Update factories and apigee tests
parent
b186365cab
commit
edce6edd28
@ -76,3 +76,35 @@ Do the following to verify that everything works as expected.
|
|||
| [ip_address](outputs.tf#L17) | IP address. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
## Test
|
||||
|
||||
```hcl
|
||||
module "test" {
|
||||
source = "./fabric/blueprints/apigee/bigquery-analytics"
|
||||
project_create = {
|
||||
billing_account_id = "12345-12345-12345"
|
||||
parent = "folders/123456789"
|
||||
}
|
||||
project_id = "my-project"
|
||||
envgroups = {
|
||||
test = ["test.cool-demos.space"]
|
||||
}
|
||||
environments = {
|
||||
apis-test = {
|
||||
envgroups = ["test"]
|
||||
}
|
||||
}
|
||||
instances = {
|
||||
instance-ew1 = {
|
||||
region = "europe-west1"
|
||||
environments = ["apis-test"]
|
||||
runtime_ip_cidr_range = "10.0.4.0/22"
|
||||
troubleshooting_ip_cidr_range = "10.1.0.0/28"
|
||||
}
|
||||
}
|
||||
psc_config = {
|
||||
europe-west1 = "10.0.0.0/28"
|
||||
}
|
||||
}
|
||||
# tftest modules=10 resources=62
|
||||
```
|
||||
|
|
|
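Review bot: The new Test block pins only `# tftest modules=10 resources=62`, so a change to a resource's arguments that leaves the count untouched would still pass; the factory tests added in this same commit pin values with `inventory=example.yaml`, and the same approach would suit this blueprint as well as the hybrid-gke and network-patterns Test blocks below. The envgroup hostname `test.cool-demos.space` also reads like a registrable domain rather than sample data, while the other two apigee examples use `test.myorg.org`; `test = ["test.example.com"]` would keep the three consistent and avoid pointing readers at a real name.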
@ -25,11 +25,11 @@ The diagram below depicts the architecture.
|
|||
terraform apply
|
||||
```
|
||||
|
||||
Create an A record in your DNS registrar to point the environment group hostname to the public IP address returned after the terraform configuration was applied. You might need to wait some time until the certificate is provisioned.
|
||||
|
||||
Create an A record in your DNS registrar to point the environment group hostname to the public IP address returned after the terraform configuration was applied. You might need to wait some time until the certificate is provisioned.
|
||||
|
||||
5. Install Apigee hybrid using de ansible playbook that is in the ansible folder by running this command
|
||||
|
||||
ansible-playbook playbook.yaml -vvvß
|
||||
ansible-playbook playbook.yaml -vvv
|
||||
|
||||
## Testing the blueprint
|
||||
|
||||
|
@ -67,3 +67,18 @@ The diagram below depicts the architecture.
|
|||
| [ip_address](outputs.tf#L17) | GLB IP address. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
## Test
|
||||
|
||||
```hcl
|
||||
module "test" {
|
||||
source = "./fabric/blueprints/apigee/hybrid-gke"
|
||||
project_create = {
|
||||
billing_account_id = "12345-12345-12345"
|
||||
parent = "folders/123456789"
|
||||
}
|
||||
project_id = "my-project"
|
||||
hostname = "test.myorg.org"
|
||||
}
|
||||
# tftest modules=18 resources=59
|
||||
```
|
||||
|
|
|
@ -67,3 +67,17 @@ Do the following to verify that everything works as expected.
|
|||
| [ip_address](outputs.tf#L17) | GLB IP address. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
## Test
|
||||
|
||||
```hcl
|
||||
module "test" {
|
||||
source = "./fabric/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg"
|
||||
billing_account_id = "12345-12345-12345"
|
||||
parent = "folders/123456789"
|
||||
apigee_project_id = "my-apigee-project"
|
||||
onprem_project_id = "my-onprem-project"
|
||||
hostname = "test.myorg.org"
|
||||
}
|
||||
# tftest modules=14 resources=73
|
||||
```
|
||||
|
|
|
@ -74,6 +74,7 @@ This blueprint can be used as a building block for setting up an end2end ML Ops
|
|||
| [project_id](outputs.tf#L49) | Project ID. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
## TODO
|
||||
- Add support for User Managed Notebooks, SA permission option and non default SA for Single User mode.
|
||||
- Improve default naming for local VPC and Cloud NAT
|
||||
|
|
|
@ -71,6 +71,7 @@ module "bq" {
|
|||
| [views_path](variables.tf#L27) | Relative path for the folder storing view data. | <code>string</code> | ✓ | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
||||
## TODO
|
||||
|
||||
- [ ] add external table support
|
||||
|
|
|
@ -9,13 +9,22 @@ Yaml abstraction for Groups can simplify groups creation and members management.
|
|||
### Terraform code
|
||||
|
||||
```hcl
|
||||
module "prod-firewall" {
|
||||
source = "./fabric/blueprints/factories/cloud-identity-group-factory"
|
||||
|
||||
module "groups" {
|
||||
source = "./fabric/blueprints/factories/cloud-identity-group-factory"
|
||||
customer_id = "customers/C0xxxxxxx"
|
||||
data_dir = "data"
|
||||
}
|
||||
# tftest skip
|
||||
# tftest modules=2 resources=3 files=group1 inventory=example.yaml
|
||||
```
|
||||
|
||||
```yaml
|
||||
# tftest-file id=group1 path=data/group1@example.com.yaml
|
||||
display_name: Group 1
|
||||
description: Group 1
|
||||
members:
|
||||
- user1@example.com
|
||||
managers:
|
||||
- user2@example.com
|
||||
```
|
||||
|
||||
### Configuration Structure
|
||||
|
|
|
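Review bot: The example lists `user2@example.com` only under `managers:`, and the inventory added in this commit shows that entry becomes a membership carrying both `MANAGER` and `MEMBER` roles; a one-line note under the yaml block, e.g. `Principals listed under managers are also granted the MEMBER role`, would save readers from adding the same principal under both keys. Replacing `# tftest skip` with a real directive means this example is now planned for the first time, so a brief comment that `customers/C0xxxxxxx` is a placeholder to be replaced with the organisation's Cloud Identity customer ID would help, since the plan will not catch an invalid value.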
@ -17,8 +17,8 @@ module "prod-firewall" {
|
|||
project_id = "my-prod-project"
|
||||
network = "my-prod-network"
|
||||
config_directories = [
|
||||
"./prod",
|
||||
"./common"
|
||||
"./firewall/prod",
|
||||
"./firewall/common"
|
||||
]
|
||||
|
||||
log_config = {
|
||||
|
@ -32,13 +32,86 @@ module "dev-firewall" {
|
|||
project_id = "my-dev-project"
|
||||
network = "my-dev-network"
|
||||
config_directories = [
|
||||
"./dev",
|
||||
"./common"
|
||||
"./firewall/dev",
|
||||
"./firewall/common"
|
||||
]
|
||||
}
|
||||
# tftest skip
|
||||
# tftest modules=2 resources=16 files=common,dev,prod inventory=example.yaml
|
||||
```
|
||||
|
||||
```yaml
|
||||
# tftest-file id=common path=firewall/common/common.yaml
|
||||
# allow ingress from GCLB to all instances in the network
|
||||
lb-health-checks:
|
||||
allow:
|
||||
- ports: []
|
||||
protocol: tcp
|
||||
direction: INGRESS
|
||||
priority: 1001
|
||||
source_ranges:
|
||||
- 35.191.0.0/16
|
||||
- 130.211.0.0/22
|
||||
|
||||
# deny all egress
|
||||
deny-all:
|
||||
deny:
|
||||
- ports: []
|
||||
protocol: all
|
||||
direction: EGRESS
|
||||
priority: 65535
|
||||
destination_ranges:
|
||||
- 0.0.0.0/0
|
||||
```
|
||||
|
||||
```yaml
|
||||
# tftest-file id=dev path=firewall/dev/app.yaml
|
||||
# Myapp egress
|
||||
web-app-dev-egress:
|
||||
allow:
|
||||
- ports: [443]
|
||||
protocol: tcp
|
||||
direction: EGRESS
|
||||
destination_ranges:
|
||||
- 192.168.0.0/24
|
||||
target_service_accounts:
|
||||
- myapp@myproject-dev.iam.gserviceaccount.com
|
||||
# Myapp ingress
|
||||
web-app-dev-ingress:
|
||||
allow:
|
||||
- ports: [1234]
|
||||
protocol: tcp
|
||||
direction: INGRESS
|
||||
source_service_accounts:
|
||||
- frontend-sa@myproject-dev.iam.gserviceaccount.com
|
||||
target_service_accounts:
|
||||
- web-app-a@myproject-dev.iam.gserviceaccount.com
|
||||
```
|
||||
|
||||
```yaml
|
||||
# tftest-file id=prod path=firewall/prod/app.yaml
|
||||
# Myapp egress
|
||||
web-app-prod-egress:
|
||||
allow:
|
||||
- ports: [443]
|
||||
protocol: tcp
|
||||
direction: EGRESS
|
||||
destination_ranges:
|
||||
- 192.168.10.0/24
|
||||
target_service_accounts:
|
||||
- myapp@myproject-prod.iam.gserviceaccount.com
|
||||
# Myapp ingress
|
||||
web-app-prod-ingress:
|
||||
allow:
|
||||
- ports: [1234]
|
||||
protocol: tcp
|
||||
direction: INGRESS
|
||||
source_service_accounts:
|
||||
- frontend-sa@myproject-prod.iam.gserviceaccount.com
|
||||
target_service_accounts:
|
||||
- web-app-a@myproject-prod.iam.gserviceaccount.com
|
||||
```
|
||||
|
||||
|
||||
### Configuration Structure
|
||||
|
||||
```bash
|
||||
|
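Review bot: The `lb-health-checks` rule in the new `common.yaml` (`ports: []`, `protocol: tcp`, `direction: INGRESS`) carries no `target_service_accounts` or `target_tags`, so it admits every TCP port from the health-check ranges to every instance in the network, which is wider than a load-balancer health check needs; as this is the example users copy, scoping it with a target or listing the health-check port would be a safer default, or at minimum a comment such as `# narrow to the backend SAs/tags and health-check port before reusing` above the rule. Separately, the dev example sets no `log_config` while the prod module does, so the dev rules are created with logging off (the inventory added below records `log_config: []` for them); if the asymmetry is meant to demonstrate the option, a short comment saying so would make that intent explicit. The `module "dev-firewall"` block starts before this hunk and the prod module's `log_config` sits in the previous one.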
@ -86,54 +159,6 @@ rule-name: # descriptive name, naming convention is adjusted by the module
|
|||
- myapp@myproject-id.iam.gserviceaccount.com
|
||||
```
|
||||
|
||||
|
||||
Firewall rules example yaml configuration
|
||||
|
||||
```bash
|
||||
cat ./prod/core-network/common-rules.yaml
|
||||
# allow ingress from GCLB to all instances in the network
|
||||
lb-health-checks:
|
||||
allow:
|
||||
- ports: []
|
||||
protocol: tcp
|
||||
direction: INGRESS
|
||||
priority: 1001
|
||||
source_ranges:
|
||||
- 35.191.0.0/16
|
||||
- 130.211.0.0/22
|
||||
|
||||
# deny all egress
|
||||
deny-all:
|
||||
deny:
|
||||
- ports: []
|
||||
protocol: all
|
||||
direction: EGRESS
|
||||
priority: 65535
|
||||
destination_ranges:
|
||||
- 0.0.0.0/0
|
||||
|
||||
cat ./dev/team-a/web-app-a.yaml
|
||||
# Myapp egress
|
||||
web-app-a-egress:
|
||||
allow:
|
||||
- ports: [443]
|
||||
protocol: tcp
|
||||
direction: EGRESS
|
||||
destination_ranges:
|
||||
- 192.168.0.0/24
|
||||
target_service_accounts:
|
||||
- myapp@myproject-id.iam.gserviceaccount.com
|
||||
# Myapp ingress
|
||||
web-app-a-ingress:
|
||||
allow:
|
||||
- ports: [1234]
|
||||
protocol: tcp
|
||||
direction: INGRESS
|
||||
source_service_accounts:
|
||||
- frontend-sa@myproject-id.iam.gserviceaccount.com
|
||||
target_service_accounts:
|
||||
- web-app-a@myproject-id.iam.gserviceaccount.com
|
||||
```
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
|
|
@ -76,7 +76,7 @@ module "projects" {
|
|||
service_identities_iam = try(each.value.service_identities_iam, {})
|
||||
vpc = try(each.value.vpc, null)
|
||||
}
|
||||
# tftest modules=7 resources=29
|
||||
# tftest modules=7 resources=30 inventory=example.yaml
|
||||
```
|
||||
|
||||
### Projects configuration
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
* Copyright 2023 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
|
|
|
@ -44,7 +44,8 @@ kms_service_agents:
|
|||
|
||||
# [opt] Labels for the project - merged with the ones defined in defaults
|
||||
labels:
|
||||
environment: dev
|
||||
environment: dev2
|
||||
costcenter: apps
|
||||
|
||||
# [opt] Org policy overrides defined at project level
|
||||
org_policies:
|
||||
|
@ -70,7 +71,7 @@ service_accounts:
|
|||
another-service-account:
|
||||
- roles/compute.admin
|
||||
my-service-account:
|
||||
- roles/compute.admin
|
||||
- roles/compute.adminv1
|
||||
|
||||
# [opt] APIs to enable on the project.
|
||||
services:
|
||||
|
@ -103,4 +104,4 @@ vpc:
|
|||
subnets_iam:
|
||||
europe-west1/dev-default-ew1:
|
||||
- user:foobar@example.com
|
||||
- serviceAccount:service-account1
|
||||
- serviceAccount:my-service-account
|
||||
|
|
|
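Review bot: `roles/compute.adminv1` does not look like a predefined Compute Engine role; a plan-only test does not validate role names, but this file doubles as sample data users copy, so if the intent was only to give the two service accounts different roles, an existing role such as `roles/compute.viewer` would be a safer example. The `labels.environment` change from `dev` to `dev2` reads as a test-data tweak; if the inventory depends on it, a comment above `labels:` stating why would save the next reader a hunt. The project-factory README hunk above moves the expected count from 29 to 30 resources without touching the example itself, so the extra resource presumably comes from one of these data changes; that is inferred, and worth a sentence in the commit message.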
@ -1,13 +0,0 @@
|
|||
# Copyright 2022 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
|
@ -1,24 +0,0 @@
|
|||
project_create = {
|
||||
billing_account_id = "12345-12345-12345"
|
||||
parent = "folders/123456789"
|
||||
}
|
||||
project_id = "my-project"
|
||||
envgroups = {
|
||||
test = ["test.cool-demos.space"]
|
||||
}
|
||||
environments = {
|
||||
apis-test = {
|
||||
envgroups = ["test"]
|
||||
}
|
||||
}
|
||||
instances = {
|
||||
instance-ew1 = {
|
||||
region = "europe-west1"
|
||||
environments = ["apis-test"]
|
||||
runtime_ip_cidr_range = "10.0.4.0/22"
|
||||
troubleshooting_ip_cidr_range = "10.1.0.0/28"
|
||||
}
|
||||
}
|
||||
psc_config = {
|
||||
europe-west1 = "10.0.0.0/28"
|
||||
}
|
|
@ -1,17 +0,0 @@
|
|||
# Copyright 2022 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
counts:
|
||||
modules: 9
|
||||
resources: 62
|
|
@ -1,18 +0,0 @@
|
|||
# Copyright 2022 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
module: blueprints/apigee/bigquery-analytics
|
||||
|
||||
tests:
|
||||
basic:
|
|
@ -1,13 +0,0 @@
|
|||
# Copyright 2022 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
|
@ -1,6 +0,0 @@
|
|||
project_create = {
|
||||
billing_account_id = "12345-12345-12345"
|
||||
parent = "folders/123456789"
|
||||
}
|
||||
project_id = "my-project"
|
||||
hostname = "test.myorg.org"
|
|
@ -1,17 +0,0 @@
|
|||
# Copyright 2022 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
counts:
|
||||
modules: 17
|
||||
resources: 59
|
|
@ -1,18 +0,0 @@
|
|||
# Copyright 2022 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
module: blueprints/apigee/hybrid-gke
|
||||
|
||||
tests:
|
||||
basic:
|
|
@ -1,13 +0,0 @@
|
|||
# Copyright 2022 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
|
@ -1,5 +0,0 @@
|
|||
billing_account_id = "12345-12345-12345"
|
||||
parent = "folders/123456789"
|
||||
apigee_project_id = "my-apigee-project"
|
||||
onprem_project_id = "my-onprem-project"
|
||||
hostname = "test.myorg.org"
|
|
@ -1,17 +0,0 @@
|
|||
# Copyright 2022 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
counts:
|
||||
modules: 13
|
||||
resources: 73
|
|
@ -1,18 +0,0 @@
|
|||
# Copyright 2022 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
module: blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg
|
||||
|
||||
tests:
|
||||
basic:
|
|
@ -1,13 +0,0 @@
|
|||
# Copyright 2022 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
|
@ -0,0 +1,42 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.groups.module.group["group1@example.com"].google_cloud_identity_group.group:
|
||||
description: Group 1
|
||||
display_name: Group 1
|
||||
group_key:
|
||||
- id: group1@example.com
|
||||
namespace: null
|
||||
initial_group_config: EMPTY
|
||||
labels:
|
||||
cloudidentity.googleapis.com/groups.discussion_forum: ''
|
||||
parent: customers/C0xxxxxxx
|
||||
module.groups.module.group["group1@example.com"].google_cloud_identity_group_membership.managers["user2@example.com"]:
|
||||
preferred_member_key:
|
||||
- id: user2@example.com
|
||||
namespace: null
|
||||
roles:
|
||||
- name: MANAGER
|
||||
- name: MEMBER
|
||||
module.groups.module.group["group1@example.com"].google_cloud_identity_group_membership.members["user1@example.com"]:
|
||||
preferred_member_key:
|
||||
- id: user1@example.com
|
||||
namespace: null
|
||||
roles:
|
||||
- name: MEMBER
|
||||
|
||||
counts:
|
||||
google_cloud_identity_group: 1
|
||||
google_cloud_identity_group_membership: 2
|
|
@ -1,8 +0,0 @@
|
|||
# skip boilerplate check
|
||||
|
||||
display_name: Group 1
|
||||
description: Group 1
|
||||
members:
|
||||
- user1@example.com
|
||||
managers:
|
||||
- user2@example.com
|
|
@ -1,21 +0,0 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
module "test" {
|
||||
source = "../../../../../blueprints/factories/cloud-identity-group-factory/"
|
||||
customer_id = "customers/C01234567"
|
||||
data_dir = "data"
|
||||
}
|
|
@ -1,19 +0,0 @@
|
|||
# Copyright 2022 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
def test_resources(e2e_plan_runner):
|
||||
"Test that plan works and the numbers of resources is as expected."
|
||||
modules, resources = e2e_plan_runner()
|
||||
assert len(modules) == 1
|
||||
assert len(resources) == 3
|
|
@ -1,13 +0,0 @@
|
|||
# Copyright 2022 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
|
@ -0,0 +1,188 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.dev-firewall.google_compute_firewall.rules["deny-all"]:
|
||||
allow: []
|
||||
deny:
|
||||
- ports: []
|
||||
protocol: all
|
||||
destination_ranges:
|
||||
- 0.0.0.0/0
|
||||
direction: EGRESS
|
||||
disabled: null
|
||||
log_config: []
|
||||
name: fwr-my-dev-network-all-e-deny-all
|
||||
network: my-dev-network
|
||||
priority: 65535
|
||||
project: my-dev-project
|
||||
source_ranges: null
|
||||
source_service_accounts: null
|
||||
source_tags: null
|
||||
target_service_accounts: null
|
||||
target_tags: null
|
||||
timeouts: null
|
||||
module.dev-firewall.google_compute_firewall.rules["lb-health-checks"]:
|
||||
allow:
|
||||
- ports: []
|
||||
protocol: tcp
|
||||
deny: []
|
||||
direction: INGRESS
|
||||
disabled: null
|
||||
log_config: []
|
||||
name: fwr-my-dev-network-all-i-lb-health-checks
|
||||
network: my-dev-network
|
||||
priority: 1001
|
||||
project: my-dev-project
|
||||
source_ranges:
|
||||
- 130.211.0.0/22
|
||||
- 35.191.0.0/16
|
||||
source_service_accounts: null
|
||||
source_tags: null
|
||||
target_service_accounts: null
|
||||
target_tags: null
|
||||
timeouts: null
|
||||
module.dev-firewall.google_compute_firewall.rules["web-app-dev-egress"]:
|
||||
allow:
|
||||
- ports:
|
||||
- '443'
|
||||
protocol: tcp
|
||||
deny: []
|
||||
destination_ranges:
|
||||
- 192.168.0.0/24
|
||||
direction: EGRESS
|
||||
disabled: null
|
||||
log_config: []
|
||||
name: fwr-my-dev-network-sac-e-web-app-dev-egress
|
||||
network: my-dev-network
|
||||
priority: 1000
|
||||
project: my-dev-project
|
||||
source_ranges: null
|
||||
source_service_accounts: null
|
||||
source_tags: null
|
||||
target_service_accounts:
|
||||
- myapp@myproject-dev.iam.gserviceaccount.com
|
||||
target_tags: null
|
||||
timeouts: null
|
||||
module.dev-firewall.google_compute_firewall.rules["web-app-dev-ingress"]:
|
||||
allow:
|
||||
- ports:
|
||||
- '1234'
|
||||
protocol: tcp
|
||||
deny: []
|
||||
direction: INGRESS
|
||||
disabled: null
|
||||
log_config: []
|
||||
name: fwr-my-dev-network-sac-i-web-app-dev-ingress
|
||||
network: my-dev-network
|
||||
priority: 1000
|
||||
project: my-dev-project
|
||||
source_ranges: null
|
||||
source_service_accounts:
|
||||
- frontend-sa@myproject-dev.iam.gserviceaccount.com
|
||||
source_tags: null
|
||||
target_service_accounts:
|
||||
- web-app-a@myproject-dev.iam.gserviceaccount.com
|
||||
target_tags: null
|
||||
timeouts: null
|
||||
module.prod-firewall.google_compute_firewall.rules["deny-all"]:
|
||||
allow: []
|
||||
deny:
|
||||
- ports: []
|
||||
protocol: all
|
||||
destination_ranges:
|
||||
- 0.0.0.0/0
|
||||
direction: EGRESS
|
||||
disabled: null
|
||||
log_config:
|
||||
- metadata: INCLUDE_ALL_METADATA
|
||||
name: fwr-my-prod-network-all-e-deny-all
|
||||
network: my-prod-network
|
||||
priority: 65535
|
||||
project: my-prod-project
|
||||
source_ranges: null
|
||||
source_service_accounts: null
|
||||
source_tags: null
|
||||
target_service_accounts: null
|
||||
target_tags: null
|
||||
timeouts: null
|
||||
module.prod-firewall.google_compute_firewall.rules["lb-health-checks"]:
|
||||
allow:
|
||||
- ports: []
|
||||
protocol: tcp
|
||||
deny: []
|
||||
direction: INGRESS
|
||||
disabled: null
|
||||
log_config:
|
||||
- metadata: INCLUDE_ALL_METADATA
|
||||
name: fwr-my-prod-network-all-i-lb-health-checks
|
||||
network: my-prod-network
|
||||
priority: 1001
|
||||
project: my-prod-project
|
||||
source_ranges:
|
||||
- 130.211.0.0/22
|
||||
- 35.191.0.0/16
|
||||
source_service_accounts: null
|
||||
source_tags: null
|
||||
target_service_accounts: null
|
||||
target_tags: null
|
||||
timeouts: null
|
||||
module.prod-firewall.google_compute_firewall.rules["web-app-prod-egress"]:
|
||||
allow:
|
||||
- ports:
|
||||
- '443'
|
||||
protocol: tcp
|
||||
deny: []
|
||||
destination_ranges:
|
||||
- 192.168.10.0/24
|
||||
direction: EGRESS
|
||||
disabled: null
|
||||
log_config:
|
||||
- metadata: INCLUDE_ALL_METADATA
|
||||
name: fwr-my-prod-network-sac-e-web-app-prod-egress
|
||||
network: my-prod-network
|
||||
priority: 1000
|
||||
project: my-prod-project
|
||||
source_ranges: null
|
||||
source_service_accounts: null
|
||||
source_tags: null
|
||||
target_service_accounts:
|
||||
- myapp@myproject-prod.iam.gserviceaccount.com
|
||||
target_tags: null
|
||||
timeouts: null
|
||||
module.prod-firewall.google_compute_firewall.rules["web-app-prod-ingress"]:
|
||||
allow:
|
||||
- ports:
|
||||
- '1234'
|
||||
protocol: tcp
|
||||
deny: []
|
||||
direction: INGRESS
|
||||
disabled: null
|
||||
log_config:
|
||||
- metadata: INCLUDE_ALL_METADATA
|
||||
name: fwr-my-prod-network-sac-i-web-app-prod-ingress
|
||||
network: my-prod-network
|
||||
priority: 1000
|
||||
project: my-prod-project
|
||||
source_ranges: null
|
||||
source_service_accounts:
|
||||
- frontend-sa@myproject-prod.iam.gserviceaccount.com
|
||||
source_tags: null
|
||||
target_service_accounts:
|
||||
- web-app-a@myproject-prod.iam.gserviceaccount.com
|
||||
target_tags: null
|
||||
timeouts: null
|
||||
|
||||
counts:
|
||||
google_compute_firewall: 8
|
|
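Review bot: The `counts` block pins only `google_compute_firewall: 8`, while the README directive expects `resources=16` and the removed `test_plan.py` also asserted a `time_static` resource alongside each rule; if the module still creates those, adding `time_static: 8` under `counts` keeps that check instead of dropping it silently. The prod entries pin `log_config: - metadata: INCLUDE_ALL_METADATA`, which preserves what the removed `test_firewall_log_config` verified. Whether `time_static` is still produced is inferred from the old test, not visible in this commit.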
@ -1,25 +0,0 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
module "firewall" {
|
||||
source = "../../../../../blueprints/factories/net-vpc-firewall-yaml"
|
||||
project_id = "my-project"
|
||||
network = "my-network"
|
||||
config_directories = [
|
||||
"./rules"
|
||||
]
|
||||
log_config = var.log_config
|
||||
}
|
|
@ -1,34 +0,0 @@
|
|||
# Copyright 2022 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# allow ingress from GCLB to all instances in the network
|
||||
lb-health-checks:
|
||||
allow:
|
||||
- ports: []
|
||||
protocol: tcp
|
||||
direction: INGRESS
|
||||
priority: 1001
|
||||
source_ranges:
|
||||
- 35.191.0.0/16
|
||||
- 130.211.0.0/22
|
||||
|
||||
# deny all egress
|
||||
deny-all:
|
||||
deny:
|
||||
- ports: []
|
||||
protocol: all
|
||||
direction: EGRESS
|
||||
priority: 65535
|
||||
destination_ranges:
|
||||
- 0.0.0.0/0
|
|
@ -1,23 +0,0 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
variable "log_config" {
|
||||
description = "Log configuration. Possible values for `metadata` are `EXCLUDE_ALL_METADATA` and `INCLUDE_ALL_METADATA`. Set to `null` for disabling firewall logging."
|
||||
type = object({
|
||||
metadata = string
|
||||
})
|
||||
default = null
|
||||
}
|
|
@ -1,42 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
def test_firewall_simple(plan_runner):
"Test firewall rules from rules/common.yaml with no extra options."
_, resources = plan_runner()
assert len(resources) == 4
assert set(r['type'] for r in resources) == set([
'google_compute_firewall', 'time_static'
])
firewall_values = [r['values'] for r in resources if r['type']
== 'google_compute_firewall']
assert set([f['project'] for f in firewall_values]) == set(['my-project'])
assert set([f['network'] for f in firewall_values]) == set(['my-network'])
def test_firewall_log_config(plan_runner):
"Test firewall rules log configuration."
log_config = """ {
metadata = "INCLUDE_ALL_METADATA"
}
"""
log_config_value = [{"metadata": "INCLUDE_ALL_METADATA"}]
_, resources = plan_runner(log_config=log_config)
assert len(resources) == 4
assert set(r['type'] for r in resources) == set([
'google_compute_firewall', 'time_static'
])
firewall_values = [r['values'] for r in resources if r['type']
== 'google_compute_firewall']
assert all(f['log_config'] == log_config_value for f in firewall_values)
@ -1,13 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
@ -1,25 +0,0 @@
# skip boilerplate check
billing_account_id: 012345-67890A-BCDEF0
# [opt] Setup for billing alerts
billing_alert:
amount: 1000
thresholds:
current: [0.5, 0.8]
forecasted: [0.5, 0.8]
credit_treatment: INCLUDE_ALL_CREDITS
# [opt] Contacts for billing alerts and important notifications
essential_contacts: ["team-contacts@example.com"]
# [opt] Labels set for all projects
labels:
environment: prod
department: accounting
application: example-app
foo: bar
# [opt] Additional notification channels for billing
notification_channels: []
prefix: test
@ -1,52 +0,0 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
locals {
_defaults = yamldecode(file(var.defaults_file))
_defaults_net = {
billing_account_id = var.billing_account_id
environment_dns_zone = var.environment_dns_zone
shared_vpc_self_link = var.shared_vpc_self_link
vpc_host_project = var.vpc_host_project
}
defaults = merge(local._defaults, local._defaults_net)
projects = {
for f in fileset("${var.data_dir}", "**/*.yaml") :
trimsuffix(f, ".yaml") => yamldecode(file("${var.data_dir}/${f}"))
}
}
module "projects" {
source = "../../../../../blueprints/factories/project-factory"
for_each = local.projects
defaults = local.defaults
project_id = each.key
billing_account_id = try(each.value.billing_account_id, null)
billing_alert = try(each.value.billing_alert, null)
dns_zones = try(each.value.dns_zones, [])
essential_contacts = try(each.value.essential_contacts, [])
folder_id = each.value.folder_id
group_iam = try(each.value.group_iam, {})
iam = try(each.value.iam, {})
kms_service_agents = try(each.value.kms, {})
labels = try(each.value.labels, {})
org_policies = try(each.value.org_policies, null)
prefix = each.value.prefix
service_accounts = try(each.value.service_accounts, {})
services = try(each.value.services, [])
service_identities_iam = try(each.value.service_identities_iam, {})
vpc = try(each.value.vpc, null)
}
@ -1,103 +0,0 @@
# skip boilerplate check
# [opt] Billing account id - overrides default if set
billing_account_id: 012345-67890A-BCDEF0
# [opt] Billing alerts config - overrides default if set
billing_alert:
amount: 10
thresholds:
current:
- 0.5
- 0.8
forecasted: []
credit_treatment: INCLUDE_ALL_CREDITS
# [opt] DNS zones to be created as children of the environment_dns_zone defined in defaults
dns_zones:
- lorem
- ipsum
# [opt] Contacts for billing alerts and important notifications
essential_contacts:
- team-a-contacts@example.com
# Folder the project will be created as children of
folder_id: folders/012345678901
# [opt] Authoritative IAM bindings in group => [roles] format
group_iam:
test-team-foobar@fast-lab-0.gcp-pso-italy.net:
- roles/compute.admin
# [opt] Authoritative IAM bindings in role => [principals] format
# Generally used to grant roles to service accounts external to the project
iam:
roles/compute.admin:
- serviceAccount:service-account
# [opt] Service robots and keys they will be assigned as cryptoKeyEncrypterDecrypter
# in service => [keys] format
kms_service_agents:
compute: [key1, key2]
storage: [key1, key2]
# [opt] Labels for the project - merged with the ones defined in defaults
labels:
environment: prod
# [opt] Org policy overrides defined at project level
org_policies:
compute.disableGuestAttributesAccess:
rules:
- enforce: true
compute.trustedImageProjects:
rules:
- allow:
values:
- projects/fast-prod-iac-core-0
# [opt] Prefix - overrides default if set
prefix: test1
# [opt] Service account to create for the project and their roles on the project
# in name => [roles] format
service_accounts:
another-service-account:
- roles/compute.admin
my-service-account:
- roles/compute.admin
# [opt] APIs to enable on the project.
services:
- storage.googleapis.com
- stackdriver.googleapis.com
- compute.googleapis.com
# [opt] Roles to assign to the service identities in service => [roles] format
service_identities_iam:
compute:
- roles/storage.objectViewer
# [opt] VPC setup.
# If set enables the `compute.googleapis.com` service and configures
# service project attachment
vpc:
# [opt] If set, enables the container API
gke_setup:
# Grants "roles/container.hostServiceAgentUser" to the container robot if set
enable_host_service_agent: false
# Grants "roles/compute.securityAdmin" to the container robot if set
enable_security_admin: true
# Host project the project will be service project of
host_project: fast-prod-net-spoke-0
# [opt] Subnets in the host project where principals will be granted networkUser
# in region/subnet-name => [principals]
subnets_iam:
europe-west1/prod-default-ew1:
- user:foobar@example.com
- serviceAccount:service-account1@example.com
- my-service-account
@ -1,64 +0,0 @@
/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "billing_account_id" {
description = "Billing account id."
type = string
default = "012345-67890A-BCDEF0"
}
variable "data_dir" {
description = "Relative path for the folder storing configuration data."
type = string
default = "./projects/"
}
variable "environment_dns_zone" {
description = "DNS zone suffix for environment."
type = string
default = "prod.gcp.example.com"
}
variable "defaults_file" {
description = "Relative path for the file storing the project factory configuration."
type = string
default = "./defaults.yaml"
}
variable "service_accounts" {
description = "Service accounts to be created, and roles assigned them on the project."
type = map(list(string))
default = {}
}
variable "service_accounts_iam" {
description = "IAM bindings on service account resources. Format is KEY => {ROLE => [MEMBERS]}"
type = map(map(list(string)))
default = {}
nullable = false
}
variable "shared_vpc_self_link" {
description = "Self link for the shared VPC."
type = string
default = "self-link"
}
variable "vpc_host_project" {
description = "Host project for the shared VPC."
type = string
default = "host-project"
}
@ -1,36 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
def test_plan(e2e_plan_runner):
"Check for a clean plan"
modules, resources = e2e_plan_runner()
assert len(modules) > 0 and len(resources) > 0
def test_plan_service_accounts(e2e_plan_runner):
"Check for a clean plan"
service_accounts = '''{
sa-001 = []
sa-002 = ["roles/owner"]
}'''
service_accounts_iam = '''{
sa-002 = {
"roles/iam.serviceAccountTokenCreator" = ["group:team-1@example.com"]
}
}'''
modules, resources = e2e_plan_runner(
service_accounts=service_accounts,
service_accounts_iam=service_accounts_iam)
assert len(modules) > 0 and len(resources) > 0
@ -18,7 +18,7 @@ from pathlib import Path
BASE_PATH = Path(__file__).parent
COUNT_TEST_RE = re.compile(r'# tftest +modules=(\d+) +resources=(\d+)' +
r'(?: +files=([\w,_-]+))?' +
r'(?: +files=([\w@,_-]+))?' +
r'(?: +inventory=([\w\-.]+))?')
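Review bot: The `files=` capture group on the new line now admits `@` inside an entry, but nothing on the page says what an `@` means there, and the `_` in `[\w@,_-]` is redundant because `\w` already matches underscore, so `[\w@,-]` is equivalent and reads cleaner. A short comment above `COUNT_TEST_RE` stating the accepted marker syntax, e.g. `# tftest marker: files= is a comma-separated list (entries may contain '@'), inventory= a single file name`, would tell readers of the consuming test code what to expect; presumably `@` introduces some name-to-path form, but that should be confirmed against the code that uses group 3, which is not in this hunk. If the captured names are later joined into filesystem paths (not visible here), the loose character classes are acceptable only because the markers come from repository-owned example blocks, and that assumption belongs in the same comment.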
@ -0,0 +1,235 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This is one of the few modules where it actually makes sense to be
# very verbose with values
values:
module.projects["project"].google_compute_subnetwork_iam_member.default["dev-default-ew1:serviceAccount:my-service-account"]:
condition: []
member: serviceAccount:my-service-account
project: fast-dev-net-spoke-0
region: europe-west1
role: roles/compute.networkUser
subnetwork: projects/fast-dev-net-spoke-0/regions/europe-west1/subnetworks/dev-default-ew1
module.projects["project"].google_compute_subnetwork_iam_member.default["dev-default-ew1:user:foobar@example.com"]:
condition: []
member: user:foobar@example.com
project: fast-dev-net-spoke-0
region: europe-west1
role: roles/compute.networkUser
subnetwork: projects/fast-dev-net-spoke-0/regions/europe-west1/subnetworks/dev-default-ew1
module.projects["project"].module.billing-alert["1"].google_billing_budget.budget:
all_updates_rule:
- disable_default_iam_recipients: false
pubsub_topic: null
schema_version: '1.0'
amount:
- last_period_amount: null
specified_amount:
- nanos: null
units: '10'
billing_account: 012345-67890A-BCDEF0
budget_filter:
- calendar_period: null
credit_types_treatment: INCLUDE_ALL_CREDITS
custom_period: []
display_name: test1-project budget
threshold_rules:
- spend_basis: CURRENT_SPEND
threshold_percent: 0.5
- spend_basis: CURRENT_SPEND
threshold_percent: 0.8
module.projects["project"].module.billing-alert["1"].google_monitoring_notification_channel.email_channels["team-a-contacts@example.com"]:
display_name: test1-project budget budget email notification (team-a-contacts@example.com)
labels:
email_address: team-a-contacts@example.com
project: test1-project
sensitive_labels: []
type: email
module.projects["project"].module.billing-alert["1"].google_monitoring_notification_channel.email_channels["team-contacts@example.com"]:
display_name: test1-project budget budget email notification (team-contacts@example.com)
labels:
email_address: team-contacts@example.com
project: test1-project
sensitive_labels: []
type: email
module.projects["project"].module.dns["ipsum"].google_dns_managed_zone.non-public[0]:
dns_name: ipsum.dev.example.org
name: ipsum
private_visibility_config:
- gke_clusters: []
networks:
- network_url: projects/foo/networks/bar
project: fast-dev-net-spoke-0
visibility: private
module.projects["project"].module.dns["lorem"].google_dns_managed_zone.non-public[0]:
dns_name: lorem.dev.example.org
name: lorem
private_visibility_config:
- gke_clusters: []
networks:
- network_url: projects/foo/networks/bar
project: fast-dev-net-spoke-0
module.projects["project"].module.project.google_compute_shared_vpc_service_project.shared_vpc_service[0]:
host_project: fast-dev-net-spoke-0
service_project: test1-project
module.projects["project"].module.project.google_essential_contacts_contact.contact["team-a-contacts@example.com"]:
email: team-a-contacts@example.com
language_tag: en
notification_category_subscriptions:
- ALL
parent: projects/test1-project
module.projects["project"].module.project.google_essential_contacts_contact.contact["team-contacts@example.com"]:
email: team-contacts@example.com
language_tag: en
notification_category_subscriptions:
- ALL
parent: projects/test1-project
module.projects["project"].module.project.google_org_policy_policy.default["constraints/compute.disableGuestAttributesAccess"]:
name: projects/test1-project/policies/constraints/compute.disableGuestAttributesAccess
parent: projects/test1-project
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
values: []
module.projects["project"].module.project.google_org_policy_policy.default["constraints/compute.trustedImageProjects"]:
name: projects/test1-project/policies/constraints/compute.trustedImageProjects
parent: projects/test1-project
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: null
values:
- allowed_values:
- projects/fast-dev-iac-core-0
denied_values: null
module.projects["project"].module.project.google_org_policy_policy.default["constraints/compute.vmExternalIpAccess"]:
name: projects/test1-project/policies/constraints/compute.vmExternalIpAccess
parent: projects/test1-project
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: 'TRUE'
enforce: null
values: []
module.projects["project"].module.project.google_project.project[0]:
auto_create_network: false
billing_account: 012345-67890A-BCDEF0
folder_id: 012345678901
labels:
application: example-app
costcenter: apps
department: accounting
environment: dev
foo: bar
name: test1-project
org_id: null
project_id: test1-project
skip_delete: false
module.projects["project"].module.project.google_project_iam_binding.authoritative["roles/compute.admin"]:
condition: []
project: test1-project
role: roles/compute.admin
module.projects["project"].module.project.google_project_iam_binding.authoritative["roles/compute.adminv1"]:
condition: []
project: test1-project
role: roles/compute.adminv1
module.projects["project"].module.project.google_project_iam_binding.authoritative["roles/storage.objectViewer"]:
condition: []
project: test1-project
role: roles/storage.objectViewer
module.projects["project"].module.project.google_project_iam_member.shared_vpc_host_robots["roles/compute.networkUser:cloudservices"]:
condition: []
project: fast-dev-net-spoke-0
role: roles/compute.networkUser
module.projects["project"].module.project.google_project_iam_member.shared_vpc_host_robots["roles/compute.securityAdmin:container-engine"]:
condition: []
project: fast-dev-net-spoke-0
role: roles/compute.securityAdmin
module.projects["project"].module.project.google_project_service.project_services["billingbudgets.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test1-project
service: billingbudgets.googleapis.com
module.projects["project"].module.project.google_project_service.project_services["compute.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test1-project
service: compute.googleapis.com
module.projects["project"].module.project.google_project_service.project_services["container.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test1-project
service: container.googleapis.com
module.projects["project"].module.project.google_project_service.project_services["dns.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test1-project
service: dns.googleapis.com
module.projects["project"].module.project.google_project_service.project_services["essentialcontacts.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test1-project
service: essentialcontacts.googleapis.com
module.projects["project"].module.project.google_project_service.project_services["orgpolicy.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test1-project
service: orgpolicy.googleapis.com
module.projects["project"].module.project.google_project_service.project_services["stackdriver.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test1-project
service: stackdriver.googleapis.com
module.projects["project"].module.project.google_project_service.project_services["storage.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test1-project
service: storage.googleapis.com
module.projects["project"].module.service-accounts["another-service-account"].google_service_account.service_account[0]:
account_id: another-service-account
display_name: Terraform-managed.
project: test1-project
module.projects["project"].module.service-accounts["my-service-account"].google_service_account.service_account[0]:
account_id: my-service-account
display_name: Terraform-managed.
project: test1-project
counts:
google_billing_budget: 1
google_compute_shared_vpc_service_project: 1
google_compute_subnetwork_iam_member: 2
google_dns_managed_zone: 2
google_essential_contacts_contact: 2
google_monitoring_notification_channel: 2
google_org_policy_policy: 3
google_project: 1
google_project_iam_binding: 3
google_project_iam_member: 2
google_project_service: 8
google_service_account: 2
google_storage_project_service_account: 1
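Review bot: `roles/compute.adminv1` in the `google_project_iam_binding.authoritative["roles/compute.adminv1"]` entry is not a predefined Compute role name I recognise, so it reads like a typo unless the fixture data that produces this inventory (not in this view) deliberately uses a synthetic role to exercise a second authoritative binding next to `roles/compute.admin`. If it is deliberate, a line under the header comment such as `# roles/compute.adminv1 is a synthetic role used only to exercise a second authoritative binding` would stop the next reader from "fixing" it, and since authoritative bindings replace any existing members of a role, a reviewer comparing this file against real role names would otherwise flag it as a drift bug. The header comment could also name the data file these expected values derive from, because the `dev` labels, `fast-dev-*` projects and `*.dev.example.org` zone names show it is not the `prod` fixture removed earlier in this commit.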