Clean up tests and make dev tools work better.

terraform-google-modules · Oct 11, 2019 · cc60a19 · cc60a19
1 parent c5af2f6
commit cc60a19
Show file tree

Hide file tree

Showing 12 changed files with 91 additions and 95 deletions.
diff --git a/Makefile b/Makefile
@@ -18,7 +18,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
 
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.1.0
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.4.0
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
 
@@ -76,7 +76,7 @@ docker_test_integration:
 		-e GOOGLE_APPLICATION_CREDENTIALS \
 		-v $(CURDIR):/workspace \
 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
-		/bin/bash -c 'cd test/integration/boolean_constraints && bash launch.sh; cd ../list_constraints && bash launch.sh'
+		/usr/local/bin/test_integration.sh
 
 # Generate documentation
 .PHONY: docker_generate_docs

diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml
@@ -23,14 +23,14 @@ steps:
   - 'TF_VAR_billing_account=$_BILLING_ACCOUNT'
 - id: test_list_constraints
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cd test/integration/list_constraints && bash launch.sh']
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && test_list_constraints']
   env:
     - 'TF_VAR_org_id=$_ORG_ID'
     - 'TF_VAR_folder_id=$_FOLDER_ID'
     - 'TF_VAR_billing_account=$_BILLING_ACCOUNT'
 - id: test_boolean_constraints
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cd test/integration/boolean_constraints && bash launch.sh']
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && test_boolean_constraints']
   env:
     - 'TF_VAR_org_id=$_ORG_ID'
     - 'TF_VAR_folder_id=$_FOLDER_ID'

diff --git a/test/integration/boolean_constraints/helpers.bash b/test/integration/boolean_constraints/helpers.bash
@@ -13,6 +13,10 @@ function check_boolean_policy {
   ENFORCED="$3"
   RESULT="false"
 
+  DEBUG=$(echo "$POLICY" | jq '.')
+  >&2 echo Test "$CONSTRAINT" is "$ENFORCED"
+  >&2 echo "$DEBUG"
+
   if [[ "$ENFORCED" = "true" ]]
   then
     RESULT=$(echo "$POLICY" | jq -r --arg const "$CONSTRAINT" '(.[]) | select(.constraint==$const) | .booleanPolicy.enforced==true')

diff --git a/test/integration/boolean_constraints/integration.bats b/test/integration/boolean_constraints/integration.bats
@@ -67,13 +67,13 @@ load helpers
 @test "Test constraints on organization $ORGANIZATION_ID and folder $FOLDER_EXCLUDE" {
 
   POLICY=$(gcloud beta resource-manager org-policies list --organization "$ORGANIZATION_ID" --format="json")
-  RESULT=$(check_boolean_policy "$ORG_CONSTRAINT" "$POLICY" "true")
+  RESULT=$(check_boolean_policy "$ORG_CONSTRAINT_BOOL" "$POLICY" "true")
   run echo "$RESULT"
   [ "$status" -eq 0 ]
   [[ "$output" = "true" ]]
 
   POLICY=$(gcloud beta resource-manager org-policies list --folder "$FOLDER_EXCLUDE" --format="json")
-  RESULT=$(check_boolean_policy "$ORG_CONSTRAINT" "$POLICY" "false")
+  RESULT=$(check_boolean_policy "$ORG_CONSTRAINT_BOOL" "$POLICY" "false")
   run echo "$RESULT"
   [ "$status" -eq 0 ]
   [[ "$output" = "true" ]]

diff --git a/test/integration/boolean_constraints/launch.sh b/test/integration/boolean_constraints/launch.sh
@@ -16,14 +16,9 @@
 # VARIABLES
 
 # Constraints
-PROJECT_CONSTRAINT='constraints/compute.disableSerialPortAccess'
-FOLDER_CONSTRAINT='constraints/compute.restrictXpnProjectLienRemval'
-ORG_CONSTRAINT_BOOL='constraints/compute.disableSerialPortAccess'
-
-# Dynamic vars, generated by `maeke_source.sh`
-# shellcheck disable=SC1091
-. ../../source.sh
-grep -v "qazwsk" ../../source.sh
+export PROJECT_CONSTRAINT='constraints/compute.disableSerialPortAccess'
+export FOLDER_CONSTRAINT='constraints/compute.restrictXpnProjectLienRemoval'
+export ORG_CONSTRAINT_BOOL='constraints/compute.disableSerialPortAccess'
 
