Merge pull request #28 from bharathkkb/bug/bridge

fixed bridge dependency issue, added test

.kitchen.yml

@@ -40,3 +40,18 @@ suites:
             - big_query_vpc_negative_test
     provisioner:
       name: terraform
+  - name: "simple_example_bridge"
+    driver:
+      name: "terraform"
+      command_timeout: 1800
+      root_module_directory: test/fixtures/simple_example_bridge/
+    verifier:
+      name: terraform
+      color: false
+      systems:
+        - name: simple_example_bridge
+          backend: local
+          controls:
+            - bridge_policy_test
+    provisioner:
+      name: terraform

build/int.cloudbuild.yaml

@@ -21,21 +21,55 @@ steps:
   - 'TF_VAR_org_id=$_ORG_ID'
   - 'TF_VAR_folder_id=$_FOLDER_ID'
   - 'TF_VAR_billing_account=$_BILLING_ACCOUNT'
-- id: remove existing policy
+- id: remove-existing-policy
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && remove_gcloud_org_accesspolicy']
-- id: create
+- id: create-simple-example
+  waitFor:
+    - prepare
+    - remove-existing-policy
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create']
-- id: converge
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create simple-example-local']
+- id: converge-simple-example
+  waitFor:
+    - create-simple-example
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge']
-- id: verify
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge simple-example-local']
+- id: verify-simple-example
+  waitFor:
+    - converge-simple-example
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && sleep 360 && kitchen_do verify']
-- id: destroy
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && sleep 360 && kitchen_do verify simple-example-local']
+- id: destroy-simple-example
+  waitFor:
+    - verify-simple-example
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy']
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy simple-example-local']
+- id: remove-existing-policy-cleanup-simple-example
+  waitFor:
+      - destroy-simple-example
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && remove_gcloud_org_accesspolicy']
+- id: create-simple-example-bridge-local
+  waitFor:
+    - remove-existing-policy-cleanup-simple-example
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create simple-example-bridge-local']
+- id: converge-simple-example-bridge-local
+  waitFor:
+    - create-simple-example-bridge-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge simple-example-bridge-local']
+- id: verify-simple-example-bridge-local
+  waitFor:
+    - converge-simple-example-bridge-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && sleep 360 && kitchen_do verify simple-example-bridge-local']
+- id: destroy-simple-example-bridge-local
+  waitFor:
+    - verify-simple-example-bridge-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy simple-example-bridge-local']
 tags:
 - 'ci'
 - 'integration'

examples/simple_example_bridge/main.tf

@@ -15,7 +15,7 @@
  */
 
 provider "google" {
-  version = "~> 2.5.0"
+  version = "~> 2.18.0"
 }
 
 module "access_context_manager_policy" {

modules/regular_service_perimeter/outputs.tf

@@ -17,4 +17,5 @@
 output "shared_resources" {
   description = "A map of lists of resources to share in a Bridge perimeter module. Each list should contain all or a subset of the perimeters resources"
   value       = var.shared_resources
+  depends_on  = [google_access_context_manager_service_perimeter.regular_service_perimeter]
 }

test/fixtures/simple_example_bridge/main.tf

@@ -0,0 +1,28 @@
+
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "random_id" "random_suffix" {
+  byte_length = 2
+}
+
+module "example_bridge" {
+  source                = "../../../examples/simple_example_bridge"
+  parent_id             = var.parent_id
+  policy_name           = "int_test_vpc_sc_bridge_policy_${random_id.random_suffix.hex}"
+  protected_project_ids = var.protected_project_ids
+  public_project_ids    = var.public_project_ids
+}

test/fixtures/simple_example_bridge/outputs.tf

@@ -0,0 +1,23 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "policy_name" {
+  value = module.example_bridge.policy_name
+}
+
+output "parent_id" {
+  value = var.parent_id
+}

test/fixtures/simple_example_bridge/variables.tf

@@ -0,0 +1,30 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "parent_id" {
+  description = "The parent of this AccessPolicy in the Cloud Resource Hierarchy. As of now, only organization are accepted as parent."
+  type        = string
+}
+
+variable "protected_project_ids" {
+  description = "Project id and number of the project INSIDE the regular service perimeter. This map variable expects an \"id\" for the project id and \"number\" key for the project number."
+  type        = object({ id = string, number = number })
+}
+
+variable "public_project_ids" {
+  description = "Project id and number of the project OUTSIDE of the regular service perimeter. This variable is only necessary for running integration tests. This map variable expects an \"id\" for the project id and \"number\" key for the project number."
+  type        = object({ id = string, number = number })
+}

test/integration/simple_example_bridge/controls/gcloud.rb

@@ -0,0 +1,36 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+policy_name = attribute('policy_name')
+org_id      = attribute('parent_id')
+
+control "bridge_policy_test" do
+  title "Access policy test"
+  describe command("gcloud access-context-manager policies list --organization=#{org_id} --format=json" ) do
+    its(:exit_status) { should eq 0 }
+    its(:stderr) { should eq '' }
+    let!(:data) do
+      if subject.exit_status == 0
+        JSON.parse(subject.stdout)
+      else
+        {}
+      end
+    end
+    describe "policy" do
+      it "has correct title" do
+        expect(data[0]["title"]).to eq policy_name
+      end
+    end
+  end
+end

test/integration/simple_example_bridge/inspec.yml

@@ -0,0 +1,8 @@
+name: simple_example_bridge
+attributes:
+  - name: policy_name
+    required: true
+    type: string
+  - name: parent_id
+    required: true
+    type: string