Fix module tests

This commit is contained in:
Julio Castillo 2022-10-28 14:40:53 +02:00
parent b23d07b0c6
commit f44f4a74dc
14 changed files with 685 additions and 199 deletions


@ -100,7 +100,7 @@ resource "google_org_policy_policy" "default" {
title = rule.value.condition.title title = rule.value.condition.title
} }
dynamic "values" { dynamic "values" {
for_each = rule.value.has_values ? [1] : [0] for_each = rule.value.has_values ? [1] : []
content { content {
allowed_values = try(rule.value.allow.values, null) allowed_values = try(rule.value.allow.values, null)
denied_values = try(rule.value.deny.values, null) denied_values = try(rule.value.deny.values, null)
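Review bot: The `for_each = rule.value.has_values ? [1] : []` toggle is the right fix (the old `[0]` branch still produced one element, so an empty `values` block was emitted for every rule), but the idiom is unexplained and the same line is repeated verbatim in the two other module main.tf sections below (the hunks ending at the `denied_values` lines around L41 and L64). A one-line comment above `dynamic "values"` in each would save the next reader from re-deriving it: `# emit a single values block only when the rule carries allow/deny values; an empty list yields none`. The enclosing `google_org_policy_policy` resource starts outside the hunk.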


@ -1,4 +1,4 @@
s/** /**
* Copyright 2022 Google LLC * Copyright 2022 Google LLC
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
@ -59,8 +59,8 @@ locals {
resource "google_org_policy_policy" "default" { resource "google_org_policy_policy" "default" {
for_each = local.org_policies for_each = local.org_policies
name = "${local.organization_id}/policies/${each.key}" name = "${var.organization_id}/policies/${each.key}"
parent = "${local.organiza}" parent = var.organization_id
spec { spec {
inherit_from_parent = each.value.inherit_from_parent inherit_from_parent = each.value.inherit_from_parent
@ -101,7 +101,7 @@ resource "google_org_policy_policy" "default" {
title = rule.value.condition.title title = rule.value.condition.title
} }
dynamic "values" { dynamic "values" {
for_each = rule.value.has_values ? [1] : [0] for_each = rule.value.has_values ? [1] : []
content { content {
allowed_values = try(rule.value.allow.values, null) allowed_values = try(rule.value.allow.values, null)
denied_values = try(rule.value.deny.values, null) denied_values = try(rule.value.deny.values, null)
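Review bot: `name` and `parent` now read `var.organization_id` directly (the lines replacing `local.organization_id` and the truncated `local.organiza`), so the resource path is only correct if the variable already carries the `organizations/` prefix that the tests in this commit assert (`organizations/1234567890`). If `local.organization_id` previously normalised a bare numeric id, that normalisation is lost here — worth confirming against the module's variables file, which is not in this diff. A `validation` block on `variable "organization_id"` that rejects values not starting with `organizations/` would make the assumption explicit and fail at plan time rather than at the API. The enclosing resource and the `locals` block are cut by the hunk boundaries.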


@ -52,8 +52,7 @@ output "organization_id" {
google_organization_iam_custom_role.roles, google_organization_iam_custom_role.roles,
google_organization_iam_member.additive, google_organization_iam_member.additive,
google_organization_iam_policy.authoritative, google_organization_iam_policy.authoritative,
google_organization_policy.boolean, google_org_policy_policy.default,
google_organization_policy.list,
google_tags_tag_key.default, google_tags_tag_key.default,
google_tags_tag_key_iam_binding.default, google_tags_tag_key_iam_binding.default,
google_tags_tag_value.default, google_tags_tag_value.default,


@ -82,7 +82,7 @@ resource "google_org_policy_policy" "default" {
title = rule.value.condition.title title = rule.value.condition.title
} }
dynamic "values" { dynamic "values" {
for_each = rule.value.has_values ? [1] : [0] for_each = rule.value.has_values ? [1] : []
content { content {
allowed_values = try(rule.value.allow.values, null) allowed_values = try(rule.value.allow.values, null)
denied_values = try(rule.value.deny.values, null) denied_values = try(rule.value.deny.values, null)


@ -22,10 +22,9 @@ module "test" {
iam = var.iam iam = var.iam
iam_additive = var.iam_additive iam_additive = var.iam_additive
iam_additive_members = var.iam_additive_members iam_additive_members = var.iam_additive_members
policy_boolean = var.policy_boolean
policy_list = var.policy_list
firewall_policies = var.firewall_policies firewall_policies = var.firewall_policies
firewall_policy_association = var.firewall_policy_association firewall_policy_association = var.firewall_policy_association
logging_sinks = var.logging_sinks logging_sinks = var.logging_sinks
logging_exclusions = var.logging_exclusions logging_exclusions = var.logging_exclusions
org_policies = var.org_policies
} }


@ -34,16 +34,6 @@ variable "iam_additive_members" {
default = {} default = {}
} }
variable "policy_boolean" {
type = any
default = {}
}
variable "policy_list" {
type = any
default = {}
}
variable "firewall_policies" { variable "firewall_policies" {
type = any type = any
default = {} default = {}
@ -63,3 +53,8 @@ variable "logging_exclusions" {
type = any type = any
default = {} default = {}
} }
variable "org_policies" {
type = any
default = {}
}


@ -12,56 +12,214 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
def test_sink(plan_runner):
"Test folder-level sink."
policy_boolean = '{policy-a = true, policy-b = false, policy-c = null}'
_, resources = plan_runner(policy_boolean=policy_boolean)
def test_policy_boolean(plan_runner):
"Test boolean org policy."
policies = '''{
"iam.disableServiceAccountKeyCreation" = {
enforce = true
}
"iam.disableServiceAccountKeyUpload" = {
enforce = false
rules = [
{
condition = {
expression = "resource.matchTagId(\\"tagKeys/1234\\", \\"tagValues/1234\\")"
title = "condition"
description = "test condition"
location = "xxx"
}
enforce = true
}
]
}
}'''
_, resources = plan_runner(org_policies=policies)
assert len(resources) == 3
policies = [r for r in resources if r['type'] == 'google_org_policy_policy']
from icecream import ic
ic(policies)
assert len(policies) == 2
p1 = [
r['values']['spec'][0]
for r in policies
if r['index'] == 'iam.disableServiceAccountKeyCreation'
][0]
assert p1['inherit_from_parent'] is None
assert p1['reset'] is None
assert p1['rules'] == [{
'allow_all': None,
'condition': [],
'deny_all': None,
'enforce': 'TRUE',
'values': []
}]
p2 = [
r['values']['spec'][0]
for r in policies
if r['index'] == 'iam.disableServiceAccountKeyUpload'
][0]
assert p2['inherit_from_parent'] is None
assert p2['reset'] is None
assert len(p2['rules']) == 2
assert p2['rules'][0] == {
'allow_all': None,
'condition': [],
'deny_all': None,
'enforce': 'FALSE',
'values': []
}
assert p2['rules'][1] == {
'allow_all': None,
'condition': [{
'description': 'test condition',
'expression': 'resource.matchTagId("tagKeys/1234", "tagValues/1234")',
'location': 'xxx',
'title': 'condition'
}],
'deny_all': None,
'enforce': 'TRUE',
'values': []
}
def test_policy_list(plan_runner):
"Test list org policy."
policies = '''{
"compute.vmExternalIpAccess" = {
deny = { all = true }
}
"iam.allowedPolicyMemberDomains" = {
allow = {
values = ["C0xxxxxxx", "C0yyyyyyy"]
}
}
"compute.restrictLoadBalancerCreationForTypes" = {
deny = { values = ["in:EXTERNAL"] }
rules = [
{
condition = {
expression = "resource.matchTagId(\\"tagKeys/1234\\", \\"tagValues/1234\\")"
title = "condition"
description = "test condition"
location = "xxx"
}
allow = {
values = ["EXTERNAL_1"]
}
},
{
condition = {
expression = "resource.matchTagId(\\"tagKeys/12345\\", \\"tagValues/12345\\")"
title = "condition2"
description = "test condition2"
location = "xxx"
}
allow = {
all = true
}
}
]
}
}'''
_, resources = plan_runner(org_policies=policies)
assert len(resources) == 4 assert len(resources) == 4
resources = [r for r in resources if r['type']
== 'google_folder_organization_policy']
assert sorted([r['index'] for r in resources]) == [
'policy-a',
'policy-b',
'policy-c',
]
policy_values = []
for resource in resources:
for policy in ('boolean_policy', 'restore_policy'):
value = resource['values'][policy]
if value:
policy_values.append((resource['index'], policy,) + value[0].popitem())
assert sorted(policy_values) == [
('policy-a', 'boolean_policy', 'enforced', True),
('policy-b', 'boolean_policy', 'enforced', False),
('policy-c', 'restore_policy', 'default', True),
]
policies = [r for r in resources if r['type'] == 'google_org_policy_policy']
assert len(policies) == 3
def test_exclussions(plan_runner): p1 = [
"Test folder-level logging exclusions." r['values']['spec'][0]
policy_list = ( for r in policies
'{' if r['index'] == 'compute.vmExternalIpAccess'
'policy-a = {inherit_from_parent = true, suggested_value = null, status = true, values = []}, ' ][0]
'policy-b = {inherit_from_parent = null, suggested_value = "foo", status = false, values = ["bar"]}, ' assert p1['inherit_from_parent'] is None
'policy-c = {inherit_from_parent = null, suggested_value = true, status = null, values = null}' assert p1['reset'] is None
'}' assert p1['rules'] == [{
) 'allow_all': None,
_, resources = plan_runner(policy_list=policy_list) 'condition': [],
assert len(resources) == 4 'deny_all': 'TRUE',
resources = [r for r in resources if r['type'] 'enforce': None,
== 'google_folder_organization_policy'] 'values': []
assert sorted([r['index'] for r in resources]) == [ }]
'policy-a',
'policy-b', p2 = [
'policy-c', r['values']['spec'][0]
] for r in policies
values = [r['values'] for r in resources] if r['index'] == 'iam.allowedPolicyMemberDomains'
assert [r['constraint'] for r in values] == [ ][0]
'policy-a', 'policy-b', 'policy-c' assert p2['inherit_from_parent'] is None
] assert p2['reset'] is None
assert values[0]['list_policy'][0]['allow'] == [ assert p2['rules'] == [{
{'all': True, 'values': None}] 'allow_all':
assert values[1]['list_policy'][0]['deny'] == [ None,
{'all': False, 'values': ["bar"]}] 'condition': [],
assert values[2]['restore_policy'] == [{'default': True}] 'deny_all':
None,
'enforce':
None,
'values': [{
'allowed_values': [
'C0xxxxxxx',
'C0yyyyyyy',
],
'denied_values': None
}]
}]
p3 = [
r['values']['spec'][0]
for r in policies
if r['index'] == 'compute.restrictLoadBalancerCreationForTypes'
][0]
assert p3['inherit_from_parent'] is None
assert p3['reset'] is None
assert len(p3['rules']) == 3
assert p3['rules'][0] == {
'allow_all': None,
'condition': [],
'deny_all': None,
'enforce': None,
'values': [{
'allowed_values': None,
'denied_values': ['in:EXTERNAL']
}]
}
assert p3['rules'][1] == {
'allow_all': None,
'condition': [{
'description': 'test condition',
'expression': 'resource.matchTagId("tagKeys/1234", "tagValues/1234")',
'location': 'xxx',
'title': 'condition'
}],
'deny_all': None,
'enforce': None,
'values': [{
'allowed_values': ['EXTERNAL_1'],
'denied_values': None
}]
}
assert p3['rules'][2] == {
'allow_all': 'TRUE',
'condition': [{
'description':
'test condition2',
'expression':
'resource.matchTagId("tagKeys/12345", "tagValues/12345")',
'location':
'xxx',
'title':
'condition2'
}],
'deny_all': None,
'enforce': None,
'values': []
}
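Review bot: `from icecream import ic` and `ic(policies)` (L139–L140, inside `test_policy_boolean`) are leftover debugging statements; icecream is a third-party package that is not a test dependency, so the whole test errors with ImportError wherever it is not installed — delete both lines. The same stray import appears at L502 in the new organization test file. This folder variant also omits the parent check that the organization and project variants carry after their `len(policies)` assertion; adding `assert all(x['values']['parent'] == FOLDER_PARENT for x in policies)` with `FOLDER_PARENT` set to the fixture's folder id (not visible on this page) would keep the three files asserting the same contract.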


@ -28,8 +28,7 @@ module "test" {
iam_audit_config = var.iam_audit_config iam_audit_config = var.iam_audit_config
logging_sinks = var.logging_sinks logging_sinks = var.logging_sinks
logging_exclusions = var.logging_exclusions logging_exclusions = var.logging_exclusions
policy_boolean = var.policy_boolean org_policies = var.org_policies
policy_list = var.policy_list
tag_bindings = var.tag_bindings tag_bindings = var.tag_bindings
tags = var.tags tags = var.tags
} }


@ -44,16 +44,6 @@ variable "iam_audit_config" {
default = {} default = {}
} }
variable "policy_boolean" {
type = any
default = {}
}
variable "policy_list" {
type = any
default = {}
}
variable "firewall_policies" { variable "firewall_policies" {
type = any type = any
default = {} default = {}
@ -79,6 +69,11 @@ variable "logging_exclusions" {
default = {} default = {}
} }
variable "org_policies" {
type = any
default = {}
}
variable "tag_bindings" { variable "tag_bindings" {
type = any type = any
default = null default = null


@ -12,13 +12,14 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
def test_audit_config(plan_runner): def test_audit_config(plan_runner):
"Test audit config." "Test audit config."
iam_audit_config = '{allServices={DATA_READ=[], DATA_WRITE=["user:me@example.org"]}}' iam_audit_config = '{allServices={DATA_READ=[], DATA_WRITE=["user:me@example.org"]}}'
_, resources = plan_runner(iam_audit_config=iam_audit_config) _, resources = plan_runner(iam_audit_config=iam_audit_config)
assert len(resources) == 1 assert len(resources) == 1
log_types = set(r['log_type'] log_types = set(
for r in resources[0]['values']['audit_log_config']) r['log_type'] for r in resources[0]['values']['audit_log_config'])
assert log_types == set(['DATA_READ', 'DATA_WRITE']) assert log_types == set(['DATA_READ', 'DATA_WRITE'])
@ -28,21 +29,21 @@ def test_iam(plan_runner):
'{' '{'
'"owners@example.org" = ["roles/owner", "roles/resourcemanager.folderAdmin"],' '"owners@example.org" = ["roles/owner", "roles/resourcemanager.folderAdmin"],'
'"viewers@example.org" = ["roles/viewer"]' '"viewers@example.org" = ["roles/viewer"]'
'}' '}')
) iam = ('{'
iam = (
'{'
'"roles/owner" = ["user:one@example.org", "user:two@example.org"],' '"roles/owner" = ["user:one@example.org", "user:two@example.org"],'
'"roles/browser" = ["domain:example.org"]' '"roles/browser" = ["domain:example.org"]'
'}' '}')
)
_, resources = plan_runner(group_iam=group_iam, iam=iam) _, resources = plan_runner(group_iam=group_iam, iam=iam)
roles = sorted([(r['values']['role'], sorted(r['values']['members'])) roles = sorted([(r['values']['role'], sorted(r['values']['members']))
for r in resources if r['type'] == 'google_organization_iam_binding']) for r in resources
if r['type'] == 'google_organization_iam_binding'])
assert roles == [ assert roles == [
('roles/browser', ['domain:example.org']), ('roles/browser', ['domain:example.org']),
('roles/owner', ['group:owners@example.org', 'user:one@example.org', ('roles/owner', [
'user:two@example.org']), 'group:owners@example.org', 'user:one@example.org',
'user:two@example.org'
]),
('roles/resourcemanager.folderAdmin', ['group:owners@example.org']), ('roles/resourcemanager.folderAdmin', ['group:owners@example.org']),
('roles/viewer', ['group:viewers@example.org']), ('roles/viewer', ['group:viewers@example.org']),
] ]
@ -50,55 +51,12 @@ def test_iam(plan_runner):
def test_iam_additive_members(plan_runner): def test_iam_additive_members(plan_runner):
"Test IAM additive members." "Test IAM additive members."
iam = ( iam = ('{"user:one@example.org" = ["roles/owner"],'
'{"user:one@example.org" = ["roles/owner"],' '"user:two@example.org" = ["roles/owner", "roles/editor"]}')
'"user:two@example.org" = ["roles/owner", "roles/editor"]}'
)
_, resources = plan_runner(iam_additive_members=iam) _, resources = plan_runner(iam_additive_members=iam)
roles = set((r['values']['role'], r['values']['member']) roles = set((r['values']['role'], r['values']['member'])
for r in resources if r['type'] == 'google_organization_iam_member') for r in resources
assert roles == set([ if r['type'] == 'google_organization_iam_member')
('roles/owner', 'user:one@example.org'), assert roles == set([('roles/owner', 'user:one@example.org'),
('roles/owner', 'user:two@example.org'), ('roles/owner', 'user:two@example.org'),
('roles/editor', 'user:two@example.org') ('roles/editor', 'user:two@example.org')])
])
def test_policy_boolean(plan_runner):
"Test boolean org policy."
policy_boolean = '{policy-a = true, policy-b = false, policy-c = null}'
_, resources = plan_runner(policy_boolean=policy_boolean)
assert len(resources) == 3
constraints = set(r['values']['constraint'] for r in resources)
assert set(constraints) == set(['policy-a', 'policy-b', 'policy-c'])
policies = []
for resource in resources:
for policy in ('boolean_policy', 'restore_policy'):
value = resource['values'][policy]
if value:
policies.append((policy,) + value[0].popitem())
assert set(policies) == set([
('boolean_policy', 'enforced', True),
('boolean_policy', 'enforced', False),
('restore_policy', 'default', True)])
def test_policy_list(plan_runner):
"Test list org policy."
policy_list = (
'{'
'policy-a = {inherit_from_parent = true, suggested_value = null, status = true, values = []}, '
'policy-b = {inherit_from_parent = null, suggested_value = "foo", status = false, values = ["bar"]}, '
'policy-c = {inherit_from_parent = null, suggested_value = true, status = null, values = null}'
'}'
)
_, resources = plan_runner(policy_list=policy_list)
assert len(resources) == 3
values = [r['values'] for r in resources]
assert [r['constraint']
for r in values] == ['policy-a', 'policy-b', 'policy-c']
assert values[0]['list_policy'][0]['allow'] == [
{'all': True, 'values': None}]
assert values[1]['list_policy'][0]['deny'] == [
{'all': False, 'values': ["bar"]}]
assert values[2]['restore_policy'] == [{'default': True}]
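Review bot: The reflowed `log_types = set(\n r['log_type'] for r in ...)` in `test_audit_config` (first hunk of this section) is a generator wrapped in `set()`, which a set comprehension expresses more directly: `log_types = {r['log_type'] for r in resources[0]['values']['audit_log_config']}` and `assert log_types == {'DATA_READ', 'DATA_WRITE'}`. The same `set([...])` wrapping survives in `test_iam_additive_members` (`roles = set((...) for r in ...)` / `assert roles == set([...])`) and could be converted the same way. Purely stylistic; behaviour is unchanged either way.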


@ -0,0 +1,228 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
def test_policy_boolean(plan_runner):
"Test boolean org policy."
policies = '''{
"iam.disableServiceAccountKeyCreation" = {
enforce = true
}
"iam.disableServiceAccountKeyUpload" = {
enforce = false
rules = [
{
condition = {
expression = "resource.matchTagId(\\"tagKeys/1234\\", \\"tagValues/1234\\")"
title = "condition"
description = "test condition"
location = "xxx"
}
enforce = true
}
]
}
}'''
_, resources = plan_runner(org_policies=policies)
assert len(resources) == 2
policies = [r for r in resources if r['type'] == 'google_org_policy_policy']
assert len(policies) == 2
from icecream import ic
assert all(
x['values']['parent'] == 'organizations/1234567890' for x in policies)
p1 = [
r['values']['spec'][0]
for r in policies
if r['index'] == 'iam.disableServiceAccountKeyCreation'
][0]
assert p1['inherit_from_parent'] is None
assert p1['reset'] is None
assert p1['rules'] == [{
'allow_all': None,
'condition': [],
'deny_all': None,
'enforce': 'TRUE',
'values': []
}]
p2 = [
r['values']['spec'][0]
for r in policies
if r['index'] == 'iam.disableServiceAccountKeyUpload'
][0]
assert p2['inherit_from_parent'] is None
assert p2['reset'] is None
assert len(p2['rules']) == 2
assert p2['rules'][0] == {
'allow_all': None,
'condition': [],
'deny_all': None,
'enforce': 'FALSE',
'values': []
}
assert p2['rules'][1] == {
'allow_all': None,
'condition': [{
'description': 'test condition',
'expression': 'resource.matchTagId("tagKeys/1234", "tagValues/1234")',
'location': 'xxx',
'title': 'condition'
}],
'deny_all': None,
'enforce': 'TRUE',
'values': []
}
def test_policy_list(plan_runner):
"Test list org policy."
policies = '''{
"compute.vmExternalIpAccess" = {
deny = { all = true }
}
"iam.allowedPolicyMemberDomains" = {
allow = {
values = ["C0xxxxxxx", "C0yyyyyyy"]
}
}
"compute.restrictLoadBalancerCreationForTypes" = {
deny = { values = ["in:EXTERNAL"] }
rules = [
{
condition = {
expression = "resource.matchTagId(\\"tagKeys/1234\\", \\"tagValues/1234\\")"
title = "condition"
description = "test condition"
location = "xxx"
}
allow = {
values = ["EXTERNAL_1"]
}
},
{
condition = {
expression = "resource.matchTagId(\\"tagKeys/12345\\", \\"tagValues/12345\\")"
title = "condition2"
description = "test condition2"
location = "xxx"
}
allow = {
all = true
}
}
]
}
}'''
_, resources = plan_runner(org_policies=policies)
assert len(resources) == 3
policies = [r for r in resources if r['type'] == 'google_org_policy_policy']
assert len(policies) == 3
assert all(
x['values']['parent'] == 'organizations/1234567890' for x in policies)
p1 = [
r['values']['spec'][0]
for r in policies
if r['index'] == 'compute.vmExternalIpAccess'
][0]
assert p1['inherit_from_parent'] is None
assert p1['reset'] is None
assert p1['rules'] == [{
'allow_all': None,
'condition': [],
'deny_all': 'TRUE',
'enforce': None,
'values': []
}]
p2 = [
r['values']['spec'][0]
for r in policies
if r['index'] == 'iam.allowedPolicyMemberDomains'
][0]
assert p2['inherit_from_parent'] is None
assert p2['reset'] is None
assert p2['rules'] == [{
'allow_all':
None,
'condition': [],
'deny_all':
None,
'enforce':
None,
'values': [{
'allowed_values': [
'C0xxxxxxx',
'C0yyyyyyy',
],
'denied_values': None
}]
}]
p3 = [
r['values']['spec'][0]
for r in policies
if r['index'] == 'compute.restrictLoadBalancerCreationForTypes'
][0]
assert p3['inherit_from_parent'] is None
assert p3['reset'] is None
assert len(p3['rules']) == 3
assert p3['rules'][0] == {
'allow_all': None,
'condition': [],
'deny_all': None,
'enforce': None,
'values': [{
'allowed_values': None,
'denied_values': ['in:EXTERNAL']
}]
}
assert p3['rules'][1] == {
'allow_all': None,
'condition': [{
'description': 'test condition',
'expression': 'resource.matchTagId("tagKeys/1234", "tagValues/1234")',
'location': 'xxx',
'title': 'condition'
}],
'deny_all': None,
'enforce': None,
'values': [{
'allowed_values': ['EXTERNAL_1'],
'denied_values': None
}]
}
assert p3['rules'][2] == {
'allow_all': 'TRUE',
'condition': [{
'description':
'test condition2',
'expression':
'resource.matchTagId("tagKeys/12345", "tagValues/12345")',
'location':
'xxx',
'title':
'condition2'
}],
'deny_all': None,
'enforce': None,
'values': []
}
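Review bot: The literal `'organizations/1234567890'` is repeated in both tests (L504 and L590) with no indication of where it comes from; presumably it mirrors the `organization_id` in the test fixture, which is not in this diff. Hoisting it to a module constant, `ORG_PARENT = 'organizations/1234567890'`, and asserting `x['values']['parent'] == ORG_PARENT` ties the two checks to one definition. The HCL fixture strings and the expected rule dicts in this file are otherwise byte-identical to those in the folder and project test files of this commit, so a shared conftest fixture would let a future schema change to `google_org_policy_policy` be updated in one place.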


@ -25,12 +25,11 @@ module "test" {
iam_additive_members = var.iam_additive_members iam_additive_members = var.iam_additive_members
labels = var.labels labels = var.labels
lien_reason = var.lien_reason lien_reason = var.lien_reason
org_policies = var.org_policies
oslogin = var.oslogin oslogin = var.oslogin
oslogin_admins = var.oslogin_admins oslogin_admins = var.oslogin_admins
oslogin_users = var.oslogin_users oslogin_users = var.oslogin_users
parent = var.parent parent = var.parent
policy_boolean = var.policy_boolean
policy_list = var.policy_list
prefix = var.prefix prefix = var.prefix
service_encryption_key_ids = var.service_encryption_key_ids service_encryption_key_ids = var.service_encryption_key_ids
services = var.services services = var.services
@ -63,4 +62,3 @@ module "test-svpc-service" {
} }
} }
} }


@ -64,6 +64,11 @@ variable "lien_reason" {
default = "" default = ""
} }
variable "org_policies" {
type = any
default = {}
}
variable "oslogin" { variable "oslogin" {
type = bool type = bool
default = false default = false
@ -84,21 +89,6 @@ variable "parent" {
default = null default = null
} }
variable "policy_boolean" {
type = map(bool)
default = {}
}
variable "policy_list" {
type = map(object({
inherit_from_parent = bool
suggested_value = string
status = bool
values = list(string)
}))
default = {}
}
variable "prefix" { variable "prefix" {
type = string type = string
default = null default = null


@ -12,47 +12,214 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
def test_policy_boolean(plan_runner): def test_policy_boolean(plan_runner):
"Test boolean org policy." "Test boolean org policy."
policy_boolean = '{policy-a = true, policy-b = false, policy-c = null}' policies = '''{
_, resources = plan_runner(policy_boolean=policy_boolean) "iam.disableServiceAccountKeyCreation" = {
assert len(resources) == 7 enforce = true
resources = [r for r in resources if r['type'] }
== 'google_project_organization_policy'] "iam.disableServiceAccountKeyUpload" = {
assert sorted([r['index'] for r in resources]) == [ enforce = false
'policy-a', 'policy-b', 'policy-c' rules = [
] {
policy_values = [] condition = {
for resource in resources: expression = "resource.matchTagId(\\"tagKeys/1234\\", \\"tagValues/1234\\")"
for policy in ('boolean_policy', 'restore_policy'): title = "condition"
value = resource['values'][policy] description = "test condition"
if value: location = "xxx"
policy_values.append((policy,) + value[0].popitem()) }
assert sorted(policy_values) == [ enforce = true
('boolean_policy', 'enforced', False), }
('boolean_policy', 'enforced', True),
('restore_policy', 'default', True)
] ]
}
}'''
_, resources = plan_runner(org_policies=policies)
assert len(resources) == 6
policies = [r for r in resources if r['type'] == 'google_org_policy_policy']
assert len(policies) == 2
assert all(x['values']['parent'] == 'projects/my-project' for x in policies)
p1 = [
r['values']['spec'][0]
for r in policies
if r['index'] == 'iam.disableServiceAccountKeyCreation'
][0]
assert p1['inherit_from_parent'] is None
assert p1['reset'] is None
assert p1['rules'] == [{
'allow_all': None,
'condition': [],
'deny_all': None,
'enforce': 'TRUE',
'values': []
}]
p2 = [
r['values']['spec'][0]
for r in policies
if r['index'] == 'iam.disableServiceAccountKeyUpload'
][0]
assert p2['inherit_from_parent'] is None
assert p2['reset'] is None
assert len(p2['rules']) == 2
assert p2['rules'][0] == {
'allow_all': None,
'condition': [],
'deny_all': None,
'enforce': 'FALSE',
'values': []
}
assert p2['rules'][1] == {
'allow_all': None,
'condition': [{
'description': 'test condition',
'expression': 'resource.matchTagId("tagKeys/1234", "tagValues/1234")',
'location': 'xxx',
'title': 'condition'
}],
'deny_all': None,
'enforce': 'TRUE',
'values': []
}
def test_policy_list(plan_runner): def test_policy_list(plan_runner):
"Test list org policy." "Test list org policy."
policy_list = ( policies = '''{
'{' "compute.vmExternalIpAccess" = {
'policy-a = {inherit_from_parent = true, suggested_value = null, status = true, values = []}, ' deny = { all = true }
'policy-b = {inherit_from_parent = null, suggested_value = "foo", status = false, values = ["bar"]}, ' }
'policy-c = {inherit_from_parent = null, suggested_value = true, status = null, values = null}' "iam.allowedPolicyMemberDomains" = {
'}' allow = {
) values = ["C0xxxxxxx", "C0yyyyyyy"]
_, resources = plan_runner(policy_list=policy_list) }
assert len(resources) == 7 }
values = [r['values'] for r in resources if r['type'] "compute.restrictLoadBalancerCreationForTypes" = {
== 'google_project_organization_policy'] deny = { values = ["in:EXTERNAL"] }
assert [r['constraint'] for r in values] == [ rules = [
'policy-a', 'policy-b', 'policy-c' {
condition = {
expression = "resource.matchTagId(\\"tagKeys/1234\\", \\"tagValues/1234\\")"
title = "condition"
description = "test condition"
location = "xxx"
}
allow = {
values = ["EXTERNAL_1"]
}
},
{
condition = {
expression = "resource.matchTagId(\\"tagKeys/12345\\", \\"tagValues/12345\\")"
title = "condition2"
description = "test condition2"
location = "xxx"
}
allow = {
all = true
}
}
] ]
assert values[0]['list_policy'][0]['allow'] == [ }
{'all': True, 'values': None}] }'''
assert values[1]['list_policy'][0]['deny'] == [ _, resources = plan_runner(org_policies=policies)
{'all': False, 'values': ["bar"]}] assert len(resources) == 7
assert values[2]['restore_policy'] == [{'default': True}]
policies = [r for r in resources if r['type'] == 'google_org_policy_policy']
assert len(policies) == 3
assert all(x['values']['parent'] == 'projects/my-project' for x in policies)
p1 = [
r['values']['spec'][0]
for r in policies
if r['index'] == 'compute.vmExternalIpAccess'
][0]
assert p1['inherit_from_parent'] is None
assert p1['reset'] is None
assert p1['rules'] == [{
'allow_all': None,
'condition': [],
'deny_all': 'TRUE',
'enforce': None,
'values': []
}]
p2 = [
r['values']['spec'][0]
for r in policies
if r['index'] == 'iam.allowedPolicyMemberDomains'
][0]
assert p2['inherit_from_parent'] is None
assert p2['reset'] is None
assert p2['rules'] == [{
'allow_all':
None,
'condition': [],
'deny_all':
None,
'enforce':
None,
'values': [{
'allowed_values': [
'C0xxxxxxx',
'C0yyyyyyy',
],
'denied_values': None
}]
}]
p3 = [
r['values']['spec'][0]
for r in policies
if r['index'] == 'compute.restrictLoadBalancerCreationForTypes'
][0]
assert p3['inherit_from_parent'] is None
assert p3['reset'] is None
assert len(p3['rules']) == 3
assert p3['rules'][0] == {
'allow_all': None,
'condition': [],
'deny_all': None,
'enforce': None,
'values': [{
'allowed_values': None,
'denied_values': ['in:EXTERNAL']
}]
}
assert p3['rules'][1] == {
'allow_all': None,
'condition': [{
'description': 'test condition',
'expression': 'resource.matchTagId("tagKeys/1234", "tagValues/1234")',
'location': 'xxx',
'title': 'condition'
}],
'deny_all': None,
'enforce': None,
'values': [{
'allowed_values': ['EXTERNAL_1'],
'denied_values': None
}]
}
assert p3['rules'][2] == {
'allow_all': 'TRUE',
'condition': [{
'description':
'test condition2',
'expression':
'resource.matchTagId("tagKeys/12345", "tagValues/12345")',
'location':
'xxx',
'title':
'condition2'
}],
'deny_all': None,
'enforce': None,
'values': []
}
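Review bot: `assert len(resources) == 6` (L760) and `assert len(resources) == 7` (L845) count every resource the project module plans, not just the org policies, so any unrelated addition to the module's default resources breaks both org-policy tests; the filtered `assert len(policies) == 2` / `== 3` that follow are the meaningful checks. Consider dropping the unfiltered counts or phrasing them relative to the policy count, e.g. `assert len(resources) - len(policies) == 4`, so the tests stay specific to what they exercise. The folder and organization variants in this commit carry the same unfiltered counts.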