feat: Add apache and nginx integration test and outputs (GoogleCloudP…

…latform#39)
romanini-ciandt · May 29, 2024 · bb99a9f · bb99a9f
1 parent 5133efd
commit bb99a9f
Show file tree

Hide file tree

Showing 15 changed files with 160 additions and 1 deletion.
diff --git a/examples/oss-apache-web-server/outputs.tf b/examples/oss-apache-web-server/outputs.tf
@@ -23,3 +23,8 @@ output "vm_hostname" {
   description = "Name of the hostname created."
   value       = module.apache_web_server.vm_hostname
 }
+
+output "service_account_email" {
+  description = "Service Account created and managed by Terraform."
+  value       = module.apache_web_server.service_account_email
+}
diff --git a/examples/oss-cng-provider/outputs.tf b/examples/oss-cng-provider/outputs.tf
@@ -23,3 +23,8 @@ output "vm_hostname" {
   description = "Name of the hostname created."
   value       = module.cng_provider.vm_hostname
 }
+
+output "service_account_email" {
+  description = "Service Account created and managed by Terraform."
+  value       = module.cng_provider.service_account_email
+}
diff --git a/examples/oss-nginx-web-server/main.tf → examples/oss-nginx-ssl-offloading/main.tf b/examples/oss-nginx-web-server/main.tf → examples/oss-nginx-ssl-offloading/main.tf
diff --git a/examples/oss-nginx-web-server/outputs.tf → examples/oss-nginx-ssl-offloading/outputs.tf b/examples/oss-nginx-web-server/outputs.tf → examples/oss-nginx-ssl-offloading/outputs.tf
@@ -23,3 +23,8 @@ output "vm_hostname" {
   description = "Name of the hostname created."
   value       = module.nginx_ssl_offloading.vm_hostname
 }
+
+output "service_account_email" {
+  description = "Service Account created and managed by Terraform."
+  value       = module.nginx_ssl_offloading.service_account_email
+}
diff --git a/examples/oss-nginx-web-server/variables.tf → ...les/oss-nginx-ssl-offloading/variables.tf b/examples/oss-nginx-web-server/variables.tf → ...les/oss-nginx-ssl-offloading/variables.tf
diff --git a/oss-terraform-automation/1-apache-web-server/README.md b/oss-terraform-automation/1-apache-web-server/README.md
@@ -85,6 +85,7 @@ This guide provides instructions for setting up a GCP infrastructure with Apache
 | keyring | Name of the keyring. |
 | location | Location of the keyring created. |
 | project\_id | ID of the GCP project being used. |
+| service\_account\_email | Service Account created and managed by Terraform. |
 | vm\_hostname | Name of the hostname created. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/oss-terraform-automation/1-apache-web-server/outputs.tf b/oss-terraform-automation/1-apache-web-server/outputs.tf
@@ -38,3 +38,8 @@ output "vm_hostname" {
   description = "Name of the hostname created."
   value       = module.bootstrap-kms-hsm.vm_hostname
 }
+
+output "service_account_email" {
+  description = "Service Account created and managed by Terraform."
+  value       = module.bootstrap-kms-hsm.custom_service_account_email
+}
diff --git a/oss-terraform-automation/2-nginx-ssl-offloading/Dockerfile b/oss-terraform-automation/2-nginx-ssl-offloading/Dockerfile
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM nginx:1.25.0-bullseye
+FROM nginx
 
 # Install the OpenSSL PKCS #11 library
 RUN apt-get update && apt-get install -y libengine-pkcs11-openssl wget curl opensc

