Merge pull request terraform-google-modules#94 from terraform-google-…

…modules/feature/add_tests_for_billing_account_iam

Add tests for billing_account_iam submodule terraform-google-modules#80

.kitchen.yml

@@ -84,3 +84,16 @@ suites:
           backend: local
     provisioner:
       name: terraform
+
+  - name: billing-iam
+    driver:
+      name: terraform
+      command_timeout: 1800
+      root_module_directory: test/fixtures/billing-iam
+    verifier:
+      name: terraform
+      systems:
+        - name: billing-iam
+          backend: local
+    provisioner:
+      name: terraform

Makefile

@@ -39,6 +39,7 @@ docker_test_prepare:
 		-e TF_VAR_org_id \
 		-e TF_VAR_folder_id \
 		-e TF_VAR_billing_account \
+		-e TF_VAR_billing_iam_test_account \
 		-v $(CURDIR):/workspace \
 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
 		/usr/local/bin/execute_with_credentials.sh prepare_environment
@@ -51,6 +52,7 @@ docker_test_cleanup:
 		-e TF_VAR_org_id \
 		-e TF_VAR_folder_id \
 		-e TF_VAR_billing_account \
+		-e TF_VAR_billing_iam_test_account \
 		-v $(CURDIR):/workspace \
 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
 		/usr/local/bin/execute_with_credentials.sh cleanup_environment

build/int.cloudbuild.yaml

@@ -21,6 +21,7 @@ steps:
   - 'TF_VAR_org_id=$_ORG_ID'
   - 'TF_VAR_folder_id=$_FOLDER_ID'
   - 'TF_VAR_billing_account=$_BILLING_ACCOUNT'
+  - 'TF_VAR_billing_iam_test_account=$_BILLING_IAM_TEST_ACCOUNT'
 
 - id: create member-iam-local
   waitFor:
@@ -43,6 +44,30 @@ steps:
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy member-iam-local']
 
+# ----- SUITE billing-iam-local
+
+- id: create billing-iam-local
+  waitFor:
+    - prepare
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create billing-iam-local']
+- id: converge billing-iam-local
+  waitFor:
+    - create billing-iam-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge billing-iam-local']
+- id: verify billing-iam-local
+  waitFor:
+    - converge billing-iam-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify billing-iam-local']
+- id: destroy billing-iam-local
+  waitFor:
+    - verify billing-iam-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy billing-iam-local']
+
+
 # ----- SUITE additive-local
 
 # verify additive-local with 2 roles

examples/billing_account/README.md

@@ -8,9 +8,15 @@ This example illustrates how to use the `billing_accounts_iam` submodule
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | billing\_account\_id | Billing Account ID to apply IAM bindings | string | n/a | yes |
-| group\_email | Email for group to receive roles (ex. group@example.com) | string | n/a | yes |
-| sa\_email | Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com) | string | n/a | yes |
-| user\_email | Email for group to receive roles (Ex. user@example.com) | string | n/a | yes |
+| project\_id | Project ID for the module | string | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| billing\_account\_ids | Billing Accounts which received bindings. |
+| members | Members which were bound to the billing accounts. |
+| service\_account\_addresses | Service Account Addresses which were bound to projects. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 

examples/billing_account/main.tf

@@ -25,6 +25,30 @@ provider "google-beta" {
   version = "~> 2.7"
 }
 
+locals {
+
+  bindings = {
+    "roles/billing.viewer" = [
+      "serviceAccount:billing-iam-test-01@${var.project_id}.iam.gserviceaccount.com",
+    ]
+
+    "roles/billing.admin" = [
+      "serviceAccount:billing-iam-test-01@${var.project_id}.iam.gserviceaccount.com",
+      "serviceAccount:billing-iam-test-02@${var.project_id}.iam.gserviceaccount.com",
+    ]
+  }
+}
+
+resource "google_service_account" "service_account_01" {
+  account_id = "billing-iam-test-01"
+  project    = var.project_id
+}
+
+resource "google_service_account" "service_account_02" {
+  account_id = "billing-iam-test-02"
+  project    = var.project_id
+}
+
 /******************************************
   Module billing_account_iam_binding calling
  *****************************************/
@@ -35,14 +59,5 @@ module "billing-account-iam" {
 
   mode = "additive"
 
