From c7102045296449fb33cdedf744cb9859ba831124 Mon Sep 17 00:00:00 2001 From: Kunal Kumar Gupta Date: Mon, 10 Feb 2020 17:01:40 -0600 Subject: [PATCH 01/12] Adding tests for billing-iam module --- .kitchen.yml | 13 +++++ Makefile | 2 + test/fixtures/billing-iam/main.tf | 56 +++++++++++++++++++ test/fixtures/billing-iam/outputs.tf | 34 +++++++++++ test/fixtures/billing-iam/variables.tf | 36 ++++++++++++ .../billing-iam/controls/billing-iam.rb | 48 ++++++++++++++++ test/integration/billing-iam/inspec.yml | 25 +++++++++ test/setup/iam.tf | 8 ++- test/setup/variables.tf | 4 ++ 9 files changed, 225 insertions(+), 1 deletion(-) create mode 100644 test/fixtures/billing-iam/main.tf create mode 100644 test/fixtures/billing-iam/outputs.tf create mode 100644 test/fixtures/billing-iam/variables.tf create mode 100644 test/integration/billing-iam/controls/billing-iam.rb create mode 100644 test/integration/billing-iam/inspec.yml diff --git a/.kitchen.yml b/.kitchen.yml index 4b61fa30..36b5eeeb 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -84,3 +84,16 @@ suites: backend: local provisioner: name: terraform + + - name: billing-iam + driver: + name: terraform + command_timeout: 1800 + root_module_directory: test/fixtures/billing-iam + verifier: + name: terraform + systems: + - name: billing-iam + backend: local + provisioner: + name: terraform diff --git a/Makefile b/Makefile index 86e88824..0335fe60 100644 --- a/Makefile +++ b/Makefile @@ -39,6 +39,7 @@ docker_test_prepare: -e TF_VAR_org_id \ -e TF_VAR_folder_id \ -e TF_VAR_billing_account \ + -e TF_VAR_billing_iam_test_account \ -v $(CURDIR):/workspace \ $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \ /usr/local/bin/execute_with_credentials.sh prepare_environment 
@@ -51,6 +52,7 @@ docker_test_cleanup: -e TF_VAR_org_id \ -e TF_VAR_folder_id \ -e TF_VAR_billing_account \ + -e TF_VAR_billing_iam_test_account \ -v $(CURDIR):/workspace \ $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \ /usr/local/bin/execute_with_credentials.sh cleanup_environment diff --git a/test/fixtures/billing-iam/main.tf b/test/fixtures/billing-iam/main.tf new file mode 100644 index 00000000..1b26d284 --- /dev/null +++ b/test/fixtures/billing-iam/main.tf 
@@ -0,0 +1,56 @@ +/** + * Copyright 2019 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +locals { + billing_roles = ["roles/billing.admin", "roles/billing.viewer"] + members = [var.member1, var.member2] + + member_group_0 = [ + "serviceAccount:${var.member1}", + "serviceAccount:${var.member2}", + ] + + member_group_1 = [ + "serviceAccount:${var.member2}", + ] + + member_groups = [local.member_group_0, local.member_group_1] + + # 1 or 2 roles amount can be specified to generate that amount of bindings. + # This variability is used to test how the module behaves on configuration updates. + + billing_bindings = zipmap( + slice(local.billing_roles, 0, var.roles), + slice(local.member_groups, 0, var.roles) + ) +} + +provider "google" { + version = "~> 2.7" +} + +provider "google-beta" { + version = "~> 2.7" +} + +#additive + +module "iam_binding_billing_accounts_additive" { + source = "../../../modules/billing_accounts_iam" + mode = "additive" + bindings = local.billing_bindings + billing_account_ids = [var.billing_iam_test_account] +} diff --git a/test/fixtures/billing-iam/outputs.tf b/test/fixtures/billing-iam/outputs.tf new file mode 100644 index 00000000..784a557a --- /dev/null +++ b/test/fixtures/billing-iam/outputs.tf 
@@ -0,0 +1,34 @@ +/** + * Copyright 2019 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +# Resources + +#Additive + +output "billing_iam_test_account" { + value = module.iam_binding_billing_accounts_additive.billing_account_ids + description = "Billing Accounts which received bindings." +} + +output "roles" { + value = module.iam_binding_billing_accounts_additive.roles + description = "Roles which were assigned to members." +} + +output "members" { + value = module.iam_binding_billing_accounts_additive.members + description = "Members which were bound to the billing accounts." +} diff --git a/test/fixtures/billing-iam/variables.tf b/test/fixtures/billing-iam/variables.tf new file mode 100644 index 00000000..5bb165c1 --- /dev/null +++ b/test/fixtures/billing-iam/variables.tf 
@@ -0,0 +1,36 @@ +/** + * Copyright 2019 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +variable "member1" { + type = string + description = "Member created for binding with roles." +} + +variable "member2" { + type = string + description = "Member created for binding with roles." +} + +variable "roles" { + type = number + default = 2 + description = "Amount of roles to assign. Useful for testing how the module behaves on updates." +} + +variable "billing_iam_test_account" { + type = string + description = "Billing Accounts IDs list to add the IAM policies/bindings." +} diff --git a/test/integration/billing-iam/controls/billing-iam.rb b/test/integration/billing-iam/controls/billing-iam.rb new file mode 100644 index 00000000..d143d645 --- /dev/null +++ b/test/integration/billing-iam/controls/billing-iam.rb 
@@ -0,0 +1,48 @@ +# Copyright 2019 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Billing Bindings + +billing_iam_test_account = attribute('billing_iam_test_account') +members = attribute('members') + +control "GCP Billing IAM" do + title "GCP Billing Bindings" + billing_iam_test_account.each do |billing_iam_test_account| + describe command ("gcloud beta billing accounts get-iam-policy #{billing_iam_test_account} --format=json") do + its(:exit_status) { should eq 0 } + its(:stderr) { should eq '' } + + let!(:data) do + if subject.exit_status == 0 + JSON.parse(subject.stdout) + else + {} + end + end + + describe "members" do + it "are bound" do + members.each do |member| + expect(data['bindings'][0]['members']).to include(member) + end + end + + it "are admin" do + expect(data['bindings'][0]['role']).to eq 'roles/billing.admin' + end + end + end + end +end diff --git a/test/integration/billing-iam/inspec.yml b/test/integration/billing-iam/inspec.yml new file mode 100644 index 00000000..8e0ac369 --- /dev/null +++ b/test/integration/billing-iam/inspec.yml 
@@ -0,0 +1,25 @@ +# Copyright 2019 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: billing-iam +attributes: + - name: billing_iam_test_account + required: true + type: array + - name: roles + required: true + type: array + - name: members + required: true + type: array diff --git a/test/setup/iam.tf b/test/setup/iam.tf index 463735f0..73288c2b 100644 --- a/test/setup/iam.tf +++ b/test/setup/iam.tf @@ -72,7 +72,13 @@ resource "google_billing_account_iam_member" "int_test_ba" { member = "serviceAccount:${google_service_account.int_test.email}" } +resource "google_billing_account_iam_member" "int_test_ba_billing_iam" { + + billing_account_id = var.billing_iam_test_account + role = "roles/billing.admin" + member = "serviceAccount:${google_service_account.int_test.email}" +} + resource "google_service_account_key" "int_test" { service_account_id = google_service_account.int_test.id } - diff --git a/test/setup/variables.tf b/test/setup/variables.tf index 6d80b898..f06665a4 100644 --- a/test/setup/variables.tf +++ b/test/setup/variables.tf @@ -24,3 +24,7 @@ variable "folder_id" { variable "billing_account" { description = "The billing account id associated with the project, e.g. XXXXXX-YYYYYY-ZZZZZZ" } + +variable "billing_iam_test_account" { + description = "The billing iam test account id is for the billing-iam-module, only for testing, e.g. XXXXXX-YYYYYY-ZZZZZZ" +} From 2b082fa2f89769a158cda8a211b7239a0489fc39 Mon Sep 17 00:00:00 2001 
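Review bot: The new `int_test_ba_billing_iam` resource grants the integration-test service account `roles/billing.admin` on `var.billing_iam_test_account`, and neither the hunk nor the new variable description records that this role lets the holder rewrite the billing account's own IAM policy and payment settings. A comment above the resource would keep the next maintainer from pointing the variable at a live account, e.g. `# billing.admin lets the test SA manage this account's IAM; billing_iam_test_account must be a dedicated sandbox billing account with no production projects attached.` The `variables.tf` hunk in the same patch already says "only for testing" and could carry the same sentence. The stray blank line after the opening brace can go as well; `terraform fmt` would drop it.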
From: Kunal Kumar Gupta Date: Mon, 10 Feb 2020 18:09:41 -0600 Subject: [PATCH 02/12] Fixing roles for billing-iam --- test/setup/iam.tf | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/test/setup/iam.tf b/test/setup/iam.tf index 73288c2b..6f93ca5b 100644 --- a/test/setup/iam.tf +++ b/test/setup/iam.tf @@ -40,6 +40,10 @@ locals { int_required_ba_roles = [ "roles/billing.user", ] + + int_required_ba_billing_iam_roles = [ + "roles/billing.admin", + ] } resource "google_service_account" "int_test" { @@ -73,9 +77,10 @@ resource "google_billing_account_iam_member" "int_test_ba" { } resource "google_billing_account_iam_member" "int_test_ba_billing_iam" { + count = length(local.int_required_ba_billing_iam_roles) billing_account_id = var.billing_iam_test_account - role = "roles/billing.admin" + role = local.int_required_ba_billing_iam_roles[count.index] member = "serviceAccount:${google_service_account.int_test.email}" } From b2c1b4ad15c8ef5582a0c44a904578089accd10b Mon Sep 17 00:00:00 2001 From: Kunal Kumar Gupta Date: Mon, 10 Feb 2020 18:51:42 -0600 Subject: [PATCH 03/12] Fixing resource in setup --- test/setup/iam.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/setup/iam.tf b/test/setup/iam.tf index 6f93ca5b..05aab87a 100644 --- a/test/setup/iam.tf +++ b/test/setup/iam.tf @@ -76,7 +76,7 @@ resource "google_billing_account_iam_member" "int_test_ba" { member = "serviceAccount:${google_service_account.int_test.email}" } -resource "google_billing_account_iam_member" "int_test_ba_billing_iam" { +resource "google_billing_test_account_iam_member" "int_test_ba_billing_iam" { count = length(local.int_required_ba_billing_iam_roles) billing_account_id = var.billing_iam_test_account From 23d6c0dde8b6cc583b7190ac028c4c13a34246f6 Mon Sep 17 00:00:00 2001 
From: Kunal Kumar Gupta Date: Tue, 11 Feb 2020 10:07:54 -0600 Subject: [PATCH 04/12] Fixing billing account resource --- test/setup/iam.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/setup/iam.tf b/test/setup/iam.tf index 05aab87a..6f93ca5b 100644 --- a/test/setup/iam.tf +++ b/test/setup/iam.tf @@ -76,7 +76,7 @@ resource "google_billing_account_iam_member" "int_test_ba" { member = "serviceAccount:${google_service_account.int_test.email}" } -resource "google_billing_test_account_iam_member" "int_test_ba_billing_iam" { +resource "google_billing_account_iam_member" "int_test_ba_billing_iam" { count = length(local.int_required_ba_billing_iam_roles) billing_account_id = var.billing_iam_test_account From 058181e11a9b694f9f2b493e201db27a4cadc51c Mon Sep 17 00:00:00 2001 From: Kunal Kumar Gupta Date: Tue, 11 Feb 2020 14:28:30 -0600 Subject: [PATCH 05/12] Added billing_test_account_id variable in setup outputs. --- test/setup/outputs.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/test/setup/outputs.tf b/test/setup/outputs.tf index 04c0b89e..4405ace3 100644 --- a/test/setup/outputs.tf +++ b/test/setup/outputs.tf @@ -49,3 +49,8 @@ output "random_hexes" { value = random_id.random_hexes[*].hex description = "List of pre-generated random id hexes. Required for 'for_each' to work when testing static scerarios." } + +output "billing_iam_test_account" { + value = var.billing_iam_test_account + description = "The billing iam test account id is for the billing-iam-module, only for testing, e.g. XXXXXX-YYYYYY-ZZZZZZ" +} From b56cafbef39a64205390fa391e61c9b52e087d04 Mon Sep 17 00:00:00 2001 From: Kunal Kumar Gupta Date: Tue, 11 Feb 2020 15:05:48 -0600 Subject: [PATCH 06/12] Adding env var billing_iam_test_account to build config --- build/int.cloudbuild.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index 0e4e0537..1a1936b8 100644 --- a/build/int.cloudbuild.yaml 
+++ b/build/int.cloudbuild.yaml @@ -21,6 +21,7 @@ steps: - 'TF_VAR_org_id=$_ORG_ID' - 'TF_VAR_folder_id=$_FOLDER_ID' - 'TF_VAR_billing_account=$_BILLING_ACCOUNT' + - 'TF_VAR_billing_iam_test_account=$_BILLING_IAM_TEST_ACCOUNT' - id: create member-iam-local waitFor: From 36193795b4f9e3e1144e548cb37945634c3eed59 Mon Sep 17 00:00:00 2001 From: Kunal Kumar Gupta Date: Tue, 11 Feb 2020 15:21:19 -0600 Subject: [PATCH 07/12] Add billing-iam test to Cloud Build --- build/int.cloudbuild.yaml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index 1a1936b8..9f93942e 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml 
@@ -44,6 +44,30 @@ steps: name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy member-iam-local'] +# ----- SUITE billing-iam-local + +- id: create billing-iam-local + waitFor: + - prepare + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create billing-iam-local'] +- id: converge billing-iam-local + waitFor: + - create billing-iam-local + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge billing-iam-local'] +- id: verify billing-iam-local + waitFor: + - converge billing-iam-local + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify billing-iam-local'] +- id: destroy billing-iam-local + waitFor: + - verify billing-iam-local + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy billing-iam-local'] + + # ----- SUITE additive-local # verify additive-local with 2 roles From 8497afedf85bc6eb52f1b59ca96bb16ff8c3f5a8 Mon Sep 17 00:00:00 2001 From: Kunal Kumar Gupta Date: Tue, 11 Feb 2020 16:38:13 -0600 Subject: [PATCH 08/12] Increasing length of random_id --- test/fixtures/helper/base/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/fixtures/helper/base/main.tf b/test/fixtures/helper/base/main.tf index c05c0102..7a415cb3 100644 --- a/test/fixtures/helper/base/main.tf +++ b/test/fixtures/helper/base/main.tf 
@@ -35,7 +35,7 @@ resource "google_folder" "test" { resource "random_id" "test" { count = local.n - byte_length = 2 + byte_length = 4 } resource "google_project" "test" { From ef6a69eb153e0428f129d922561d651033ac3521 Mon Sep 17 00:00:00 2001 From: Kunal Kumar Gupta Date: Wed, 12 Feb 2020 17:43:13 -0600 Subject: [PATCH 09/12] Fixed PR comments --- examples/billing_account/main.tf | 35 +++++++++++++------ examples/billing_account/outputs.tf | 30 ++++++++++++++++ examples/billing_account/variables.tf | 18 +++------- test/fixtures/billing-iam/main.tf | 31 ++-------------- test/fixtures/billing-iam/outputs.tf | 12 +++---- test/fixtures/billing-iam/variables.tf | 18 ++++------ .../billing-iam/controls/billing-iam.rb | 13 ++++--- test/integration/billing-iam/inspec.yml | 5 ++- test/setup/outputs.tf | 5 +++ 9 files changed, 92 insertions(+), 75 deletions(-) create mode 100644 examples/billing_account/outputs.tf diff --git a/examples/billing_account/main.tf b/examples/billing_account/main.tf index f5c4f5ac..7c911cdd 100644 --- a/examples/billing_account/main.tf +++ b/examples/billing_account/main.tf @@ -25,6 +25,30 @@ provider "google-beta" { version = "~> 2.7" } +locals { + + bindings={ + "roles/billing.viewer" = [ + "serviceAccount:billing-iam-test-01@${var.project_id}.iam.gserviceaccount.com", + ] + + "roles/billing.admin" = [ + "serviceAccount:billing-iam-test-01@${var.project_id}.iam.gserviceaccount.com", + "serviceAccount:billing-iam-test-02@${var.project_id}.iam.gserviceaccount.com", + ] + } +} + +resource "google_service_account" "service_account_01" { + account_id = "billing-iam-test-01" + project = var.project_id +} + +resource "google_service_account" "service_account_02" { + account_id = "billing-iam-test-02" + project = var.project_id +} + /****************************************** Module billing_account_iam_binding calling *****************************************/ 
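Review bot: In the new `locals` block the members are spelled out as `serviceAccount:billing-iam-test-01@${var.project_id}.iam.gserviceaccount.com` rather than referencing the `google_service_account` resources created a few lines below, so Terraform sees no dependency between the bindings and the accounts and may apply the IAM member before the account exists, which fails on a fresh project. Referencing the resource attributes fixes the ordering and removes the hand-built address: `"serviceAccount:${google_service_account.service_account_01.email}"` and `"serviceAccount:${google_service_account.service_account_02.email}"`. Separately, the example now binds `roles/billing.admin` where the replaced version used `billing.viewer` and `billing.user`; since examples get copied, a one-line comment saying why admin is needed here (or keeping the narrower role) would be worth adding. The module call that consumes `local.bindings` is in the next hunk.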
@@ -35,14 +59,5 @@ module "billing-account-iam" { mode = "additive" - bindings = { - "roles/billing.viewer" = [ - "user:${var.user_email}", - ] - - "roles/billing.user" = [ - "serviceAccount:${var.sa_email}", - "group:${var.group_email}", - ] - } + bindings = local.bindings } diff --git a/examples/billing_account/outputs.tf b/examples/billing_account/outputs.tf new file mode 100644 index 00000000..3c17a0c2 --- /dev/null +++ b/examples/billing_account/outputs.tf @@ -0,0 +1,30 @@ +/** + * Copyright 2019 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "service_account_address" { + value = [google_service_account.service_account_01.email, google_service_account.service_account_02.email] + description = "Member which was bound to projects." +} + +output "billing_account_ids" { + value = module.billing-account-iam.billing_account_ids + description = "Billing Accounts which received bindings." +} + +output "members" { + value = local.bindings + description = "Members which were bound to the billing accounts." +} diff --git a/examples/billing_account/variables.tf b/examples/billing_account/variables.tf index b1af0599..5add5a37 100644 --- a/examples/billing_account/variables.tf +++ b/examples/billing_account/variables.tf 
@@ -14,22 +14,12 @@ * limitations under the License. */ -variable "group_email" { - type = string - description = "Email for group to receive roles (ex. group@example.com)" -} - -variable "sa_email" { - type = string - description = "Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com)" -} - -variable "user_email" { +variable "billing_account_id" { type = string - description = "Email for group to receive roles (Ex. user@example.com)" + description = "Billing Account ID to apply IAM bindings" } -variable "billing_account_id" { +variable "project_id" { type = string - description = "Billing Account ID to apply IAM bindings" + description = "Project ID for the module" } diff --git a/test/fixtures/billing-iam/main.tf b/test/fixtures/billing-iam/main.tf index 1b26d284..9323b918 100644 --- a/test/fixtures/billing-iam/main.tf +++ b/test/fixtures/billing-iam/main.tf @@ -14,30 +14,6 @@ * limitations under the License. */ -locals { - billing_roles = ["roles/billing.admin", "roles/billing.viewer"] - members = [var.member1, var.member2] - - member_group_0 = [ - "serviceAccount:${var.member1}", - "serviceAccount:${var.member2}", - ] - - member_group_1 = [ - "serviceAccount:${var.member2}", - ] - - member_groups = [local.member_group_0, local.member_group_1] - - # 1 or 2 roles amount can be specified to generate that amount of bindings. - # This variability is used to test how the module behaves on configuration updates. - - billing_bindings = zipmap( - slice(local.billing_roles, 0, var.roles), - slice(local.member_groups, 0, var.roles) - ) -} - provider "google" { version = "~> 2.7" } 
@@ -49,8 +25,7 @@ provider "google-beta" { #additive module "iam_binding_billing_accounts_additive" { - source = "../../../modules/billing_accounts_iam" - mode = "additive" - bindings = local.billing_bindings - billing_account_ids = [var.billing_iam_test_account] + source = "../../../examples/billing_account" + billing_account_id = var.billing_iam_test_account + project_id = var.project_id } diff --git a/test/fixtures/billing-iam/outputs.tf b/test/fixtures/billing-iam/outputs.tf index 784a557a..5f6c4af2 100644 --- a/test/fixtures/billing-iam/outputs.tf +++ b/test/fixtures/billing-iam/outputs.tf @@ -20,15 +20,15 @@ output "billing_iam_test_account" { value = module.iam_binding_billing_accounts_additive.billing_account_ids - description = "Billing Accounts which received bindings." -} - -output "roles" { - value = module.iam_binding_billing_accounts_additive.roles - description = "Roles which were assigned to members." + description = "Billing Account which received bindings." } output "members" { value = module.iam_binding_billing_accounts_additive.members description = "Members which were bound to the billing accounts." } + +output "billing_sa_admin" { + value = var.billing_sa_admin + description = "Admin Service Account bound to Test Billing Account." +} diff --git a/test/fixtures/billing-iam/variables.tf b/test/fixtures/billing-iam/variables.tf index 5bb165c1..e694a18b 100644 --- a/test/fixtures/billing-iam/variables.tf +++ b/test/fixtures/billing-iam/variables.tf 
@@ -14,23 +14,17 @@ * limitations under the License. */ -variable "member1" { +variable "billing_iam_test_account" { type = string - description = "Member created for binding with roles." + description = "Billing Account ID to use for testing IAM policies/bindings." } -variable "member2" { +variable "billing_sa_admin" { type = string - description = "Member created for binding with roles." -} - -variable "roles" { - type = number - default = 2 - description = "Amount of roles to assign. Useful for testing how the module behaves on updates." + description = "Admin Service Account bound to Test Billing Account." } -variable "billing_iam_test_account" { +variable "project_id" { type = string - description = "Billing Accounts IDs list to add the IAM policies/bindings." + description = "Project ID" } diff --git a/test/integration/billing-iam/controls/billing-iam.rb b/test/integration/billing-iam/controls/billing-iam.rb index d143d645..8073253e 100644 --- a/test/integration/billing-iam/controls/billing-iam.rb +++ b/test/integration/billing-iam/controls/billing-iam.rb @@ -16,6 +16,7 @@ billing_iam_test_account = attribute('billing_iam_test_account') members = attribute('members') +billing_sa_admin = attribute('billing_sa_admin') control "GCP Billing IAM" do title "GCP Billing Bindings" @@ -34,13 +35,17 @@ describe "members" do it "are bound" do - members.each do |member| - expect(data['bindings'][0]['members']).to include(member) + members.each_value do |member_value| + member_value.each do |member| + expect(data['bindings'][0]['members']).to include(member) + end end end - it "are admin" do - expect(data['bindings'][0]['role']).to eq 'roles/billing.admin' + describe "Billing IAM SA" do + it "is bound" do + expect(data['bindings'][0]['members']).to include("serviceAccount:#{billing_sa_admin}") + end end end end diff --git a/test/integration/billing-iam/inspec.yml b/test/integration/billing-iam/inspec.yml index 8e0ac369..90fd8dba 100644 
--- a/test/integration/billing-iam/inspec.yml +++ b/test/integration/billing-iam/inspec.yml @@ -22,4 +22,7 @@ attributes: type: array - name: members required: true - type: array + type: hash + - name: billing_sa_admin + required: true + type: string diff --git a/test/setup/outputs.tf b/test/setup/outputs.tf index 4405ace3..7b738174 100644 --- a/test/setup/outputs.tf +++ b/test/setup/outputs.tf @@ -45,6 +45,11 @@ output "member2" { description = "Members created for binding with roles." } +output "billing_sa_admin" { + value = google_service_account.int_test.email + description = "Admin Service Account bound to Test Billing Account." +} + output "random_hexes" { value = random_id.random_hexes[*].hex description = "List of pre-generated random id hexes. Required for 'for_each' to work when testing static scerarios." From 0f515481975346185ac8a70708f7fdf3a2afa023 Mon Sep 17 00:00:00 2001 From: Kunal Kumar Gupta Date: Thu, 13 Feb 2020 09:23:54 -0600 Subject: [PATCH 10/12] Fixed lint test issues --- examples/billing_account/README.md | 12 +++++++++--- examples/billing_account/main.tf | 2 +- test/fixtures/billing-iam/main.tf | 6 +++--- 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/examples/billing_account/README.md b/examples/billing_account/README.md index 474da886..c61c21da 100644 --- a/examples/billing_account/README.md +++ b/examples/billing_account/README.md 
@@ -8,9 +8,15 @@ This example illustrates how to use the `billing_accounts_iam` submodule | Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| | billing\_account\_id | Billing Account ID to apply IAM bindings | string | n/a | yes | -| group\_email | Email for group to receive roles (ex. group@example.com) | string | n/a | yes | -| sa\_email | Email for Service Account to receive roles (Ex. default-sa@example-project-id.iam.gserviceaccount.com) | string | n/a | yes | -| user\_email | Email for group to receive roles (Ex. user@example.com) | string | n/a | yes | +| project\_id | Project ID for the module | string | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| billing\_account\_ids | Billing Accounts which received bindings. | +| members | Members which were bound to the billing accounts. | +| service\_account\_address | Member which was bound to projects. | diff --git a/examples/billing_account/main.tf b/examples/billing_account/main.tf index 7c911cdd..2d0b8c9a 100644 --- a/examples/billing_account/main.tf +++ b/examples/billing_account/main.tf @@ -27,7 +27,7 @@ provider "google-beta" { locals { - bindings={ + bindings = { "roles/billing.viewer" = [ "serviceAccount:billing-iam-test-01@${var.project_id}.iam.gserviceaccount.com", ] diff --git a/test/fixtures/billing-iam/main.tf b/test/fixtures/billing-iam/main.tf index 9323b918..42d03dd4 100644 --- a/test/fixtures/billing-iam/main.tf +++ b/test/fixtures/billing-iam/main.tf @@ -25,7 +25,7 @@ provider "google-beta" { #additive module "iam_binding_billing_accounts_additive" { - source = "../../../examples/billing_account" - billing_account_id = var.billing_iam_test_account - project_id = var.project_id + source = "../../../examples/billing_account" + billing_account_id = var.billing_iam_test_account + project_id = var.project_id } From 94baf3a344f5d7e1048d85f172c2db9c8cd9e2b6 Mon Sep 17 00:00:00 2001 
From: Kunal Kumar Gupta Date: Fri, 14 Feb 2020 12:18:30 -0600 Subject: [PATCH 11/12] Fixed PR comments --- examples/billing_account/README.md | 2 +- examples/billing_account/outputs.tf | 4 ++-- test/fixtures/billing-iam/outputs.tf | 9 ++------ test/fixtures/billing-iam/variables.tf | 5 ---- .../billing-iam/controls/billing-iam.rb | 23 ++++++++----------- test/integration/billing-iam/inspec.yml | 5 +--- 6 files changed, 16 insertions(+), 32 deletions(-) diff --git a/examples/billing_account/README.md b/examples/billing_account/README.md index c61c21da..ff1d2823 100644 --- a/examples/billing_account/README.md +++ b/examples/billing_account/README.md @@ -16,7 +16,7 @@ This example illustrates how to use the `billing_accounts_iam` submodule |------|-------------| | billing\_account\_ids | Billing Accounts which received bindings. | | members | Members which were bound to the billing accounts. | -| service\_account\_address | Member which was bound to projects. | +| service\_account\_addresses | Service Account Addresses which were bound to projects. | diff --git a/examples/billing_account/outputs.tf b/examples/billing_account/outputs.tf index 3c17a0c2..ba02156c 100644 --- a/examples/billing_account/outputs.tf +++ b/examples/billing_account/outputs.tf @@ -14,9 +14,9 @@ * limitations under the License. */ -output "service_account_address" { +output "service_account_addresses" { value = [google_service_account.service_account_01.email, google_service_account.service_account_02.email] - description = "Member which was bound to projects." + description = "Service Account Addresses which were bound to projects." } output "billing_account_ids" { diff --git a/test/fixtures/billing-iam/outputs.tf b/test/fixtures/billing-iam/outputs.tf index 5f6c4af2..c3371f7a 100644 --- a/test/fixtures/billing-iam/outputs.tf +++ b/test/fixtures/billing-iam/outputs.tf 
@@ -18,17 +18,12 @@ #Additive -output "billing_iam_test_account" { +output "billing_iam_test_accounts" { value = module.iam_binding_billing_accounts_additive.billing_account_ids - description = "Billing Account which received bindings." + description = "Billing Accounts which received bindings." } output "members" { value = module.iam_binding_billing_accounts_additive.members description = "Members which were bound to the billing accounts." } - -output "billing_sa_admin" { - value = var.billing_sa_admin - description = "Admin Service Account bound to Test Billing Account." -} diff --git a/test/fixtures/billing-iam/variables.tf b/test/fixtures/billing-iam/variables.tf index e694a18b..7bc1ccf7 100644 --- a/test/fixtures/billing-iam/variables.tf +++ b/test/fixtures/billing-iam/variables.tf @@ -19,11 +19,6 @@ variable "billing_iam_test_account" { description = "Billing Account ID to use for testing IAM policies/bindings." } -variable "billing_sa_admin" { - type = string - description = "Admin Service Account bound to Test Billing Account." -} - variable "project_id" { type = string description = "Project ID" diff --git a/test/integration/billing-iam/controls/billing-iam.rb b/test/integration/billing-iam/controls/billing-iam.rb index 8073253e..50d1f72c 100644 --- a/test/integration/billing-iam/controls/billing-iam.rb +++ b/test/integration/billing-iam/controls/billing-iam.rb 
@@ -14,14 +14,13 @@ # Billing Bindings -billing_iam_test_account = attribute('billing_iam_test_account') +billing_iam_test_accounts = attribute('billing_iam_test_accounts') members = attribute('members') -billing_sa_admin = attribute('billing_sa_admin') control "GCP Billing IAM" do title "GCP Billing Bindings" - billing_iam_test_account.each do |billing_iam_test_account| - describe command ("gcloud beta billing accounts get-iam-policy #{billing_iam_test_account} --format=json") do + billing_iam_test_accounts.each do |billing_iam_test_accounts| + describe command ("gcloud beta billing accounts get-iam-policy #{billing_iam_test_accounts} --format=json") do its(:exit_status) { should eq 0 } its(:stderr) { should eq '' } @@ -35,16 +34,14 @@ describe "members" do it "are bound" do - members.each_value do |member_value| - member_value.each do |member| - expect(data['bindings'][0]['members']).to include(member) - end + transformed_data={} + data['bindings'].each do |binding| + transformed_data.store(binding["role"],binding["members"]) end - end - - describe "Billing IAM SA" do - it "is bound" do - expect(data['bindings'][0]['members']).to include("serviceAccount:#{billing_sa_admin}") + members.each do |role,saMembers| + saMembers.each do |member| + expect(transformed_data[role]).to include(member) + end end end end diff --git a/test/integration/billing-iam/inspec.yml b/test/integration/billing-iam/inspec.yml index 90fd8dba..377d973b 100644 --- a/test/integration/billing-iam/inspec.yml +++ b/test/integration/billing-iam/inspec.yml @@ -14,7 +14,7 @@ name: billing-iam attributes: - - name: billing_iam_test_account + - name: billing_iam_test_accounts required: true type: array - name: roles @@ -23,6 +23,3 @@ attributes: - name: members required: true type: hash - - name: billing_sa_admin - required: true - type: string From ed6555ce0361dd7d351cf9be2275ec348dea91ed Mon Sep 17 00:00:00 2001 
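Review bot: The block parameter in `billing_iam_test_accounts.each do |billing_iam_test_accounts|` shadows the array it iterates, so the same name means the whole list outside the block and a single account id inside it; use the singular for the element, `billing_iam_test_accounts.each do |billing_iam_test_account|`, and interpolate that into the gcloud command. That id is also dropped into a shell command string unquoted; it comes from a Terraform output rather than user input, so the risk is low, but quoting it or passing it through `Shellwords.escape` keeps a stray space or metacharacter from producing a malformed command that fails for the wrong reason. `describe command (...)` has a space before the parenthesis, which Ruby parses as `command((...))` and warns about; drop the space. The `control` block continues past the end of this hunk.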
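Review bot: `transformed_data.store(binding["role"],binding["members"])` keeps only the last binding seen for a role, so when a billing account policy carries more than one binding for the same role (as it can with IAM Conditions) members from the earlier bindings vanish and the `include` expectation fails spuriously; accumulate instead, `transformed_data = Hash.new { |h, k| h[k] = [] }` and `transformed_data[binding["role"]].concat(Array(binding["members"]))`. The same two lines are carried unchanged as context into the later hunk of this file in the next patch, so the fix belongs here. `saMembers` should be `sa_members` to match the file's snake_case locals, and the `it "are bound"` block would read better with `expect(transformed_data).to include(role)` before the member check so a missing role reports as a missing role rather than as a missing member. The enclosing `describe "members"` starts before this hunk.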
From: Kunal Kumar Gupta Date: Fri, 14 Feb 2020 15:07:54 -0600 Subject: [PATCH 12/12] Fixed test for billing-iam --- test/fixtures/billing-iam/outputs.tf | 5 +++++ test/integration/billing-iam/controls/billing-iam.rb | 9 ++++----- test/integration/billing-iam/inspec.yml | 3 +++ 3 files changed, 12 insertions(+), 5 deletions(-) diff --git a/test/fixtures/billing-iam/outputs.tf b/test/fixtures/billing-iam/outputs.tf index c3371f7a..e5195a31 100644 --- a/test/fixtures/billing-iam/outputs.tf +++ b/test/fixtures/billing-iam/outputs.tf @@ -27,3 +27,8 @@ output "members" { value = module.iam_binding_billing_accounts_additive.members description = "Members which were bound to the billing accounts." } + +output "project_id" { + value = var.project_id + description = "Project ID" +} diff --git a/test/integration/billing-iam/controls/billing-iam.rb b/test/integration/billing-iam/controls/billing-iam.rb index 50d1f72c..7da631ae 100644 --- a/test/integration/billing-iam/controls/billing-iam.rb +++ b/test/integration/billing-iam/controls/billing-iam.rb @@ -16,6 +16,7 @@ billing_iam_test_accounts = attribute('billing_iam_test_accounts') members = attribute('members') +project_id = attribute('project_id') control "GCP Billing IAM" do title "GCP Billing Bindings" @@ -38,11 +39,9 @@ data['bindings'].each do |binding| transformed_data.store(binding["role"],binding["members"]) end - members.each do |role,saMembers| - saMembers.each do |member| - expect(transformed_data[role]).to include(member) - end - end + expect(transformed_data["roles/billing.viewer"]).to include("serviceAccount:billing-iam-test-01@#{project_id}.iam.gserviceaccount.com") + expect(transformed_data["roles/billing.admin"]).to include("serviceAccount:billing-iam-test-01@#{project_id}.iam.gserviceaccount.com") + expect(transformed_data["roles/billing.admin"]).to include("serviceAccount:billing-iam-test-02@#{project_id}.iam.gserviceaccount.com") end end end 
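Review bot: With the `members.each` loop removed, the `members = attribute('members')` read that the first hunk of this file keeps as context appears to have no remaining use, while `inspec.yml` still declares `members` as a required hash and the fixture still outputs it; either drop the attribute and output, or derive the three expectations from it instead of hard-coding `billing-iam-test-01`/`-02` and the two role names, so the control and the fixture cannot drift apart silently. The three `expect(...).to include(...)` lines prove only that the expected service accounts are present on `roles/billing.viewer` and `roles/billing.admin`, which is the right shape for additive bindings but worth stating, `# additive bindings: assert presence only, other members may exist`, so a later reader does not tighten it to an equality check that would break on unrelated principals. The `transformed_data` build just above these lines still keeps only the last binding per role, so a policy with two bindings for one role would make these assertions fail spuriously. The `control` and `it` blocks begin outside this hunk.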
diff --git a/test/integration/billing-iam/inspec.yml b/test/integration/billing-iam/inspec.yml
index 377d973b..2f9a0e5d 100644
--- a/test/integration/billing-iam/inspec.yml
+++ b/test/integration/billing-iam/inspec.yml
@@ -23,3 +23,6 @@ attributes:
 - name: members
 required: true
 type: hash
+ - name: project_id
+ required: true
+ type: string