diff --git a/oss-terraform-automation/2-nginx-ssl-offloading/README.md b/oss-terraform-automation/2-nginx-ssl-offloading/README.md
@@ -91,6 +91,7 @@ This guide provides instructions for setting up a GCP infrastructure with NGINX
 | keyring | Name of the keyring. |
 | location | Location of the keyring created. |
 | project\_id | ID of the GCP project being used. |
+| service\_account\_email | Service Account created and managed by Terraform. |
 | vm\_hostname | Name of the hostname created. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/oss-terraform-automation/2-nginx-ssl-offloading/outputs.tf b/oss-terraform-automation/2-nginx-ssl-offloading/outputs.tf
@@ -38,3 +38,8 @@ output "vm_hostname" {
   description = "Name of the hostname created."
   value       = module.bootstrap-kms-hsm.vm_hostname
 }
+
+output "service_account_email" {
+  description = "Service Account created and managed by Terraform."
+  value       = module.bootstrap-kms-hsm.custom_service_account_email
+}
diff --git a/oss-terraform-automation/3-cng-provider/README.md b/oss-terraform-automation/3-cng-provider/README.md
@@ -153,6 +153,7 @@ This guide provides instructions for creating a Cloud HSM key for Microsoft Auth
 | keyring | Name of the keyring. |
 | location | Location of the keyring created. |
 | project\_id | ID of the GCP project being used. |
+| service\_account\_email | Service Account created and managed by Terraform. |
 | vm\_hostname | Name of the hostname created. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/oss-terraform-automation/3-cng-provider/outputs.tf b/oss-terraform-automation/3-cng-provider/outputs.tf
@@ -38,3 +38,8 @@ output "vm_hostname" {
   description = "Name of the hostname created."
   value       = module.bootstrap-kms-hsm.vm_hostname
 }
+
+output "service_account_email" {
+  description = "Service Account created and managed by Terraform."
+  value       = module.bootstrap-kms-hsm.custom_service_account_email
+}
diff --git a/oss-terraform-automation/common/modules/bootstrap-kms-hsm/sa.tf b/oss-terraform-automation/common/modules/bootstrap-kms-hsm/sa.tf
@@ -87,3 +87,15 @@ resource "google_project_iam_member" "sa_service_account_user" {
   role    = "roles/iam.serviceAccountUser"
   member  = "serviceAccount:${local.custom_sa_email}"
 }
+
+resource "google_project_iam_member" "sa_compute_admin" {
+  project = var.project_id
+  role    = "roles/compute.admin"
+  member  = "serviceAccount:${local.custom_sa_email}"
+}
+
+resource "google_project_iam_member" "sa_iap_accessor" {
+  project = var.project_id
+  role    = "roles/iap.tunnelResourceAccessor"
+  member  = "serviceAccount:${local.custom_sa_email}"
+}
diff --git a/test/integration/oss-apache-web-server/apache_web_server_test.go b/test/integration/oss-apache-web-server/apache_web_server_test.go
@@ -0,0 +1,56 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package apache_web_server
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
+	"github.com/gruntwork-io/terratest/modules/shell"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestFakeApacheWebServerModule(t *testing.T) {
+	apacheT := tft.NewTFBlueprintTest(t)
+	apacheT.DefineVerify(func(assert *assert.Assertions) {
+		apacheT.DefaultVerify(assert)
+
+		command := shell.Command{
+			Command: "gcloud",
+			Args: []string{
+				"compute",
+				"ssh",
+				"--zone",
+				"us-central1-a",
+				fmt.Sprintf("username@%s", apacheT.GetStringOutput("vm_hostname")),
+				"--tunnel-through-iap",
+				"--project",
+				apacheT.GetStringOutput("project_id"),
+				"--impersonate-service-account",
+				apacheT.GetStringOutput("service_account_email"),
+				"--command",
+				`curl -v --insecure https://127.0.0.1`,
+			},
+		}
+
+		op, err := shell.RunCommandAndGetOutputE(t, command)
+
+		assert.Contains(op, "HTTP/1.1 200 OK", "Request must return 200")
+		assert.Contains(op, "SSL certificate verify result: self-signed certificate", "SSL must be verified")
+		assert.Nil(err)
+	})
+	apacheT.Test()
+}
diff --git a/test/integration/oss-nginx-ssl-offloading/ssl_offloading_test.go b/test/integration/oss-nginx-ssl-offloading/ssl_offloading_test.go
@@ -0,0 +1,58 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package nginx_ssl_offloading
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
+	"github.com/gruntwork-io/terratest/modules/shell"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestNginxSslOffloadingModule(t *testing.T) {
+	nginxT := tft.NewTFBlueprintTest(t)
+	nginxT.DefineVerify(func(assert *assert.Assertions) {
+		nginxT.DefaultVerify(assert)
+
+		command := shell.Command{
+			Command: "gcloud",
+			Args: []string{
+				"compute",
+				"ssh",
+				"--zone",
+				"us-central1-a",
+				fmt.Sprintf("username@%s", nginxT.GetStringOutput("vm_hostname")),
+				"--tunnel-through-iap",
+				"--project",
+				nginxT.GetStringOutput("project_id"),
+				"--impersonate-service-account",
+				nginxT.GetStringOutput("service_account_email"),
+				"--command",
+				`openssl s_client -connect localhost:443 2>&1 <<< "GET /"`,
+			},
+		}
+
+		shell.RunCommandAndGetOutputE(t, command) // GET does not output in the first execution
+		op, err := shell.RunCommandAndGetOutputE(t, command)
+
+		assert.Contains(op, "Welcome to nginx!", "GET request failed")
+		assert.Contains(op, "self-signed certificate", "SSL must be verified")
+		assert.Contains(op, "SSL handshake has read", "SSL handshake failed")
+		assert.Nil(err)
+	})
+	nginxT.Test()
+}