- '1234'
protocol: tcp
deny: []
direction: INGRESS
disabled: null
log_config:
- metadata: INCLUDE_ALL_METADATA
name: fwr-my-prod-network-sac-i-web-app-prod-ingress
network: my-prod-network
priority: 1000
project: my-prod-project
source_ranges: null
source_service_accounts:
- frontend-sa@myproject-prod.iam.gserviceaccount.com
source_tags: null
target_service_accounts:
- web-app-a@myproject-prod.iam.gserviceaccount.com
target_tags: null
timeouts: null
counts:
google_compute_firewall: 8


@ -1,25 +0,0 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
module "firewall" {
source = "../../../../../blueprints/factories/net-vpc-firewall-yaml"
project_id = "my-project"
network = "my-network"
config_directories = [
"./rules"
]
log_config = var.log_config
}


@ -1,34 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# allow ingress from GCLB to all instances in the network
lb-health-checks:
allow:
- ports: []
protocol: tcp
direction: INGRESS
priority: 1001
source_ranges:
- 35.191.0.0/16
- 130.211.0.0/22
# deny all egress
deny-all:
deny:
- ports: []
protocol: all
direction: EGRESS
priority: 65535
destination_ranges:
- 0.0.0.0/0


@ -1,23 +0,0 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "log_config" {
description = "Log configuration. Possible values for `metadata` are `EXCLUDE_ALL_METADATA` and `INCLUDE_ALL_METADATA`. Set to `null` for disabling firewall logging."
type = object({
metadata = string
})
default = null
}


@ -1,42 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
def test_firewall_simple(plan_runner):
"Test firewall rules from rules/common.yaml with no extra options."
_, resources = plan_runner()
assert len(resources) == 4
assert set(r['type'] for r in resources) == set([
'google_compute_firewall', 'time_static'
])
firewall_values = [r['values'] for r in resources if r['type']
== 'google_compute_firewall']
assert set([f['project'] for f in firewall_values]) == set(['my-project'])
assert set([f['network'] for f in firewall_values]) == set(['my-network'])
def test_firewall_log_config(plan_runner):
"Test firewall rules log configuration."
log_config = """ {
metadata = "INCLUDE_ALL_METADATA"
}
"""
log_config_value = [{"metadata": "INCLUDE_ALL_METADATA"}]
_, resources = plan_runner(log_config=log_config)
assert len(resources) == 4
assert set(r['type'] for r in resources) == set([
'google_compute_firewall', 'time_static'
])
firewall_values = [r['values'] for r in resources if r['type']
== 'google_compute_firewall']
assert all(f['log_config'] == log_config_value for f in firewall_values)


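--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,13 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.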


@ -1,25 +0,0 @@
# skip boilerplate check
billing_account_id: 012345-67890A-BCDEF0
# [opt] Setup for billing alerts
billing_alert:
amount: 1000
thresholds:
current: [0.5, 0.8]
forecasted: [0.5, 0.8]
credit_treatment: INCLUDE_ALL_CREDITS
# [opt] Contacts for billing alerts and important notifications
essential_contacts: ["team-contacts@example.com"]
# [opt] Labels set for all projects
labels:
environment: prod
department: accounting
application: example-app
foo: bar
# [opt] Additional notification channels for billing
notification_channels: []
prefix: test


@ -1,52 +0,0 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
locals {
_defaults = yamldecode(file(var.defaults_file))
_defaults_net = {
billing_account_id = var.billing_account_id
environment_dns_zone = var.environment_dns_zone
shared_vpc_self_link = var.shared_vpc_self_link
vpc_host_project = var.vpc_host_project
}
defaults = merge(local._defaults, local._defaults_net)
projects = {
for f in fileset("${var.data_dir}", "**/*.yaml") :
trimsuffix(f, ".yaml") => yamldecode(file("${var.data_dir}/${f}"))
}
}
module "projects" {
source = "../../../../../blueprints/factories/project-factory"
for_each = local.projects
defaults = local.defaults
project_id = each.key
billing_account_id = try(each.value.billing_account_id, null)
billing_alert = try(each.value.billing_alert, null)
dns_zones = try(each.value.dns_zones, [])
essential_contacts = try(each.value.essential_contacts, [])
folder_id = each.value.folder_id
group_iam = try(each.value.group_iam, {})
iam = try(each.value.iam, {})
kms_service_agents = try(each.value.kms, {})
labels = try(each.value.labels, {})
org_policies = try(each.value.org_policies, null)
prefix = each.value.prefix
service_accounts = try(each.value.service_accounts, {})
services = try(each.value.services, [])
service_identities_iam = try(each.value.service_identities_iam, {})
vpc = try(each.value.vpc, null)
}


@ -1,103 +0,0 @@
# skip boilerplate check
# [opt] Billing account id - overrides default if set
billing_account_id: 012345-67890A-BCDEF0
# [opt] Billing alerts config - overrides default if set
billing_alert:
amount: 10
thresholds:
current:
- 0.5
- 0.8
forecasted: []
credit_treatment: INCLUDE_ALL_CREDITS
# [opt] DNS zones to be created as children of the environment_dns_zone defined in defaults
dns_zones:
- lorem
- ipsum
# [opt] Contacts for billing alerts and important notifications
essential_contacts:
- team-a-contacts@example.com
# Folder the project will be created as children of
folder_id: folders/012345678901
# [opt] Authoritative IAM bindings in group => [roles] format
group_iam:
test-team-foobar@fast-lab-0.gcp-pso-italy.net:
- roles/compute.admin
# [opt] Authoritative IAM bindings in role => [principals] format
# Generally used to grant roles to service accounts external to the project
iam:
roles/compute.admin:
- serviceAccount:service-account
# [opt] Service robots and keys they will be assigned as cryptoKeyEncrypterDecrypter
# in service => [keys] format
kms_service_agents:
compute: [key1, key2]
storage: [key1, key2]
# [opt] Labels for the project - merged with the ones defined in defaults
labels:
environment: prod
# [opt] Org policy overrides defined at project level
org_policies:
compute.disableGuestAttributesAccess:
rules:
- enforce: true
compute.trustedImageProjects:
rules:
- allow:
values:
- projects/fast-prod-iac-core-0
# [opt] Prefix - overrides default if set
prefix: test1
# [opt] Service account to create for the project and their roles on the project
# in name => [roles] format
service_accounts:
another-service-account:
- roles/compute.admin
my-service-account:
- roles/compute.admin
# [opt] APIs to enable on the project.
services:
- storage.googleapis.com
- stackdriver.googleapis.com
- compute.googleapis.com
# [opt] Roles to assign to the service identities in service => [roles] format
service_identities_iam:
compute:
- roles/storage.objectViewer
# [opt] VPC setup.
# If set enables the `compute.googleapis.com` service and configures
# service project attachment
vpc:
# [opt] If set, enables the container API
gke_setup:
# Grants "roles/container.hostServiceAgentUser" to the container robot if set
enable_host_service_agent: false
# Grants "roles/compute.securityAdmin" to the container robot if set
enable_security_admin: true
# Host project the project will be service project of
host_project: fast-prod-net-spoke-0
# [opt] Subnets in the host project where principals will be granted networkUser
# in region/subnet-name => [principals]
subnets_iam:
europe-west1/prod-default-ew1:
- user:foobar@example.com
- serviceAccount:service-account1@example.com
- my-service-account


@ -1,64 +0,0 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "billing_account_id" {
description = "Billing account id."
type = string
default = "012345-67890A-BCDEF0"
}
variable "data_dir" {
description = "Relative path for the folder storing configuration data."
type = string
default = "./projects/"
}
variable "environment_dns_zone" {
description = "DNS zone suffix for environment."
type = string
default = "prod.gcp.example.com"
}
variable "defaults_file" {
description = "Relative path for the file storing the project factory configuration."
type = string
default = "./defaults.yaml"
}
variable "service_accounts" {
description = "Service accounts to be created, and roles assigned them on the project."
type = map(list(string))
default = {}
}
variable "service_accounts_iam" {
description = "IAM bindings on service account resources. Format is KEY => {ROLE => [MEMBERS]}"
type = map(map(list(string)))
default = {}
nullable = false
}
variable "shared_vpc_self_link" {
description = "Self link for the shared VPC."
type = string
default = "self-link"
}
variable "vpc_host_project" {
description = "Host project for the shared VPC."
type = string
default = "host-project"
}


@ -1,36 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
def test_plan(e2e_plan_runner):
"Check for a clean plan"
modules, resources = e2e_plan_runner()
assert len(modules) > 0 and len(resources) > 0
def test_plan_service_accounts(e2e_plan_runner):
"Check for a clean plan"
service_accounts = '''{
sa-001 = []
sa-002 = ["roles/owner"]
}'''
service_accounts_iam = '''{
sa-002 = {
"roles/iam.serviceAccountTokenCreator" = ["group:team-1@example.com"]
}
}'''
modules, resources = e2e_plan_runner(
service_accounts=service_accounts,
service_accounts_iam=service_accounts_iam)
assert len(modules) > 0 and len(resources) > 0


@ -18,7 +18,7 @@ from pathlib import Path
BASE_PATH = Path(__file__).parent
COUNT_TEST_RE = re.compile(r'# tftest +modules=(\d+) +resources=(\d+)' +
r'(?: +files=([\w,_-]+))?' +
r'(?: +files=([\w@,_-]+))?' +
r'(?: +inventory=([\w\-.]+))?')
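Review bot: The widened `files=` character class on the changed line still lists `_` explicitly even though `\w` already matches it, so `r'(?: +files=([\w@,-]+))?' +` expresses the same set more plainly. Because `COUNT_TEST_RE` has no end anchor, a fixture name containing a character outside the class (for example `.` or `/`) would be captured truncated at that character rather than rejected, and the remainder would be silently dropped, depending on how the caller consumes the match; that was already the case before this change but is worth confirming now that the set is being extended. The accepted directive syntax is not documented anywhere in the hunk; a comment above the constant such as `# tftest directive: modules=N resources=N [files=name[,name...]] [inventory=name]` would tell readers which characters a `files=` entry may contain and why `@` is now allowed. The pattern is applied only to the `# tftest` comment in repository test fixtures, so the wider class has no impact on untrusted-input handling.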


@ -0,0 +1,235 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This is one of the few modules where it actually makes sense to be
# very verbose with values
values:
module.projects["project"].google_compute_subnetwork_iam_member.default["dev-default-ew1:serviceAccount:my-service-account"]:
condition: []
member: serviceAccount:my-service-account
project: fast-dev-net-spoke-0
region: europe-west1
role: roles/compute.networkUser
subnetwork: projects/fast-dev-net-spoke-0/regions/europe-west1/subnetworks/dev-default-ew1
module.projects["project"].google_compute_subnetwork_iam_member.default["dev-default-ew1:user:foobar@example.com"]:
condition: []
member: user:foobar@example.com
project: fast-dev-net-spoke-0
region: europe-west1
role: roles/compute.networkUser
subnetwork: projects/fast-dev-net-spoke-0/regions/europe-west1/subnetworks/dev-default-ew1
module.projects["project"].module.billing-alert["1"].google_billing_budget.budget:
all_updates_rule:
- disable_default_iam_recipients: false
pubsub_topic: null
schema_version: '1.0'
amount:
- last_period_amount: null
specified_amount:
- nanos: null
units: '10'
billing_account: 012345-67890A-BCDEF0
budget_filter:
- calendar_period: null
credit_types_treatment: INCLUDE_ALL_CREDITS
custom_period: []
display_name: test1-project budget
threshold_rules:
- spend_basis: CURRENT_SPEND
threshold_percent: 0.5
- spend_basis: CURRENT_SPEND
threshold_percent: 0.8
module.projects["project"].module.billing-alert["1"].google_monitoring_notification_channel.email_channels["team-a-contacts@example.com"]:
display_name: test1-project budget budget email notification (team-a-contacts@example.com)
labels:
email_address: team-a-contacts@example.com
project: test1-project
sensitive_labels: []
type: email
module.projects["project"].module.billing-alert["1"].google_monitoring_notification_channel.email_channels["team-contacts@example.com"]:
display_name: test1-project budget budget email notification (team-contacts@example.com)
labels:
email_address: team-contacts@example.com
project: test1-project
sensitive_labels: []
type: email
module.projects["project"].module.dns["ipsum"].google_dns_managed_zone.non-public[0]:
dns_name: ipsum.dev.example.org
name: ipsum
private_visibility_config:
- gke_clusters: []
networks:
- network_url: projects/foo/networks/bar
project: fast-dev-net-spoke-0
visibility: private
module.projects["project"].module.dns["lorem"].google_dns_managed_zone.non-public[0]:
dns_name: lorem.dev.example.org
name: lorem
private_visibility_config:
- gke_clusters: []
networks:
- network_url: projects/foo/networks/bar
project: fast-dev-net-spoke-0
module.projects["project"].module.project.google_compute_shared_vpc_service_project.shared_vpc_service[0]:
host_project: fast-dev-net-spoke-0
service_project: test1-project
module.projects["project"].module.project.google_essential_contacts_contact.contact["team-a-contacts@example.com"]:
email: team-a-contacts@example.com
language_tag: en
notification_category_subscriptions:
- ALL
parent: projects/test1-project
module.projects["project"].module.project.google_essential_contacts_contact.contact["team-contacts@example.com"]:
email: team-contacts@example.com
language_tag: en
notification_category_subscriptions:
- ALL
parent: projects/test1-project
module.projects["project"].module.project.google_org_policy_policy.default["constraints/compute.disableGuestAttributesAccess"]:
name: projects/test1-project/policies/constraints/compute.disableGuestAttributesAccess
parent: projects/test1-project
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
values: []
module.projects["project"].module.project.google_org_policy_policy.default["constraints/compute.trustedImageProjects"]:
name: projects/test1-project/policies/constraints/compute.trustedImageProjects
parent: projects/test1-project
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: null
values:
- allowed_values:
- projects/fast-dev-iac-core-0
denied_values: null
module.projects["project"].module.project.google_org_policy_policy.default["constraints/compute.vmExternalIpAccess"]:
name: projects/test1-project/policies/constraints/compute.vmExternalIpAccess
parent: projects/test1-project
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: 'TRUE'
enforce: null
values: []
module.projects["project"].module.project.google_project.project[0]:
auto_create_network: false
billing_account: 012345-67890A-BCDEF0
folder_id: 012345678901
labels:
application: example-app
costcenter: apps
department: accounting
environment: dev
foo: bar
name: test1-project
org_id: null
project_id: test1-project
skip_delete: false
module.projects["project"].module.project.google_project_iam_binding.authoritative["roles/compute.admin"]:
condition: []
project: test1-project
role: roles/compute.admin
module.projects["project"].module.project.google_project_iam_binding.authoritative["roles/compute.adminv1"]:
condition: []
project: test1-project
role: roles/compute.adminv1
module.projects["project"].module.project.google_project_iam_binding.authoritative["roles/storage.objectViewer"]:
condition: []
project: test1-project
role: roles/storage.objectViewer
module.projects["project"].module.project.google_project_iam_member.shared_vpc_host_robots["roles/compute.networkUser:cloudservices"]:
condition: []
project: fast-dev-net-spoke-0
role: roles/compute.networkUser
module.projects["project"].module.project.google_project_iam_member.shared_vpc_host_robots["roles/compute.securityAdmin:container-engine"]:
condition: []
project: fast-dev-net-spoke-0
role: roles/compute.securityAdmin
module.projects["project"].module.project.google_project_service.project_services["billingbudgets.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test1-project
service: billingbudgets.googleapis.com
module.projects["project"].module.project.google_project_service.project_services["compute.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test1-project
service: compute.googleapis.com
module.projects["project"].module.project.google_project_service.project_services["container.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test1-project
service: container.googleapis.com
module.projects["project"].module.project.google_project_service.project_services["dns.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test1-project
service: dns.googleapis.com
module.projects["project"].module.project.google_project_service.project_services["essentialcontacts.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test1-project
service: essentialcontacts.googleapis.com
module.projects["project"].module.project.google_project_service.project_services["orgpolicy.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test1-project
service: orgpolicy.googleapis.com
module.projects["project"].module.project.google_project_service.project_services["stackdriver.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test1-project
service: stackdriver.googleapis.com
module.projects["project"].module.project.google_project_service.project_services["storage.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test1-project
service: storage.googleapis.com
module.projects["project"].module.service-accounts["another-service-account"].google_service_account.service_account[0]:
account_id: another-service-account
display_name: Terraform-managed.
project: test1-project
module.projects["project"].module.service-accounts["my-service-account"].google_service_account.service_account[0]:
account_id: my-service-account
display_name: Terraform-managed.
project: test1-project
counts:
google_billing_budget: 1
google_compute_shared_vpc_service_project: 1
google_compute_subnetwork_iam_member: 2
google_dns_managed_zone: 2
google_essential_contacts_contact: 2
google_monitoring_notification_channel: 2
google_org_policy_policy: 3
google_project: 1
google_project_iam_binding: 3
google_project_iam_member: 2
google_project_service: 8
google_service_account: 2
google_storage_project_service_account: 1