From 890022e02a7347d6db9a8ce3bbb83b954cdd7e98 Mon Sep 17 00:00:00 2001
From: Luke Pezet
Date: Thu, 1 Aug 2024 22:36:03 -0600
Subject: [PATCH 1/3] Commented out/removed sourcerepo.googleapis.com API.

---
 0-bootstrap/cb.tf | 2 +-
 .../shared/example_infra_pipeline.tf | 2 +-
 .../serviceusage_allow_basic_apis.yaml | 87 +++++++++----------
 test/integration/bootstrap/bootstrap_test.go | 32 +++----
 .../projects-shared/projects_shared_test.go | 2 +-
 test/setup/main.tf | 2 +-
 6 files changed, 64 insertions(+), 63 deletions(-)

diff --git a/0-bootstrap/cb.tf b/0-bootstrap/cb.tf
index 8c2ba91b4..700d2bd68 100644
--- a/0-bootstrap/cb.tf
+++ b/0-bootstrap/cb.tf
@@ -103,7 +103,7 @@ module "tf_source" {
 "logging.googleapis.com",
 "iam.googleapis.com",
 "admin.googleapis.com",
- "sourcerepo.googleapis.com",
+ // "sourcerepo.googleapis.com", // issue #1309: Docker tests fail due to CSR dependency
 "workflows.googleapis.com",
 "artifactregistry.googleapis.com",
 "cloudbuild.googleapis.com",
diff --git a/4-projects/business_unit_1/shared/example_infra_pipeline.tf b/4-projects/business_unit_1/shared/example_infra_pipeline.tf
index 7b09e6cd6..2cb1ec1ff 100644
--- a/4-projects/business_unit_1/shared/example_infra_pipeline.tf
+++ b/4-projects/business_unit_1/shared/example_infra_pipeline.tf
@@ -30,7 +30,7 @@ module "app_infra_cloudbuild_project" {
 project_prefix = local.project_prefix
 activate_apis = [
 "cloudbuild.googleapis.com",
- "sourcerepo.googleapis.com",
+ // "sourcerepo.googleapis.com",
 "cloudkms.googleapis.com",
 "iam.googleapis.com",
 "artifactregistry.googleapis.com",
diff --git a/policy-library/policies/constraints/serviceusage_allow_basic_apis.yaml b/policy-library/policies/constraints/serviceusage_allow_basic_apis.yaml
index 9e42f0e4c..97eda5d12 100644
--- a/policy-library/policies/constraints/serviceusage_allow_basic_apis.yaml
+++ b/policy-library/policies/constraints/serviceusage_allow_basic_apis.yaml
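Review bot: Dropping `sourcerepo.googleapis.com` from `activate_apis` is not a no-op for an existing bootstrap project: the module presumably manages one `google_project_service` per entry, so the next apply removes that resource and disables the API, while the bootstrap test's now commented-out `source repos describe` loop shows the project still hosts Cloud Source Repositories such as `gcp-org` and `gcp-bootstrap` — confirm those repositories and any CSR-backed Cloud Build triggers are removed or gated before this lands, and the same applies to the matching edits in example_infra_pipeline.tf and test/setup/main.tf. Keeping the entry as a commented-out line leaves dead configuration behind; since issue #1309 already tracks the reason, delete the line and record the rationale once above the list, e.g. `# sourcerepo.googleapis.com intentionally omitted: Docker tests fail due to CSR dependency (issue #1309)`. `#` is HCL's idiomatic line comment and `terraform fmt` may rewrite `//`. The `tf_source` module block starts and ends outside the hunk.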
@@ -23,51 +23,50 @@ spec:
 severity: high
 match:
 target: # {"$ref":"#/definitions/io.k8s.cli.setters.target"}
- - "organizations/**"
+ - "organizations/**"
 exclude: []
 parameters:
 mode: allow
 services:
- - "accesscontextmanager.googleapis.com"
- - "admin.googleapis.com"
- - "appengine.googleapis.com"
- - "artifactregistry.googleapis.com"
- - "bigquery-json.googleapis.com"
- - "bigquery.googleapis.com"
- - "billingbudgets.googleapis.com"
- - "cloudapis.googleapis.com"
- - "cloudasset.googleapis.com"
- - "cloudbilling.googleapis.com"
- - "cloudbuild.googleapis.com"
- - "clouddebugger.googleapis.com"
- - "cloudkms.googleapis.com"
- - "cloudresourcemanager.googleapis.com"
- - "cloudscheduler.googleapis.com"
- - "cloudtrace.googleapis.com"
- - "compute.googleapis.com"
- - "container.googleapis.com"
- - "datastore.googleapis.com"
- - "dns.googleapis.com"
- - "essentialcontacts.googleapis.com"
- - "iam.googleapis.com"
- - "iamcredentials.googleapis.com"
- - "logging.googleapis.com"
- - "monitoring.googleapis.com"
- - "oslogin.googleapis.com"
- - "pubsub.googleapis.com"
- - "secretmanager.googleapis.com"
- - "securitycenter.googleapis.com"
- - "servicemanagement.googleapis.com"
- - "servicenetworking.googleapis.com"
- - "serviceusage.googleapis.com"
- - "sourcerepo.googleapis.com"
- - "sql-component.googleapis.com"
- - "storage-api.googleapis.com"
- - "storage-component.googleapis.com"
- - "workflows.googleapis.com"
- - "assuredworkloads.googleapis.com"
- - "sts.googleapis.com"
- - "cloudfunctions.googleapis.com"
- - "storage.googleapis.com"
- - "run.googleapis.com"
- - "eventarc.googleapis.com"
+ - "accesscontextmanager.googleapis.com"
+ - "admin.googleapis.com"
+ - "appengine.googleapis.com"
+ - "artifactregistry.googleapis.com"
+ - "bigquery-json.googleapis.com"
+ - "bigquery.googleapis.com"
+ - "billingbudgets.googleapis.com"
+ - "cloudapis.googleapis.com"
+ - "cloudasset.googleapis.com"
+ - "cloudbilling.googleapis.com"
+ - "cloudbuild.googleapis.com"
+ - "clouddebugger.googleapis.com"
+ - "cloudkms.googleapis.com"
+ - "cloudresourcemanager.googleapis.com"
+ - "cloudscheduler.googleapis.com"
+ - "cloudtrace.googleapis.com"
+ - "compute.googleapis.com"
+ - "container.googleapis.com"
+ - "datastore.googleapis.com"
+ - "dns.googleapis.com"
+ - "essentialcontacts.googleapis.com"
+ - "iam.googleapis.com"
+ - "iamcredentials.googleapis.com"
+ - "logging.googleapis.com"
+ - "monitoring.googleapis.com"
+ - "oslogin.googleapis.com"
+ - "pubsub.googleapis.com"
+ - "secretmanager.googleapis.com"
+ - "securitycenter.googleapis.com"
+ - "servicemanagement.googleapis.com"
+ - "servicenetworking.googleapis.com"
+ - "serviceusage.googleapis.com"
+ - "sql-component.googleapis.com"
+ - "storage-api.googleapis.com"
+ - "storage-component.googleapis.com"
+ - "workflows.googleapis.com"
+ - "assuredworkloads.googleapis.com"
+ - "sts.googleapis.com"
+ - "cloudfunctions.googleapis.com"
+ - "storage.googleapis.com"
+ - "run.googleapis.com"
+ - "eventarc.googleapis.com"
diff --git a/test/integration/bootstrap/bootstrap_test.go b/test/integration/bootstrap/bootstrap_test.go
index 41e46466b..b49bcd32c 100644
--- a/test/integration/bootstrap/bootstrap_test.go
+++ b/test/integration/bootstrap/bootstrap_test.go
@@ -62,15 +62,16 @@ func TestBootstrap(t *testing.T) {
 tft.WithPolicyLibraryPath("/workspace/policy-library", temp.GetTFSetupStringOutput("project_id")),
 )
 
- cloudSourceRepos := []string{
- "gcp-org",
- "gcp-environments",
- "gcp-networks",
- "gcp-projects",
- "gcp-policies",
- "tf-cloudbuilder",
- "gcp-bootstrap",
- }
+ // issue #1309: Docker tests fail due to CSR dependency
+ // cloudSourceRepos := []string{
+ // "gcp-org",
+ // "gcp-environments",
+ // "gcp-networks",
+ // "gcp-projects",
+ // "gcp-policies",
+ // "tf-cloudbuilder",
+ // "gcp-bootstrap",
+ // }
 
 triggerRepos := []string{
 "gcp-bootstrap",
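Review bot: The single semantic change in this hunk, removing `sourcerepo.googleapis.com` from the org-wide `serviceusage_allow_basic_apis` allow-list, is buried in a re-indent of the whole `services` list and of the `- "organizations/**"` target line, so the policy change cannot be reviewed line by line and the indentation shift under `target:` cannot be verified as structure-preserving from the diff. Because the constraint is `mode: allow` scoped to `organizations/**`, dropping an API from it would make any project that still has Cloud Source Repositories enabled fail policy validation, a much broader effect than the test fix the series is for. PATCH 3/3 restores this file to blob 9e42f0e4c, so squash the series so the policy-library churn never enters history; if the entry ever has to go, make it a one-line change with the indentation untouched.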
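Review bot: Commenting out `cloudSourceRepos` here, and the `source repos describe` loop in the later `@@ -207,11 +208,12 @@` hunk of this file, leaves blocks of dead code in the test that gocritic's commentedOutCode check will flag; git history and issue #1309 preserve them, so delete both blocks and keep at most a one-line `// Cloud Source Repository checks removed, see issue #1309`. The trigger assertions that follow still iterate `triggerRepos` (`gcp-bootstrap`, …), the same names as the repositories dropped from this check, so if those Cloud Build triggers are CSR-backed the test presumably still depends on the API that the Terraform side of this series disables — confirm against the trigger assertions, which are outside the hunk. TestBootstrap starts and ends outside the hunk.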
@@ -111,7 +112,7 @@ func TestBootstrap(t *testing.T) {
 "storage-api.googleapis.com",
 "serviceusage.googleapis.com",
 "cloudbuild.googleapis.com",
- "sourcerepo.googleapis.com",
+ // "sourcerepo.googleapis.com", // issue #1309: Docker tests fail due to CSR dependency
 "cloudkms.googleapis.com",
 "bigquery.googleapis.com",
 "accesscontextmanager.googleapis.com",
@@ -207,11 +208,12 @@ func TestBootstrap(t *testing.T) {
 assert.Equal(logsBktName[bkts.env], fmt.Sprintf("bkt-%s-%s-build-logs", cbProjectID, bkts.repo))
 }
 
- for _, repo := range cloudSourceRepos {
- sourceRepoFullName := fmt.Sprintf("projects/%s/repos/%s", cbProjectID, repo)
- sourceRepo := gcloud.Runf(t, "source repos describe %s --project %s", repo, cbProjectID)
- assert.Equal(sourceRepoFullName, sourceRepo.Get("name").String(), fmt.Sprintf("repository %s should exist", repo))
- }
+ // issue #1309: Docker tests fail due to CSR dependency
+ // for _, repo := range cloudSourceRepos {
+ // sourceRepoFullName := fmt.Sprintf("projects/%s/repos/%s", cbProjectID, repo)
+ // sourceRepo := gcloud.Runf(t, "source repos describe %s --project %s", repo, cbProjectID)
+ // assert.Equal(sourceRepoFullName, sourceRepo.Get("name").String(), fmt.Sprintf("repository %s should exist", repo))
+ // }
 
 for _, triggerRepo := range triggerRepos {
 for _, filter := range []string{
diff --git a/test/integration/projects-shared/projects_shared_test.go b/test/integration/projects-shared/projects_shared_test.go
index 71c14681d..05ef12a45 100644
--- a/test/integration/projects-shared/projects_shared_test.go
+++ b/test/integration/projects-shared/projects_shared_test.go
@@ -46,7 +46,7 @@ func TestProjectsShared(t *testing.T) {
 
 var sharedApisEnabled = []string{
 "cloudbuild.googleapis.com",
- "sourcerepo.googleapis.com",
+ // "sourcerepo.googleapis.com",
 "cloudkms.googleapis.com",
 }
diff --git a/test/setup/main.tf b/test/setup/main.tf
index 7b85df91d..3921670d8 100644
--- a/test/setup/main.tf
+++ b/test/setup/main.tf
@@ -62,7 +62,7 @@ module "project" {
 "storage-api.googleapis.com",
 "serviceusage.googleapis.com",
 "cloudbuild.googleapis.com",
- "sourcerepo.googleapis.com",
+ // "sourcerepo.googleapis.com", // issue #1309: Docker tests fail due to CSR dependency
 "cloudkms.googleapis.com",
 "bigquery.googleapis.com",
 "accesscontextmanager.googleapis.com",

From bb6385526688bccbe6cd5d95bd3640fb5f9d661e Mon Sep 17 00:00:00 2001
From: Luke Pezet
Date: Thu, 1 Aug 2024 22:40:02 -0600
Subject: [PATCH 2/3] Comments added.

---
 4-projects/business_unit_1/shared/example_infra_pipeline.tf | 2 +-
 test/integration/projects-shared/projects_shared_test.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/4-projects/business_unit_1/shared/example_infra_pipeline.tf b/4-projects/business_unit_1/shared/example_infra_pipeline.tf
index 2cb1ec1ff..e23e042f9 100644
--- a/4-projects/business_unit_1/shared/example_infra_pipeline.tf
+++ b/4-projects/business_unit_1/shared/example_infra_pipeline.tf
@@ -30,7 +30,7 @@ module "app_infra_cloudbuild_project" {
 project_prefix = local.project_prefix
 activate_apis = [
 "cloudbuild.googleapis.com",
- // "sourcerepo.googleapis.com",
+ // "sourcerepo.googleapis.com", // issue #1309: Docker tests fail due to CSR dependency
 "cloudkms.googleapis.com",
 "iam.googleapis.com",
 "artifactregistry.googleapis.com",
diff --git a/test/integration/projects-shared/projects_shared_test.go b/test/integration/projects-shared/projects_shared_test.go
index 05ef12a45..fddc72f76 100644
--- a/test/integration/projects-shared/projects_shared_test.go
+++ b/test/integration/projects-shared/projects_shared_test.go
@@ -46,7 +46,7 @@ func TestProjectsShared(t *testing.T) {
 
 var sharedApisEnabled = []string{
 "cloudbuild.googleapis.com",
- // "sourcerepo.googleapis.com",
+ // "sourcerepo.googleapis.com", // issue #1309: Docker tests fail due to CSR dependency
 "cloudkms.googleapis.com",
 }

From 7f68fcc9b4ff379167e0c99d9dd27ce20aafc57c Mon Sep 17 00:00:00 2001
From: Luke Pezet
Date: Tue, 6 Aug 2024 20:53:47 -0600
Subject: [PATCH 3/3] Reverted changes to policy-library/policies/constraints/serviceusage_allow_basic_apis.yaml.

---
 .../serviceusage_allow_basic_apis.yaml | 87 ++++++++++---------
 1 file changed, 44 insertions(+), 43 deletions(-)

diff --git a/policy-library/policies/constraints/serviceusage_allow_basic_apis.yaml b/policy-library/policies/constraints/serviceusage_allow_basic_apis.yaml
index 97eda5d12..9e42f0e4c 100644
--- a/policy-library/policies/constraints/serviceusage_allow_basic_apis.yaml
+++ b/policy-library/policies/constraints/serviceusage_allow_basic_apis.yaml
@@ -23,50 +23,51 @@ spec:
 severity: high
 match:
 target: # {"$ref":"#/definitions/io.k8s.cli.setters.target"}
- - "organizations/**"
+ - "organizations/**"
 exclude: []
 parameters:
 mode: allow
 services:
- - "accesscontextmanager.googleapis.com"
- - "admin.googleapis.com"
- - "appengine.googleapis.com"
- - "artifactregistry.googleapis.com"
- - "bigquery-json.googleapis.com"
- - "bigquery.googleapis.com"
- - "billingbudgets.googleapis.com"
- - "cloudapis.googleapis.com"
- - "cloudasset.googleapis.com"
- - "cloudbilling.googleapis.com"
- - "cloudbuild.googleapis.com"
- - "clouddebugger.googleapis.com"
- - "cloudkms.googleapis.com"
- - "cloudresourcemanager.googleapis.com"
- - "cloudscheduler.googleapis.com"
- - "cloudtrace.googleapis.com"
- - "compute.googleapis.com"
- - "container.googleapis.com"
- - "datastore.googleapis.com"
- - "dns.googleapis.com"
- - "essentialcontacts.googleapis.com"
- - "iam.googleapis.com"
- - "iamcredentials.googleapis.com"
- - "logging.googleapis.com"
- - "monitoring.googleapis.com"
- - "oslogin.googleapis.com"
- - "pubsub.googleapis.com"
- - "secretmanager.googleapis.com"
- - "securitycenter.googleapis.com"
- - "servicemanagement.googleapis.com"
- - "servicenetworking.googleapis.com"
- - "serviceusage.googleapis.com"
- - "sql-component.googleapis.com"
- - "storage-api.googleapis.com"
- - "storage-component.googleapis.com"
- - "workflows.googleapis.com"
- - "assuredworkloads.googleapis.com"
- - "sts.googleapis.com"
- - "cloudfunctions.googleapis.com"
- - "storage.googleapis.com"
- - "run.googleapis.com"
- - "eventarc.googleapis.com"
+ - "accesscontextmanager.googleapis.com"
+ - "admin.googleapis.com"
+ - "appengine.googleapis.com"
+ - "artifactregistry.googleapis.com"
+ - "bigquery-json.googleapis.com"
+ - "bigquery.googleapis.com"
+ - "billingbudgets.googleapis.com"
+ - "cloudapis.googleapis.com"
+ - "cloudasset.googleapis.com"
+ - "cloudbilling.googleapis.com"
+ - "cloudbuild.googleapis.com"
+ - "clouddebugger.googleapis.com"
+ - "cloudkms.googleapis.com"
+ - "cloudresourcemanager.googleapis.com"
+ - "cloudscheduler.googleapis.com"
+ - "cloudtrace.googleapis.com"
+ - "compute.googleapis.com"
+ - "container.googleapis.com"
+ - "datastore.googleapis.com"
+ - "dns.googleapis.com"
+ - "essentialcontacts.googleapis.com"
+ - "iam.googleapis.com"
+ - "iamcredentials.googleapis.com"
+ - "logging.googleapis.com"
+ - "monitoring.googleapis.com"
+ - "oslogin.googleapis.com"
+ - "pubsub.googleapis.com"
+ - "secretmanager.googleapis.com"
+ - "securitycenter.googleapis.com"
+ - "servicemanagement.googleapis.com"
+ - "servicenetworking.googleapis.com"
+ - "serviceusage.googleapis.com"
+ - "sourcerepo.googleapis.com"
+ - "sql-component.googleapis.com"
+ - "storage-api.googleapis.com"
+ - "storage-component.googleapis.com"
+ - "workflows.googleapis.com"
+ - "assuredworkloads.googleapis.com"
+ - "sts.googleapis.com"
+ - "cloudfunctions.googleapis.com"
+ - "storage.googleapis.com"
+ - "run.googleapis.com"
+ - "eventarc.googleapis.com"