kovagoadi/hunfabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Organization module end-to-end tests (#1860)

Browse Source 
* added tag serial to mark tests to be run serially
* always run tests using loadgroup distribution to make use of serial tag
* added end-to-end tests for organization, not adding to custom constraints as the name has to be unique
* fixed granting custom roles created in the same module call
This commit is contained in:
Wiktor Niesiobędzki
2023-11-14 18:54:59 +01:00
committed by GitHub
parent 1c2f1c7b0d
commit 03bf0b15b3
10 changed files with 66 additions and 81 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
modules/organization/README.md
View File

@@ -35,16 +35,16 @@ To manage organization policies, the `orgpolicy.googleapis.com` service should b
```hcl
module "org" {
source = "./fabric/modules/organization"
organization_id = "organizations/1234567890"
organization_id = var.organization_id
group_iam = {
"cloud-owners@example.org" = ["roles/owner", "roles/projectCreator"]
(var.group_email) = ["roles/owner"]
}
iam = {
"roles/resourcemanager.projectCreator" = ["group:cloud-admins@example.org"]
"roles/resourcemanager.projectCreator" = ["group:${var.group_email}"]
}
iam_bindings_additive = {
am1-storage-admin = {
member = "user:am1@example.org"
member = "group:${var.group_email}"
role = "roles/storage.admin"
}
}
@@ -57,9 +57,6 @@ module "org" {
}
}
org_policies = {
"custom.gkeEnableAutoUpgrade" = {
rules = [{ enforce = true }]
}
"compute.disableGuestAttributesAccess" = {
rules = [{ enforce = true }]
}
@@ -118,7 +115,7 @@ module "org" {
}
}
}
# tftest modules=1 resources=15 inventory=basic.yaml
# tftest modules=1 resources=13 inventory=basic.yaml e2e serial
```
## IAM
@@ -262,7 +259,7 @@ module "org" {
policy = module.firewall-policy.id
}
}
# tftest modules=2 resources=2
# tftest modules=2 resources=2 e2e serial
```
## Log Sinks
@@ -273,6 +270,7 @@ The following example shows how to define organization-level log sinks:
module "gcs" {
source = "./fabric/modules/gcs"
project_id = var.project_id
prefix = var.prefix
name = "gcs_sink"
force_destroy = true
}
@@ -292,7 +290,7 @@ module "pubsub" {
module "bucket" {
source = "./fabric/modules/logging-bucket"
parent_type = "project"
parent = "my-project"
parent = var.project_id
id = "bucket"
}
@@ -330,7 +328,7 @@ module "org" {
no-gce-instances = "resource.type=gce_instance"
}
}
# tftest modules=5 resources=13 inventory=logging.yaml
# tftest modules=5 resources=13 inventory=logging.yaml e2e serial
```
## Data Access Logs
@@ -344,7 +342,7 @@ module "org" {
logging_data_access = {
allServices = {
# logs for principals listed here will be excluded
ADMIN_READ = ["group:organization-admins@example.org"]
ADMIN_READ = ["group:${var.group_email}"]
}
"storage.googleapis.com" = {
DATA_READ = []
@@ -352,12 +350,12 @@ module "org" {
}
}
}
# tftest modules=1 resources=2 inventory=logging-data-access.yaml
# tftest modules=1 resources=2 inventory=logging-data-access.yaml e2e serial
```
## Custom Roles
Custom roles can be defined via the `custom_roles` variable, and referenced via the `custom_role_id` output:
Custom roles can be defined via the `custom_roles` variable, and referenced via the `custom_role_id` output (this also provides explicit dependency on the custom role):
```hcl
module "org" {
@@ -369,10 +367,10 @@ module "org" {
]
}
iam = {
(module.org.custom_role_id.myRole) = ["user:me@example.com"]
(module.org.custom_role_id.myRole) = ["group:${var.group_email}"]
}
}
# tftest modules=1 resources=2 inventory=roles.yaml
# tftest modules=1 resources=2 inventory=roles.yaml e2e serial
```
## Tags
@@ -387,14 +385,14 @@ module "org" {
environment = {
description = "Environment specification."
iam = {
"roles/resourcemanager.tagAdmin" = ["group:admins@example.com"]
"roles/resourcemanager.tagAdmin" = ["group:${var.group_email}"]
}
values = {
dev = {}
prod = {
description = "Environment: production."
iam = {
"roles/resourcemanager.tagViewer" = ["user:user1@example.com"]
"roles/resourcemanager.tagViewer" = ["group:${var.group_email}"]
}
}
}
@@ -402,10 +400,9 @@ module "org" {
}
tag_bindings = {
env-prod = module.org.tag_values["environment/prod"].id
foo = "tagValues/12345678"
}
}
# tftest modules=1 resources=7 inventory=tags.yaml
# tftest modules=1 resources=6 inventory=tags.yaml e2e serial
```
You can also define network tags, through a dedicated variable *network_tags*:
@@ -417,23 +414,23 @@ module "org" {
network_tags = {
net-environment = {
description = "This is a network tag."
network = "my_project/my_vpc"
network = "${var.project_id}/${var.vpc.name}"
iam = {
"roles/resourcemanager.tagAdmin" = ["group:admins@example.com"]
"roles/resourcemanager.tagAdmin" = ["group:${var.group_email}"]
}
values = {
dev = null
prod = {
description = "Environment: production."
iam = {
"roles/resourcemanager.tagUser" = ["user:user1@example.com"]
"roles/resourcemanager.tagUser" = ["group:${var.group_email}"]
}
}
}
}
}
}
# tftest modules=1 resources=5 inventory=network-tags.yaml
# tftest modules=1 resources=5 inventory=network-tags.yaml e2e serial
```
<!-- TFDOC OPTS files:1 -->

3
modules/organization/iam.tf
View File

@@ -46,6 +46,7 @@ resource "google_organization_iam_binding" "authoritative" {
org_id = local.organization_id_numeric
role = each.key
members = each.value
# ensuring that custom role exists is left to the caller, by leveraging custom_role_id output
}
resource "google_organization_iam_binding" "bindings" {
@@ -61,6 +62,7 @@ resource "google_organization_iam_binding" "bindings" {
description = each.value.condition.description
}
}
# ensuring that custom role exists is left to the caller, by leveraging custom_role_id output
}
resource "google_organization_iam_member" "bindings" {
@@ -76,4 +78,5 @@ resource "google_organization_iam_member" "bindings" {
description = each.value.condition.description
}
}
# ensuring that custom role exists is left to the caller, by leveraging custom_role_id output
}