 # Make sure required vars are defined
 # shellcheck disable=SC2153
@@ -32,17 +27,11 @@ if [[ -z "$FOLDER_1_ID" || -z "$PROJECT_ID" || -z "$PROJECT_EXCLUDE" || -z "$FOL
     env
     exit 3
 fi
+
 # shellcheck disable=SC2155,SC2153
 export FOLDER_ID=$(echo "${FOLDER_1_ID}" | awk -F / '{print $2}')
-# shellcheck disable=SC2154
-export ORGANIZATION_ID="${TF_VAR_org_id}"
 # shellcheck disable=SC2155,SC2153
-export FOLDER_EXCLUDE=$(echo "${FOLDER_2_ID}" | awk -F / '{print $2}')
-
-# initialize helpers and set credentials
-source /usr/local/bin/task_helper_functions.sh && init_credentials_if_found
-
-[[ -z "$GOOGLE_CREDENTIALS" || -z "$GOOGLE_APPLICATION_CREDENTIALS" ]] && echo "Please define Google credentials" && exit 3
+export FOLDER_EXCLUDE=$(echo "${FOLDER_EXCLUDE}" | awk -F / '{print $2}')
 
 #################################################################
 #   FUNCTIONS FOR PREPARING WORKSPACE AND CALLING BATS          #
@@ -86,6 +75,7 @@ module "org-policy-boolean-folder" {
   exclude_projects = ["$PROJECT_EXCLUDE"]
 }
 
+
 module "org-policy-boolean-org" {
   source = "../../../"
 
@@ -108,17 +98,11 @@ EOF
 clean_workdir
 create_main_tf_file
 
-# Make sure bats is installed
-bats -v || (git clone https://github.com/sstephenson/bats.git && cd bats && ./install.sh /usr/local && cd - && rm -rf bats)
-
 # Call to bats
 echo "Test to execute: $(bats integration.bats -c)"
 bats integration.bats
 bats_exitcode=$?
 
-export CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=""
-unset CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE
-
 # Clean the environment
 clean_workdir
 echo "Integration test finished"

diff --git a/test/integration/list_constraints/integration.bats b/test/integration/list_constraints/integration.bats
@@ -22,7 +22,7 @@ load helpers
 
   run terraform plan
   [ "$status" -eq 0 ]
-  [[ "$output" =~ 7\ to\ add ]]
+  [[ "$output" =~ 6\ to\ add ]]
   [[ "$output" =~ 0\ to\ change ]]
   [[ "$output" =~ 0\ to\ destroy ]]
 }
@@ -32,7 +32,7 @@ load helpers
   run terraform apply -auto-approve -parallelism=1
 
   [ "$status" -eq 0 ]
-  [[ "$output" =~ 7\ added ]]
+  [[ "$output" =~ 6\ added ]]
   [[ "$output" =~ 0\ changed ]]
   [[ "$output" =~ 0\ destroyed ]]
 }
@@ -59,16 +59,6 @@ load helpers
   [[ "$output" = "true" ]]
 }
 
-@test "Test constraints on organization $ORGANIZATION_ID (restrict values) constraining $ORG_RESTRICT_DOMAIN_CONSTRAINT to $ORG_RESTRICT_DOMAIN_CONSTRAINT_VALUE_1" {
-
-  POLICY=$(gcloud beta resource-manager org-policies list --organization "$ORGANIZATION_ID" --format="json")
-  RESULT=$(check_list_policy_values "$ORG_RESTRICT_DOMAIN_CONSTRAINT" "$POLICY" "allow" "$ORG_RESTRICT_DOMAIN_CONSTRAINT_VALUE_1")
-  run echo "$RESULT"
-  [ "$status" -eq 0 ]
-  [[ "$output" = "true" ]]
-
-}
-
 @test "Test constraints on organization $ORGANIZATION_ID (deny values) and project $PROJECT_EXCLUDE and folder $FOLDER_EXCLUDE (exclusions)" {
 
