From c5af2f6a7ad179a9d0d34054a7da459f45f9bbd0 Mon Sep 17 00:00:00 2001
From: Morgante Pell
Date: Thu, 10 Oct 2019 21:36:14 -0400
Subject: [PATCH 1/2] Add docker_test_prepare and docker_test_cleanup to Makefile

---
 Makefile | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/Makefile b/Makefile
index 01f9d26..98dad2f 100644
--- a/Makefile
+++ b/Makefile
@@ -31,6 +31,30 @@ docker_run:
 $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
 /bin/bash
 
+# Execute prepare tests within the docker container
+.PHONY: docker_test_prepare
+docker_test_prepare:
+ docker run --rm -it \
+ -e SERVICE_ACCOUNT_JSON \
+ -e TF_VAR_org_id \
+ -e TF_VAR_folder_id \
+ -e TF_VAR_billing_account \
+ -v $(CURDIR):/workspace \
+ $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
+ /usr/local/bin/execute_with_credentials.sh prepare_environment
+
+# Clean up test environment within the docker container
+.PHONY: docker_test_cleanup
+docker_test_cleanup:
+ docker run --rm -it \
+ -e SERVICE_ACCOUNT_JSON \
+ -e TF_VAR_org_id \
+ -e TF_VAR_folder_id \
+ -e TF_VAR_billing_account \
+ -v $(CURDIR):/workspace \
+ $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
+ /usr/local/bin/execute_with_credentials.sh cleanup_environment
+
 # Execute lint tests within the docker container
 .PHONY: docker_test_lint
 docker_test_lint:
From cc60a19d730e52a238c212107aebe3eb1cd984ab Mon Sep 17 00:00:00 2001
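Review bot: docker_test_prepare and docker_test_cleanup are byte-for-byte copies except for the final argument to execute_with_credentials.sh, so the container invocation — image reference, the four `-e` pass-throughs and the workspace mount — is now duplicated and will drift the first time one copy gains a flag; a single variable holding the invocation lets each target state only its command. Both recipes also pass `-it`, which requests a TTY and makes `docker run` fail with "the input device is not a TTY" when the target is run from CI or any other non-interactive shell; `-i` is enough for a command that only needs stdin. The comment `# Execute prepare tests within the docker container` misdescribes the target — it prepares the test environment rather than running tests — and could read `# Prepare the integration-test environment (prepare_environment) inside the developer-tools container`. The docker_test_lint rule that closes the hunk continues outside it.
```make
# One definition of the developer-tools container invocation; each target appends only its command.
DOCKER_RUN_DEV_TOOLS := docker run --rm -i \
	-e SERVICE_ACCOUNT_JSON \
	-e TF_VAR_org_id \
	-e TF_VAR_folder_id \
	-e TF_VAR_billing_account \
	-v $(CURDIR):/workspace \
	$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS}

# Prepare the integration-test environment inside the developer-tools container
.PHONY: docker_test_prepare
docker_test_prepare:
	$(DOCKER_RUN_DEV_TOOLS) /usr/local/bin/execute_with_credentials.sh prepare_environment

# Tear down the integration-test environment inside the developer-tools container
.PHONY: docker_test_cleanup
docker_test_cleanup:
	$(DOCKER_RUN_DEV_TOOLS) /usr/local/bin/execute_with_credentials.sh cleanup_environment
```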
From: Morgante Pell
Date: Thu, 10 Oct 2019 22:04:53 -0400
Subject: [PATCH 2/2] Clean up tests and make dev tools work better.

---
 Makefile | 4 +-
 build/int.cloudbuild.yaml | 4 +-
 .../boolean_constraints/helpers.bash | 4 ++
 .../boolean_constraints/integration.bats | 4 +-
 .../integration/boolean_constraints/launch.sh | 28 +++--------
 .../list_constraints/integration.bats | 16 ++-----
 test/integration/list_constraints/launch.sh | 47 ++++---------------
 test/setup/iam.tf | 13 -----
 test/setup/main.tf | 14 ++++++
 test/setup/make_source.sh | 2 +
 test/setup/outputs.tf | 8 +++-
 test/task_helper_functions.sh | 42 +++++++++++++++++
 12 files changed, 91 insertions(+), 95 deletions(-)
 create mode 100644 test/task_helper_functions.sh

diff --git a/Makefile b/Makefile
index 98dad2f..e53fdd3 100644
--- a/Makefile
+++ b/Makefile
@@ -18,7 +18,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
 
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.1.0
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.4.0
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
 
@@ -76,7 +76,7 @@ docker_test_integration:
 -e GOOGLE_APPLICATION_CREDENTIALS \
 -v $(CURDIR):/workspace \
 $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
- /bin/bash -c 'cd test/integration/boolean_constraints && bash launch.sh; cd ../list_constraints && bash launch.sh'
+ /usr/local/bin/test_integration.sh
 
 # Generate documentation
 .PHONY: docker_generate_docs
diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml
index 45b7e83..1aed1ae 100644
--- a/build/int.cloudbuild.yaml
+++ b/build/int.cloudbuild.yaml
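Review bot: The recipe now invokes `/usr/local/bin/test_integration.sh`, which is not part of this repository but of the developer-tools image pinned to 0.4.0 in the hunk above, while the `run_integration_tests` function added in test/task_helper_functions.sh by this same commit is called by nothing visible here; how the two connect (presumably the image script sources the repository helper) deserves a comment above the target, e.g. `# test_integration.sh ships in the developer-tools image and is expected to source test/task_helper_functions.sh`. The replaced one-liner joined the two suites with `;`, so only the second suite's exit status ever reached make; whether the new script stops at the first failing suite is not visible in this diff and is worth confirming, since this target is what developers run before pushing. The docker_test_integration recipe starts before the hunk.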
@@ -23,14 +23,14 @@ steps:
 - 'TF_VAR_billing_account=$_BILLING_ACCOUNT'
 - id: test_list_constraints
 name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'cd test/integration/list_constraints && bash launch.sh']
+ args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && test_list_constraints']
 env:
 - 'TF_VAR_org_id=$_ORG_ID'
 - 'TF_VAR_folder_id=$_FOLDER_ID'
 - 'TF_VAR_billing_account=$_BILLING_ACCOUNT'
 - id: test_boolean_constraints
 name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'cd test/integration/boolean_constraints && bash launch.sh']
+ args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && test_boolean_constraints']
 env:
 - 'TF_VAR_org_id=$_ORG_ID'
 - 'TF_VAR_folder_id=$_FOLDER_ID'
diff --git a/test/integration/boolean_constraints/helpers.bash b/test/integration/boolean_constraints/helpers.bash
index 0d0394b..dd402a4 100644
--- a/test/integration/boolean_constraints/helpers.bash
+++ b/test/integration/boolean_constraints/helpers.bash
@@ -13,6 +13,10 @@ function check_boolean_policy {
 ENFORCED="$3"
 RESULT="false"
 
+ DEBUG=$(echo "$POLICY" | jq '.')
+ >&2 echo Test "$CONSTRAINT" is "$ENFORCED"
+ >&2 echo "$DEBUG"
+
 if [[ "$ENFORCED" = "true" ]]
 then
 RESULT=$(echo "$POLICY" | jq -r --arg const "$CONSTRAINT" '(.[]) | select(.constraint==$const) | .booleanPolicy.enforced==true')
diff --git a/test/integration/boolean_constraints/integration.bats b/test/integration/boolean_constraints/integration.bats
index 136b7bf..533ebcb 100644
--- a/test/integration/boolean_constraints/integration.bats
+++ b/test/integration/boolean_constraints/integration.bats
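Review bot: Both changed `args` source `/usr/local/bin/task_helper_functions.sh` from the image and then call `test_list_constraints` / `test_boolean_constraints`, but those functions are defined in this commit's `test/task_helper_functions.sh`, which sits in the workspace, not at that path; unless the image-side helper itself sources the repository copy (not visible here), each step ends with `test_list_constraints: command not found`. Sourcing the repository file explicitly removes that dependence on image behaviour: `args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && source test/task_helper_functions.sh && test_list_constraints']`, and likewise for the boolean step. The `steps` list continues outside the hunk on both sides.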
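Review bot: The three lines added to check_boolean_policy print the full org-policy listing to stderr on every call — `DEBUG` is the pretty-printed JSON of every policy on the organization or folder, and it lands in the Cloud Build log once per assertion — which reads as leftover debugging rather than intended output. If the dump is wanted for troubleshooting, gate it behind an opt-in variable so the default log stays small, e.g. `[[ -n "${ORG_POLICY_DEBUG:-}" ]] && jq '.' <<<"$POLICY" >&2`; the `Test ... is ...` line can stay unconditional, but quote it as one string: `>&2 echo "Test $CONSTRAINT is $ENFORCED"`. check_boolean_policy starts and ends outside the hunk.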
@@ -67,13 +67,13 @@ load helpers
 @test "Test constraints on organization $ORGANIZATION_ID and folder $FOLDER_EXCLUDE" {
 
 POLICY=$(gcloud beta resource-manager org-policies list --organization "$ORGANIZATION_ID" --format="json")
- RESULT=$(check_boolean_policy "$ORG_CONSTRAINT" "$POLICY" "true")
+ RESULT=$(check_boolean_policy "$ORG_CONSTRAINT_BOOL" "$POLICY" "true")
 run echo "$RESULT"
 [ "$status" -eq 0 ]
 [[ "$output" = "true" ]]
 
 POLICY=$(gcloud beta resource-manager org-policies list --folder "$FOLDER_EXCLUDE" --format="json")
- RESULT=$(check_boolean_policy "$ORG_CONSTRAINT" "$POLICY" "false")
+ RESULT=$(check_boolean_policy "$ORG_CONSTRAINT_BOOL" "$POLICY" "false")
 run echo "$RESULT"
 [ "$status" -eq 0 ]
 [[ "$output" = "true" ]]
diff --git a/test/integration/boolean_constraints/launch.sh b/test/integration/boolean_constraints/launch.sh
index e57235f..875a134 100644
--- a/test/integration/boolean_constraints/launch.sh
+++ b/test/integration/boolean_constraints/launch.sh
@@ -16,14 +16,9 @@
 
 # VARIABLES
 # Constraints
-PROJECT_CONSTRAINT='constraints/compute.disableSerialPortAccess'
-FOLDER_CONSTRAINT='constraints/compute.restrictXpnProjectLienRemval'
-ORG_CONSTRAINT_BOOL='constraints/compute.disableSerialPortAccess'
-
-# Dynamic vars, generated by `maeke_source.sh`
-# shellcheck disable=SC1091
-. ../../source.sh
-grep -v "qazwsk" ../../source.sh
+export PROJECT_CONSTRAINT='constraints/compute.disableSerialPortAccess'
+export FOLDER_CONSTRAINT='constraints/compute.restrictXpnProjectLienRemoval'
+export ORG_CONSTRAINT_BOOL='constraints/compute.disableSerialPortAccess'
 
 # Make sure required vars are defined
 # shellcheck disable=SC2153
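Review bot: `FOLDER_CONSTRAINT` changes value in this hunk — `compute.restrictXpnProjectLienRemval` becomes `compute.restrictXpnProjectLienRemoval` — which alters which org-policy constraint the folder test applies, yet it is buried inside what otherwise reads as a mechanical `export` conversion and the commit message does not mention it; a one-line comment such as `# constraint name corrected: previously misspelled "LienRemval"` (or a line in the message) keeps it visible to anyone bisecting a test change. PROJECT_CONSTRAINT and ORG_CONSTRAINT_BOOL carry the same constraint, which looks deliberate so that the org-level policy and the project exclusion are exercised against one constraint; if so, a short comment saying that would stop a reader from "fixing" it.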
@@ -32,17 +27,11 @@ if [[ -z "$FOLDER_1_ID" || -z "$PROJECT_ID" || -z "$PROJECT_EXCLUDE" || -z "$FOL
 env
 exit 3
 fi
+
 # shellcheck disable=SC2155,SC2153
 export FOLDER_ID=$(echo "${FOLDER_1_ID}" | awk -F / '{print $2}')
-# shellcheck disable=SC2154
-export ORGANIZATION_ID="${TF_VAR_org_id}"
 # shellcheck disable=SC2155,SC2153
-export FOLDER_EXCLUDE=$(echo "${FOLDER_2_ID}" | awk -F / '{print $2}')
-
-# initialize helpers and set credentials
-source /usr/local/bin/task_helper_functions.sh && init_credentials_if_found
-
-[[ -z "$GOOGLE_CREDENTIALS" || -z "$GOOGLE_APPLICATION_CREDENTIALS" ]] && echo "Please define Google credentials" && exit 3
+export FOLDER_EXCLUDE=$(echo "${FOLDER_EXCLUDE}" | awk -F / '{print $2}')
 
 #################################################################
 # FUNCTIONS FOR PREPARING WORKSPACE AND CALLING BATS #
@@ -86,6 +75,7 @@ module "org-policy-boolean-folder" {
 exclude_projects = ["$PROJECT_EXCLUDE"]
 }
 
+
 module "org-policy-boolean-org" {
 source = "../../../"
 
@@ -108,17 +98,11 @@ EOF
 clean_workdir
 create_main_tf_file
 
-# Make sure bats is installed
-bats -v || (git clone https://github.com/sstephenson/bats.git && cd bats && ./install.sh /usr/local && cd - && rm -rf bats)
-
 # Call to bats
 echo "Test to execute: $(bats integration.bats -c)"
 bats integration.bats
 bats_exitcode=$?
 
-export CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=""
-unset CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE
-
 # Clean the environment
 clean_workdir
 echo "Integration test finished"
diff --git a/test/integration/list_constraints/integration.bats b/test/integration/list_constraints/integration.bats
index 3e5c4c1..b870e6c 100644
--- a/test/integration/list_constraints/integration.bats
+++ b/test/integration/list_constraints/integration.bats
@@ -22,7 +22,7 @@ load helpers
 
 run terraform plan
 [ "$status" -eq 0 ]
- [[ "$output" =~ 7\ to\ add ]]
+ [[ "$output" =~ 6\ to\ add ]]
 [[ "$output" =~ 0\ to\ change ]]
 [[ "$output" =~ 0\ to\ destroy ]]
 }
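Review bot: `export FOLDER_EXCLUDE=$(echo "${FOLDER_EXCLUDE}" | awk -F / '{print $2}')` rewrites the variable in terms of itself, so it is only correct while the incoming value still has the `folders/<id>` shape — if launch.sh is ever sourced twice, or a caller already passes a bare id, the second field is empty and every later `--folder "$FOLDER_EXCLUDE"` query runs against an empty folder; `export FOLDER_EXCLUDE="${FOLDER_EXCLUDE#folders/}"` is idempotent, and the same line is added to test/integration/list_constraints/launch.sh in this commit. With the `ORGANIZATION_ID="${TF_VAR_org_id}"` fallback gone, ORGANIZATION_ID must now arrive from source.sh, but the required-variable guard whose `if` heads the hunk does not visibly check it (or FOLDER_EXCLUDE), so a missing value surfaces only as a gcloud error much later; a line such as `[[ -z "$ORGANIZATION_ID" || -z "$FOLDER_EXCLUDE" ]] && { echo "ORGANIZATION_ID and FOLDER_EXCLUDE must be set" >&2; exit 3; }` after `fi` fails fast. That guard's failure branch still runs `env` before `exit 3`, printing every variable in the container — including any credentials injected into the environment — into the build log whenever a required name is missing; the commit drops the unconditional `env` from list_constraints/launch.sh but keeps this one, and an `echo` naming the missing variables to stderr would diagnose without the dump. The `if` statement itself begins before the hunk.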
@@ -32,7 +32,7 @@ load helpers
 
 run terraform apply -auto-approve -parallelism=1
 [ "$status" -eq 0 ]
- [[ "$output" =~ 7\ added ]]
+ [[ "$output" =~ 6\ added ]]
 [[ "$output" =~ 0\ changed ]]
 [[ "$output" =~ 0\ destroyed ]]
 }
@@ -59,16 +59,6 @@ load helpers
 [[ "$output" = "true" ]]
 
 }
-@test "Test constraints on organization $ORGANIZATION_ID (restrict values) constraining $ORG_RESTRICT_DOMAIN_CONSTRAINT to $ORG_RESTRICT_DOMAIN_CONSTRAINT_VALUE_1" {
-
- POLICY=$(gcloud beta resource-manager org-policies list --organization "$ORGANIZATION_ID" --format="json")
- RESULT=$(check_list_policy_values "$ORG_RESTRICT_DOMAIN_CONSTRAINT" "$POLICY" "allow" "$ORG_RESTRICT_DOMAIN_CONSTRAINT_VALUE_1")
- run echo "$RESULT"
- [ "$status" -eq 0 ]
- [[ "$output" = "true" ]]
-
-}
-
 @test "Test constraints on organization $ORGANIZATION_ID (deny values) and project $PROJECT_EXCLUDE and folder $FOLDER_EXCLUDE (exclusions)" {
 
 POLICY=$(gcloud beta resource-manager org-policies list --organization "$ORGANIZATION_ID" --format="json")
@@ -107,5 +97,5 @@ load helpers
 
 run terraform destroy -force
 [ "$status" -eq 0 ]
- [[ "$output" =~ 7\ destroyed ]]
+ [[ "$output" =~ 6\ destroyed ]]
 }
diff --git a/test/integration/list_constraints/launch.sh b/test/integration/list_constraints/launch.sh
index ad51085..0f31aad 100644
--- a/test/integration/list_constraints/launch.sh
+++ b/test/integration/list_constraints/launch.sh
@@ -16,20 +16,12 @@
 
 # VARIABLES
 # Constraints
-PROJECT_CONSTRAINT_DENY_ALL='constraints/compute.trustedImageProjects'
-FOLDER_CONSTRAINT_ALLOW_ALL='constraints/compute.trustedImageProjects'
-ORG_CONSTRAINT='constraints/serviceuser.services'
-ORG_CONSTRAINT_VALUE_1='doubleclicksearch.googleapis.com'
-ORG_CONSTRAINT_VALUE_2='resourceviews.googleapis.com'
-ORG_RESTRICT_DOMAIN_CONSTRAINT='constraints/iam.allowedPolicyMemberDomains'
-ORG_RESTRICT_DOMAIN_CONSTRAINT_VALUE_1='C00u46n4k'
-FOLDER_2_CONSTRAINT='constraints/compute.trustedImageProjects'
-
-# Dynamic vars, generated by `maeke_source.sh`
-# shellcheck disable=SC1091
-. ../../source.sh
-
-grep -v "qazwsk" ../../source.sh
+export PROJECT_CONSTRAINT_DENY_ALL='constraints/compute.trustedImageProjects'
+export FOLDER_CONSTRAINT_ALLOW_ALL='constraints/compute.trustedImageProjects'
+export ORG_CONSTRAINT='constraints/serviceuser.services'
+export ORG_CONSTRAINT_VALUE_1='doubleclicksearch.googleapis.com'
+export ORG_CONSTRAINT_VALUE_2='resourceviews.googleapis.com'
+export FOLDER_2_CONSTRAINT='constraints/compute.trustedImageProjects'
 
 # Make sure required vars are defined
 # shellcheck disable=SC2153
@@ -40,17 +32,10 @@ if [[ -z "$FOLDER_1_ID" || -z "$FOLDER_2_ID" || -z "$PROJECT_ID" || -z "$PROJECT
 fi
 # shellcheck disable=SC2155
 export FOLDER_ID=$(echo "${FOLDER_1_ID}" | awk -F / '{print $2}')
-# shellcheck disable=SC2154
-export ORGANIZATION_ID="${TF_VAR_org_id}"
 # shellcheck disable=SC2155,SC2153
 export FOLDER_2_ID=$(echo "${FOLDER_2_ID}" | awk -F / '{print $2}')
-
-env
-
-# initialize helpers and set credentials
-source /usr/local/bin/task_helper_functions.sh && init_credentials_if_found
-
-[[ -z "$GOOGLE_CREDENTIALS" || -z "$GOOGLE_APPLICATION_CREDENTIALS" ]] && echo "Please define Google credentials" && exit 3
+# shellcheck disable=SC2155,SC2153
+export FOLDER_EXCLUDE=$(echo "${FOLDER_EXCLUDE}" | awk -F / '{print $2}')
 
 #################################################################
 # FUNCTIONS FOR PREPARING WORKSPACE AND CALLING BATS #
@@ -74,16 +59,6 @@ provider "google" {
 version = "~> 2.5.0"
 }
 
-module "org-policy-restrict-domain" {
- source = "../../../"
-
- organization_id = "$ORGANIZATION_ID"
- constraint = "$ORG_RESTRICT_DOMAIN_CONSTRAINT"
- policy_type = "list"
- allow = ["$ORG_RESTRICT_DOMAIN_CONSTRAINT_VALUE_1"]
- allow_list_length = "1"
-}
-
 module "org-policy-list-project" {
 source = "../../../"
 
@@ -139,17 +114,11 @@ EOF
 clean_workdir
 create_main_tf_file
 
-# Make sure bats is installed
-bats -v || (git clone https://github.com/sstephenson/bats.git && cd bats && ./install.sh /usr/local && cd - && rm -rf bats)
-
 # Call to bats
 echo "Test to execute: $(bats integration.bats -c)"
 bats integration.bats
 bats_exitcode=$?
 
-export CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=""
-unset CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE
-
 # Clean the environment
 clean_workdir
 echo "Integration test finished"
diff --git a/test/setup/iam.tf b/test/setup/iam.tf
index e41fe3c..a21ea6f 100644
--- a/test/setup/iam.tf
+++ b/test/setup/iam.tf
@@ -22,21 +22,8 @@ locals {
 organization_roles = [
 "roles/orgpolicy.policyAdmin"
 ]
-
- folders = [
- "1_0d419896c29",
- "2_0d419896c29",
- ]
-}
-
-resource "google_folder" "org_policy" {
- for_each = toset(local.folders)
-
- display_name = "ci-org-policy-${each.value}"
- parent = "folders/${var.folder_id}"
 }
-
 
 resource "google_service_account" "int_test" {
 project = module.project.project_id
 account_id = "ci-account"
diff --git a/test/setup/main.tf b/test/setup/main.tf
index 2fa1b30..8a4357d 100644
--- a/test/setup/main.tf
+++ b/test/setup/main.tf
@@ -48,6 +48,20 @@ module "project_exclude" {
 ]
 }
 
+resource "random_id" "folders" {
+ byte_length = 8
+}
+
+resource "google_folder" "org_policy_1" {
+ display_name = "test-folder-1-${random_id.folders.hex}"
+ parent = "folders/${var.folder_id}"
+}
+
+resource "google_folder" "org_policy_2" {
+ display_name = "test-folder-2-${random_id.folders.hex}"
+ parent = "folders/${var.folder_id}"
+}
+
 resource "null_resource" "wait_apis" {
 # Adding a pause as a workaround for of the provider issue
 # https://github.com/terraform-providers/terraform-provider-google/issues/1131
diff --git a/test/setup/make_source.sh b/test/setup/make_source.sh
index 32fc17e..d036e39 100755
--- a/test/setup/make_source.sh
+++ b/test/setup/make_source.sh
@@ -14,6 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+organization_id=$(terraform output org_id)
 project_id=$(terraform output project_id)
 sa_json=$(terraform output sa_key)
 folder_1_id=$(terraform output folder_1_id)
@@ -22,6 +23,7 @@ project_exclude=$(terraform output project_exclude_id)
 
 # shellcheck disable=SC2086,SC2154
 { echo "export TF_VAR_project_id='$project_id'"; \
+echo "export ORGANIZATION_ID='$organization_id'"; \
 echo "export FOLDER_EXCLUDE='$folder_2_id'"; \
 echo "export FOLDER_1_ID='$folder_1_id'"; \
 echo "export FOLDER_2_ID='$folder_2_id'"; \
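Review bot: `display_name = "test-folder-1-${random_id.folders.hex}"` is 30 characters (a 14-character prefix plus the 16 hex digits that `byte_length = 8` yields), which, if Resource Manager's folder display-name limit is still 30 characters, sits exactly on the limit and breaks the moment someone lengthens the prefix; `byte_length = 4` keeps the names unique among siblings with room to spare, or add `# display_name must stay within the folder name length limit` so the constraint is visible. `random_id` also pulls in the random provider, and no `required_providers` entry or version pin for it is visible in this diff — worth checking that the setup directory declares one so the integration build does not depend on whatever the image happens to ship. The `module "project_exclude"` block that heads the hunk starts outside it.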
diff --git a/test/setup/outputs.tf b/test/setup/outputs.tf
index e0fec78..57d29a3 100644
--- a/test/setup/outputs.tf
+++ b/test/setup/outputs.tf
@@ -14,6 +14,10 @@
 * limitations under the License.
 */
 
+output "org_id" {
+ value = var.org_id
+}
+
 output "project_id" {
 value = module.project.project_id
 }
@@ -23,11 +27,11 @@ output "project_exclude_id" {
 }
 
 output "folder_1_id" {
- value = google_folder.org_policy[local.folders[0]].id
+ value = google_folder.org_policy_1.id
 }
 
 output "folder_2_id" {
- value = google_folder.org_policy[local.folders[1]].id
+ value = google_folder.org_policy_2.id
 }
 
 output "sa_key" {
diff --git a/test/task_helper_functions.sh b/test/task_helper_functions.sh
new file mode 100644
index 0000000..33ae677
--- /dev/null
+++ b/test/task_helper_functions.sh
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+test_list_constraints() {
+ source_test_env
+ init_credentials
+ cd test/integration/list_constraints
+ bash launch.sh
+ cd -
+}
+
+test_boolean_constraints() {
+ source_test_env
+ init_credentials
+ cd test/integration/boolean_constraints
+ bash launch.sh
+ cd -
+}
+
+run_integration_tests() {
+ test_list_constraints
+ test_boolean_constraints
+}
+
+finish_integration() {
+ local rv=$?
+ finish
+ exit "${rv}"
+}
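Review bot: In test_list_constraints and test_boolean_constraints the exit status of `bash launch.sh` is discarded — the function returns the status of the trailing `cd -` (which also prints the directory), so a failing bats run leaves the Cloud Build step green unless errexit happens to be on in the caller, and if the `cd` into the test directory fails, launch.sh runs in the wrong directory and `cd -` then moves somewhere else again. Running each suite in a subshell scopes the directory change and makes the function's status that of launch.sh; run_integration_tests should then run both suites and report failure if either failed. The names `source_test_env`, `init_credentials` and `finish` are not defined in this file and presumably come from the image's /usr/local/bin/task_helper_functions.sh, so a header comment stating that and that this file must be sourced after it would save the next reader a search.
```bash
# Requires source_test_env, init_credentials and finish from the developer-tools
# image helper (/usr/local/bin/task_helper_functions.sh); source that file first.

test_list_constraints() {
  source_test_env
  init_credentials
  # Subshell: the cd cannot leak, and the function's status is launch.sh's.
  (cd test/integration/list_constraints && bash launch.sh)
}

test_boolean_constraints() {
  source_test_env
  init_credentials
  (cd test/integration/boolean_constraints && bash launch.sh)
}

run_integration_tests() {
  # Run both suites; fail if either failed.
  local rv=0
  test_list_constraints || rv=$?
  test_boolean_constraints || rv=$?
  return "$rv"
}

# … unchanged: finish_integration …
```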