-  bindings = {
-    "roles/billing.viewer" = [
-      "user:${var.user_email}",
-    ]
-
-    "roles/billing.user" = [
-      "serviceAccount:${var.sa_email}",
-      "group:${var.group_email}",
-    ]
-  }
+  bindings = local.bindings
 }

examples/billing_account/outputs.tf

@@ -0,0 +1,30 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "service_account_addresses" {
+  value       = [google_service_account.service_account_01.email, google_service_account.service_account_02.email]
+  description = "Service Account Addresses which were bound to projects."
+}
+
+output "billing_account_ids" {
+  value       = module.billing-account-iam.billing_account_ids
+  description = "Billing Accounts which received bindings."
+}
+
+output "members" {
+  value       = local.bindings
+  description = "Members which were bound to the billing accounts."
+}

examples/billing_account/variables.tf

@@ -14,22 +14,12 @@
  * limitations under the License.
  */
 
-variable "group_email" {
-  type        = string
-  description = "Email for group to receive roles (ex. group@example.com)"
-}
-
-variable "sa_email" {
-  type        = string
-  description = "Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com)"
-}
-
-variable "user_email" {
+variable "billing_account_id" {
   type        = string
-  description = "Email for group to receive roles (Ex. user@example.com)"
+  description = "Billing Account ID to apply IAM bindings"
 }
 
-variable "billing_account_id" {
+variable "project_id" {
   type        = string
-  description = "Billing Account ID to apply IAM bindings"
+  description = "Project ID for the module"
 }

test/fixtures/billing-iam/main.tf

@@ -0,0 +1,31 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+provider "google" {
+  version = "~> 2.7"
+}
+
+provider "google-beta" {
+  version = "~> 2.7"
+}
+
+#additive
+
+module "iam_binding_billing_accounts_additive" {
+  source             = "../../../examples/billing_account"
+  billing_account_id = var.billing_iam_test_account
+  project_id         = var.project_id
+}

test/fixtures/billing-iam/outputs.tf

@@ -0,0 +1,34 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# Resources
+
+#Additive
+
+output "billing_iam_test_accounts" {
+  value       = module.iam_binding_billing_accounts_additive.billing_account_ids
+  description = "Billing Accounts which received bindings."
+}
+
+output "members" {
+  value       = module.iam_binding_billing_accounts_additive.members
+  description = "Members which were bound to the billing accounts."
+}
+
+output "project_id" {
+  value       = var.project_id
+  description = "Project ID"
+}

test/fixtures/billing-iam/variables.tf

@@ -0,0 +1,25 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "billing_iam_test_account" {
+  type        = string
+  description = "Billing Account ID to use for testing IAM policies/bindings."
+}
+
+variable "project_id" {
+  type        = string
+  description = "Project ID"
+}

test/fixtures/helper/base/main.tf

@@ -35,7 +35,7 @@ resource "google_folder" "test" {
 resource "random_id" "test" {
   count = local.n
 
-  byte_length = 2
+  byte_length = 4
 }
 
 resource "google_project" "test" {

test/integration/billing-iam/controls/billing-iam.rb

@@ -0,0 +1,49 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Billing Bindings
+
+billing_iam_test_accounts = attribute('billing_iam_test_accounts')
+members = attribute('members')
+project_id = attribute('project_id')
+
+control "GCP Billing IAM" do
+            title "GCP Billing Bindings"
+            billing_iam_test_accounts.each do |billing_iam_test_accounts|
+                describe command ("gcloud beta billing accounts get-iam-policy #{billing_iam_test_accounts} --format=json") do
+                its(:exit_status) { should eq 0 }
+                its(:stderr) { should eq '' }
+
+                let!(:data) do
+                    if subject.exit_status == 0
+                        JSON.parse(subject.stdout)
+                    else
+                        {}
+                    end
+                end
+
+                describe "members" do
+                it "are bound" do
+                    transformed_data={}
+                    data['bindings'].each do |binding|
+                        transformed_data.store(binding["role"],binding["members"])
+                    end
+                    expect(transformed_data["roles/billing.viewer"]).to include("serviceAccount:billing-iam-test-01@#{project_id}.iam.gserviceaccount.com")
+                    expect(transformed_data["roles/billing.admin"]).to include("serviceAccount:billing-iam-test-01@#{project_id}.iam.gserviceaccount.com")
+                    expect(transformed_data["roles/billing.admin"]).to include("serviceAccount:billing-iam-test-02@#{project_id}.iam.gserviceaccount.com")
+                end
+            end
+        end
+    end
+end

test/integration/billing-iam/inspec.yml

@@ -0,0 +1,28 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: billing-iam
+attributes:
+  - name: billing_iam_test_accounts
+    required: true
+    type: array
+  - name: roles
+    required: true
+    type: array
+  - name: members
+    required: true
+    type: hash
+  - name: project_id
+    required: true
+    type: string