Adding tests for billing-iam module

chrisghill · Feb 10, 2020 · c710204 · c710204
1 parent e14ae96
commit c710204
Show file tree

Hide file tree

Showing 9 changed files with 225 additions and 1 deletion.
diff --git a/.kitchen.yml b/.kitchen.yml
@@ -84,3 +84,16 @@ suites:
           backend: local
     provisioner:
       name: terraform
+
+  - name: billing-iam
+    driver:
+      name: terraform
+      command_timeout: 1800
+      root_module_directory: test/fixtures/billing-iam
+    verifier:
+      name: terraform
+      systems:
+        - name: billing-iam
+          backend: local
+    provisioner:
+      name: terraform
diff --git a/Makefile b/Makefile
@@ -39,6 +39,7 @@ docker_test_prepare:
 		-e TF_VAR_org_id \
 		-e TF_VAR_folder_id \
 		-e TF_VAR_billing_account \
+		-e TF_VAR_billing_iam_test_account \
 		-v $(CURDIR):/workspace \
 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
 		/usr/local/bin/execute_with_credentials.sh prepare_environment
@@ -51,6 +52,7 @@ docker_test_cleanup:
 		-e TF_VAR_org_id \
 		-e TF_VAR_folder_id \
 		-e TF_VAR_billing_account \
+		-e TF_VAR_billing_iam_test_account \
 		-v $(CURDIR):/workspace \
 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
 		/usr/local/bin/execute_with_credentials.sh cleanup_environment

diff --git a/test/fixtures/billing-iam/main.tf b/test/fixtures/billing-iam/main.tf
@@ -0,0 +1,56 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  billing_roles = ["roles/billing.admin", "roles/billing.viewer"]
+  members       = [var.member1, var.member2]
+
+  member_group_0 = [
+    "serviceAccount:${var.member1}",
+    "serviceAccount:${var.member2}",
+  ]
+
+  member_group_1 = [
+    "serviceAccount:${var.member2}",
+  ]
+
+  member_groups = [local.member_group_0, local.member_group_1]
+
+  # 1 or 2 roles amount can be specified to generate that amount of bindings.
+  # This variability is used to test how the module behaves on configuration updates.
+
+  billing_bindings = zipmap(
+    slice(local.billing_roles, 0, var.roles),
+    slice(local.member_groups, 0, var.roles)
+  )
+}
+
+provider "google" {
+  version = "~> 2.7"
+}
+
+provider "google-beta" {
+  version = "~> 2.7"
+}
+
+#additive
+
+module "iam_binding_billing_accounts_additive" {
+  source              = "../../../modules/billing_accounts_iam"
+  mode                = "additive"
+  bindings            = local.billing_bindings
+  billing_account_ids = [var.billing_iam_test_account]
+}
diff --git a/test/fixtures/billing-iam/outputs.tf b/test/fixtures/billing-iam/outputs.tf
@@ -0,0 +1,34 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# Resources
+
+#Additive
+
+output "billing_iam_test_account" {
+  value       = module.iam_binding_billing_accounts_additive.billing_account_ids
+  description = "Billing Accounts which received bindings."
+}
+
+output "roles" {
+  value       = module.iam_binding_billing_accounts_additive.roles
+  description = "Roles which were assigned to members."
+}
+
+output "members" {
+  value       = module.iam_binding_billing_accounts_additive.members
+  description = "Members which were bound to the billing accounts."
+}
diff --git a/test/fixtures/billing-iam/variables.tf b/test/fixtures/billing-iam/variables.tf
@@ -0,0 +1,36 @@
+/**
+ * Copyright 2019 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "member1" {
+  type        = string
+  description = "Member created for binding with roles."
+}
+
+variable "member2" {
+  type        = string
+  description = "Member created for binding with roles."
+}
+
+variable "roles" {
+  type        = number
+  default     = 2
+  description = "Amount of roles to assign. Useful for testing how the module behaves on updates."
+}
+
+variable "billing_iam_test_account" {
+  type        = string
+  description = "Billing Accounts IDs list to add the IAM policies/bindings."
+}
diff --git a/test/integration/billing-iam/controls/billing-iam.rb b/test/integration/billing-iam/controls/billing-iam.rb
@@ -0,0 +1,48 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Billing Bindings
+
+billing_iam_test_account = attribute('billing_iam_test_account')
+members = attribute('members')
+
+control "GCP Billing IAM" do
+            title "GCP Billing Bindings"
+            billing_iam_test_account.each do |billing_iam_test_account|
+                describe command ("gcloud beta billing accounts get-iam-policy #{billing_iam_test_account} --format=json") do
+                its(:exit_status) { should eq 0 }
+                its(:stderr) { should eq '' }
+
+                let!(:data) do
+                    if subject.exit_status == 0
+                        JSON.parse(subject.stdout)
+                    else
+                        {}
+                    end
+                end
+
+                describe "members" do
+                it "are bound" do
+                    members.each do |member|
+                        expect(data['bindings'][0]['members']).to include(member)
+                    end
+                end
+
+                it "are admin" do
+                    expect(data['bindings'][0]['role']).to eq 'roles/billing.admin'
+                end
+            end
+        end
+    end
+end
diff --git a/test/integration/billing-iam/inspec.yml b/test/integration/billing-iam/inspec.yml
@@ -0,0 +1,25 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: billing-iam
+attributes:
+  - name: billing_iam_test_account
+    required: true
+    type: array
+  - name: roles
+    required: true
+    type: array
+  - name: members
+    required: true
+    type: array
diff --git a/test/setup/iam.tf b/test/setup/iam.tf
@@ -72,7 +72,13 @@ resource "google_billing_account_iam_member" "int_test_ba" {
   member             = "serviceAccount:${google_service_account.int_test.email}"
 }
 
+resource "google_billing_account_iam_member" "int_test_ba_billing_iam" {
+
+  billing_account_id = var.billing_iam_test_account
+  role               = "roles/billing.admin"
+  member             = "serviceAccount:${google_service_account.int_test.email}"
+}
+
 resource "google_service_account_key" "int_test" {
   service_account_id = google_service_account.int_test.id
 }
-
diff --git a/test/setup/variables.tf b/test/setup/variables.tf
@@ -24,3 +24,7 @@ variable "folder_id" {
 variable "billing_account" {
   description = "The billing account id associated with the project, e.g. XXXXXX-YYYYYY-ZZZZZZ"
 }
+
+variable "billing_iam_test_account" {
+  description = "The billing iam test account id is for the billing-iam-module, only for testing, e.g. XXXXXX-YYYYYY-ZZZZZZ"
+}