   POLICY=$(gcloud beta resource-manager org-policies list --organization "$ORGANIZATION_ID" --format="json")
@@ -107,5 +97,5 @@ load helpers
 
   run terraform destroy -force
   [ "$status" -eq 0 ]
-  [[ "$output" =~ 7\ destroyed ]]
+  [[ "$output" =~ 6\ destroyed ]]
 }
diff --git a/test/integration/list_constraints/launch.sh b/test/integration/list_constraints/launch.sh
@@ -16,20 +16,12 @@
 # VARIABLES
 
 # Constraints
-PROJECT_CONSTRAINT_DENY_ALL='constraints/compute.trustedImageProjects'
-FOLDER_CONSTRAINT_ALLOW_ALL='constraints/compute.trustedImageProjects'
-ORG_CONSTRAINT='constraints/serviceuser.services'
-ORG_CONSTRAINT_VALUE_1='doubleclicksearch.googleapis.com'
-ORG_CONSTRAINT_VALUE_2='resourceviews.googleapis.com'
-ORG_RESTRICT_DOMAIN_CONSTRAINT='constraints/iam.allowedPolicyMemberDomains'
-ORG_RESTRICT_DOMAIN_CONSTRAINT_VALUE_1='C00u46n4k'
-FOLDER_2_CONSTRAINT='constraints/compute.trustedImageProjects'
-
-# Dynamic vars, generated by `maeke_source.sh`
-# shellcheck disable=SC1091
-. ../../source.sh
-
-grep -v "qazwsk" ../../source.sh
+export PROJECT_CONSTRAINT_DENY_ALL='constraints/compute.trustedImageProjects'
+export FOLDER_CONSTRAINT_ALLOW_ALL='constraints/compute.trustedImageProjects'
+export ORG_CONSTRAINT='constraints/serviceuser.services'
+export ORG_CONSTRAINT_VALUE_1='doubleclicksearch.googleapis.com'
+export ORG_CONSTRAINT_VALUE_2='resourceviews.googleapis.com'
+export FOLDER_2_CONSTRAINT='constraints/compute.trustedImageProjects'
 
 # Make sure required vars are defined
 # shellcheck disable=SC2153
@@ -40,17 +32,10 @@ if [[ -z "$FOLDER_1_ID" || -z "$FOLDER_2_ID" || -z "$PROJECT_ID" || -z "$PROJECT
 fi
 # shellcheck disable=SC2155
 export FOLDER_ID=$(echo "${FOLDER_1_ID}" | awk -F / '{print $2}')
-# shellcheck disable=SC2154
-export ORGANIZATION_ID="${TF_VAR_org_id}"
 # shellcheck disable=SC2155,SC2153
 export FOLDER_2_ID=$(echo "${FOLDER_2_ID}" | awk -F / '{print $2}')
-
-env
-
-# initialize helpers and set credentials
-source /usr/local/bin/task_helper_functions.sh && init_credentials_if_found
-
-[[ -z "$GOOGLE_CREDENTIALS" || -z "$GOOGLE_APPLICATION_CREDENTIALS" ]] && echo "Please define Google credentials" && exit 3
+# shellcheck disable=SC2155,SC2153
+export FOLDER_EXCLUDE=$(echo "${FOLDER_EXCLUDE}" | awk -F / '{print $2}')
 
 #################################################################
 #   FUNCTIONS FOR PREPARING WORKSPACE AND CALLING BATS          #
@@ -74,16 +59,6 @@ provider "google" {
   version     = "~> 2.5.0"
 }
 
-module "org-policy-restrict-domain" {
-  source = "../../../"
-
-  organization_id  = "$ORGANIZATION_ID"
-  constraint       = "$ORG_RESTRICT_DOMAIN_CONSTRAINT"
-  policy_type      = "list"
-  allow            = ["$ORG_RESTRICT_DOMAIN_CONSTRAINT_VALUE_1"]
-  allow_list_length = "1"
-}
-
 module "org-policy-list-project" {
   source = "../../../"
 
@@ -139,17 +114,11 @@ EOF
 clean_workdir
 create_main_tf_file
 
-# Make sure bats is installed
-bats -v || (git clone https://github.com/sstephenson/bats.git && cd bats && ./install.sh /usr/local && cd - && rm -rf bats)
-
 # Call to bats
 echo "Test to execute: $(bats integration.bats -c)"
 bats integration.bats
 bats_exitcode=$?
 
