From 89cbcb75fd1a6f3a1b09670119c5c749c8a9d8bb Mon Sep 17 00:00:00 2001
From: Danny Seymour
Date: Tue, 19 Feb 2019 11:33:46 -0800
Subject: [PATCH] Add unit test to check G Suite group is created

Fixes https://github.com/terraform-google-modules/terraform-google-project-factory/issues/111
---
 modules/core_project_factory/main.tf | 2 +-
 test/fixtures/full/main.tf | 14 ++++----
 test/fixtures/shared/variables.tf | 3 +-
 test/integration/full/controls/gsuite.rb | 6 ++++
 test/scripts/gsuite/gsuite_groups.py | 41 ++++++++++++++++++++++++
 5 files changed, 57 insertions(+), 9 deletions(-)
 create mode 100755 test/scripts/gsuite/gsuite_groups.py

diff --git a/modules/core_project_factory/main.tf b/modules/core_project_factory/main.tf
index 5a1686c8a..db8d401c2 100644
--- a/modules/core_project_factory/main.tf
+++ b/modules/core_project_factory/main.tf
@@ -136,7 +136,7 @@ resource "google_compute_shared_vpc_service_project" "shared_vpc_attachment" {
   Default compute service account retrieval
  *****************************************/
 data "google_compute_default_service_account" "default" {
-  project    = "${google_project.main.id}"
+  project    = "${google_project.main.project_id}"
   depends_on = ["google_project_service.project_services"]
 }
 
diff --git a/test/fixtures/full/main.tf b/test/fixtures/full/main.tf
index f573be044..bb6caba5d 100644
--- a/test/fixtures/full/main.tf
+++ b/test/fixtures/full/main.tf
@@ -50,7 +50,8 @@ module "vpc" {
   source       = "terraform-google-modules/network/google"
   version      = "~> 0.4.0"
   network_name = "pf-test-int-full-${random_string.suffix.result}"
-  project_id   = "${var.shared_vpc}"
+
+  project_id = "${var.shared_vpc}"
 
   # The provided project must already be a Shared VPC host
   shared_vpc_host = "false"
@@ -89,11 +90,12 @@ module "project-factory" {
   group_role         = "${var.group_role}"
   group_name         = "${var.group_name}"
   shared_vpc         = "${var.shared_vpc}"
-  shared_vpc_subnets = "${local.shared_vpc_subnets}"
-  sa_role            = "${var.sa_role}"
-  sa_group           = "${var.sa_group}"
-  credentials_path   = "${var.credentials_path}"
-  lien               = "true"
+
+  shared_vpc_subnets = "${local.shared_vpc_subnets}"
+  sa_role            = "${var.sa_role}"
+  sa_group           = "${var.sa_group}"
+  credentials_path   = "${var.credentials_path}"
+  lien               = "true"
 
   activate_apis = [
     "compute.googleapis.com",
diff --git a/test/fixtures/shared/variables.tf b/test/fixtures/shared/variables.tf
index f3027de02..99413caf1 100644
--- a/test/fixtures/shared/variables.tf
+++ b/test/fixtures/shared/variables.tf
@@ -22,8 +22,7 @@ variable "folder_id" {
   default = ""
 }
 
-variable "domain" {
-}
+variable "domain" {}
 
 variable "usage_bucket_name" {
   default = ""
diff --git a/test/integration/full/controls/gsuite.rb b/test/integration/full/controls/gsuite.rb
index d8c537578..971e9dcc0 100644
--- a/test/integration/full/controls/gsuite.rb
+++ b/test/integration/full/controls/gsuite.rb
@@ -18,6 +18,7 @@
 project_id = attribute('project_id')
 service_account_email = attribute('service_account_email')
 credentials_path = attribute('credentials_path')
+gsuite_admin_account = attribute('gsuite_admin_account')
 
 ENV['CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE'] = File.absolute_path(
   credentials_path,
@@ -74,4 +75,9 @@
       )
     end
   end
+
+  describe command("./test/scripts/gsuite/gsuite_groups.py --sa-json-credentials='test/fixtures/shared/credentials.json' --group-email #{group_email} --impersonate-user #{gsuite_admin_account}") do
+    its('exit_status') { should eq 0 }
+    its('stderr') { should eq '' }
+  end
 end
diff --git a/test/scripts/gsuite/gsuite_groups.py b/test/scripts/gsuite/gsuite_groups.py
new file mode 100755
index 000000000..be0074f3e
--- /dev/null
+++ b/test/scripts/gsuite/gsuite_groups.py
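Review bot: The new `describe command(...)` in the second gsuite.rb hunk hard-codes the key file as `test/fixtures/shared/credentials.json` and a cwd-relative script path, while the rest of the control resolves `credentials_path` through `File.absolute_path(...)`; the check therefore only works when kitchen runs from the repository root and may test against a different key than the other controls use. Pass the resolved attribute instead, `--sa-json-credentials=#{Shellwords.escape(credentials_path)}`, and escape `group_email` and `gsuite_admin_account` the same way rather than interpolating them unquoted into a shell string, since an attribute value containing whitespace or shell metacharacters would be split or interpreted by the shell. `group_email` is not defined in either hunk, so it presumably comes from an earlier part of the file; the enclosing `control` block starts outside the hunk.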
@@ -0,0 +1,41 @@
+#! /usr/bin/env python2
+
+import argparse
+from googleapiclient.errors import HttpError
+from googleapiclient.discovery import build
+from oauth2client.service_account import ServiceAccountCredentials
+
+SCOPES = ['https://www.googleapis.com/auth/admin.directory.group']
+
+def authenticate(impersonated_user, sa_json_file_path, scopes):
+    print 'Getting delegated credentials for %s' % impersonated_user
+
+    credentials = ServiceAccountCredentials.from_json_keyfile_name(
+        sa_json_file_path,
+        scopes=scopes
+    )
+
+    return credentials.create_delegated(impersonated_user)
+
+def group_exists(service, group_email):
+    try:
+        return service.groups().get(groupKey=group_email).execute()
+    except HttpError as e:
+        if e.resp.status == 404:
+            print 'Group {0} does not exist'.format(group_email)
+            exit(1)
+        else:
+            print 'Error fetching groups {0} {1}'.format(e.content, e.error_details)
+            exit(2)
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description='Test if the specified G Suite exists')
+    parser.add_argument('--sa-json-credentials', dest='sa_json_credentials')
+    parser.add_argument('--group-email', dest='group_email')
+    parser.add_argument('--impersonate-user', dest='impersonate_user')
+    args = parser.parse_args()
+
+    service = build("admin", "directory_v1", credentials=authenticate(args.impersonate_user,
+                                                                       args.sa_json_credentials,
+                                                                       SCOPES))
+    group_exists(service, args.group_email)
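Review bot: `SCOPES` requests the read-write `admin.directory.group` scope although the script only calls `groups().get()`; the delegated credential here is a service-account key impersonating a G Suite admin, so it should be limited to what the check needs, `SCOPES = ['https://www.googleapis.com/auth/admin.directory.group.readonly']`, rather than carrying group-management rights in a test fixture. The three `add_argument` calls lack `required=True`, so a missing flag presumably surfaces as a traceback from `from_json_keyfile_name(None)` with exit status 1 — the same status the 404 branch uses — so the InSpec assertion cannot distinguish "group missing" from "script misused"; marking them required gives a usage error with status 2 instead. `exit(1)`/`exit(2)` are the `site`-module helpers and are not guaranteed to exist in every interpreter configuration; `sys.exit` is the portable form. `e.error_details` exists only on recent google-api-python-client releases, so on an older pinned version the non-404 branch would itself raise AttributeError — confirm the installed version or log `e.content` alone.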