-export CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=""
-unset CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE
-
 # Clean the environment
 clean_workdir
 echo "Integration test finished"

diff --git a/test/setup/iam.tf b/test/setup/iam.tf
@@ -22,21 +22,8 @@ locals {
   organization_roles = [
     "roles/orgpolicy.policyAdmin"
   ]
-
-  folders = [
-    "1_0d419896c29",
-    "2_0d419896c29",
-  ]
-}
-
-resource "google_folder" "org_policy" {
-  for_each = toset(local.folders)
-
-  display_name = "ci-org-policy-${each.value}"
-  parent       = "folders/${var.folder_id}"
 }
 
-
 resource "google_service_account" "int_test" {
   project      = module.project.project_id
   account_id   = "ci-account"

diff --git a/test/setup/main.tf b/test/setup/main.tf
@@ -48,6 +48,20 @@ module "project_exclude" {
   ]
 }
 
+resource "random_id" "folders" {
+  byte_length = 8
+}
+
+resource "google_folder" "org_policy_1" {
+  display_name = "test-folder-1-${random_id.folders.hex}"
+  parent       = "folders/${var.folder_id}"
+}
+
+resource "google_folder" "org_policy_2" {
+  display_name = "test-folder-2-${random_id.folders.hex}"
+  parent       = "folders/${var.folder_id}"
+}
+
 resource "null_resource" "wait_apis" {
   # Adding a pause as a workaround for of the provider issue
   # https://github.com/terraform-providers/terraform-provider-google/issues/1131

diff --git a/test/setup/make_source.sh b/test/setup/make_source.sh
@@ -14,6 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+organization_id=$(terraform output org_id)
 project_id=$(terraform output project_id)
 sa_json=$(terraform output sa_key)
 folder_1_id=$(terraform output folder_1_id)
@@ -22,6 +23,7 @@ project_exclude=$(terraform output project_exclude_id)
 
 # shellcheck disable=SC2086,SC2154
 { echo "export TF_VAR_project_id='$project_id'"; \
+echo "export ORGANIZATION_ID='$organization_id'"; \
 echo "export FOLDER_EXCLUDE='$folder_2_id'"; \
 echo "export FOLDER_1_ID='$folder_1_id'"; \
 echo "export FOLDER_2_ID='$folder_2_id'"; \

diff --git a/test/setup/outputs.tf b/test/setup/outputs.tf
@@ -14,6 +14,10 @@
  * limitations under the License.
  */
 
+output "org_id" {
+  value = var.org_id
+}
+
 output "project_id" {
   value = module.project.project_id
 }
@@ -23,11 +27,11 @@ output "project_exclude_id" {
 }
 
 output "folder_1_id" {
-  value = google_folder.org_policy[local.folders[0]].id
+  value = google_folder.org_policy_1.id
 }
 
 output "folder_2_id" {
-  value = google_folder.org_policy[local.folders[1]].id
+  value = google_folder.org_policy_2.id
 }
 
 output "sa_key" {

diff --git a/test/task_helper_functions.sh b/test/task_helper_functions.sh
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+test_list_constraints() {
+  source_test_env
+  init_credentials
+  cd test/integration/list_constraints
+  bash launch.sh
+  cd -
+}
+
+test_boolean_constraints() {
+  source_test_env
+  init_credentials
+  cd test/integration/boolean_constraints
+  bash launch.sh
+  cd -
+}
+
+run_integration_tests() {
+  test_list_constraints
+  test_boolean_constraints
+}
+
+finish_integration() {
+  local rv=$?
+  finish
+  exit "${rv}"
+}