Merge branch 'fast-dev'

Ludo
2025-04-18 17:34:08 +02:00
208 changed files with 3735 additions and 696 deletions


@@ -54,7 +54,6 @@ locals {
"servicenetworking.googleapis.com",
"serviceusage.googleapis.com",
"sqladmin.googleapis.com",
"stackdriver.googleapis.com",
"storage-component.googleapis.com",
"storage.googleapis.com",
"vpcaccess.googleapis.com",


@@ -28,9 +28,9 @@ counts:
google_project: 4
google_project_iam_audit_config: 2
google_project_iam_binding: 32
google_project_iam_member: 34
google_project_service: 54
google_project_service_identity: 10
google_project_iam_member: 36
google_project_service: 56
google_project_service_identity: 12
google_service_account: 16
google_service_account_iam_binding: 6
google_service_account_iam_member: 2
@@ -43,4 +43,4 @@ counts:
google_tags_tag_key: 1
google_tags_tag_value: 4
modules: 50
resources: 289
resources: 295


@@ -35,9 +35,9 @@ values:
disabled: null
display_name: null
oidc:
- allowed_audiences: []
issuer_uri: https://token.actions.githubusercontent.com
jwks_json: null
- allowed_audiences: []
issuer_uri: https://token.actions.githubusercontent.com
jwks_json: null
project: fast-prod-iac-core-0
saml: []
timeouts: null
@@ -66,9 +66,9 @@ values:
disabled: null
display_name: null
oidc:
- allowed_audiences: []
issuer_uri: https://gitlab.com
jwks_json: null
- allowed_audiences: []
issuer_uri: https://gitlab.com
jwks_json: null
project: fast-prod-iac-core-0
saml: []
timeouts: null
@@ -133,7 +133,7 @@ values:
? module.automation-tf-bootstrap-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]
: condition: []
members:
- serviceAccount:fast-prod-bootstrap-1r@fast-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:fast-prod-bootstrap-1r@fast-prod-iac-core-0.iam.gserviceaccount.com
role: roles/iam.serviceAccountTokenCreator
? module.automation-tf-bootstrap-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"]
: bucket: fast-prod-iac-core-outputs-0
@@ -149,10 +149,10 @@ values:
member: serviceAccount:fast-prod-bootstrap-0@fast-prod-iac-core-0.iam.gserviceaccount.com
project: fast-prod-iac-core-0
timeouts: null
module.automation-tf-bootstrap-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
condition: []
? module.automation-tf-bootstrap-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]
: condition: []
members:
- serviceAccount:fast-prod-bootstrap-1@fast-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:fast-prod-bootstrap-1@fast-prod-iac-core-0.iam.gserviceaccount.com
role: roles/iam.serviceAccountTokenCreator
? module.automation-tf-bootstrap-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"]
: bucket: fast-prod-iac-core-outputs-0
@@ -162,8 +162,8 @@ values:
: condition: []
project: fast-prod-iac-core-0
role: roles/logging.logWriter
module.automation-tf-cicd-r-sa["bootstrap"].google_service_account.service_account[0]:
account_id: fast-prod-bootstrap-1r
? module.automation-tf-cicd-r-sa["bootstrap"].google_service_account.service_account[0]
: account_id: fast-prod-bootstrap-1r
create_ignore_already_exists: null
description: null
disabled: false
@@ -183,8 +183,8 @@ values:
: condition: []
project: fast-prod-iac-core-0
role: roles/logging.logWriter
module.automation-tf-cicd-r-sa["resman"].google_service_account.service_account[0]:
account_id: fast-prod-resman-1r
? module.automation-tf-cicd-r-sa["resman"].google_service_account.service_account[0]
: account_id: fast-prod-resman-1r
create_ignore_already_exists: null
description: null
disabled: false
@@ -204,8 +204,8 @@ values:
: condition: []
project: fast-prod-iac-core-0
role: roles/logging.logWriter
module.automation-tf-cicd-r-sa["resman-tenants"].google_service_account.service_account[0]:
account_id: fast-prod-resman-tenants-1r
? module.automation-tf-cicd-r-sa["resman-tenants"].google_service_account.service_account[0]
: account_id: fast-prod-resman-tenants-1r
create_ignore_already_exists: null
description: null
disabled: false
@@ -225,8 +225,8 @@ values:
: condition: []
project: fast-prod-iac-core-0
role: roles/logging.logWriter
module.automation-tf-cicd-sa["bootstrap"].google_service_account.service_account[0]:
account_id: fast-prod-bootstrap-1
? module.automation-tf-cicd-sa["bootstrap"].google_service_account.service_account[0]
: account_id: fast-prod-bootstrap-1
create_ignore_already_exists: null
description: null
disabled: false
@@ -246,8 +246,8 @@ values:
: condition: []
project: fast-prod-iac-core-0
role: roles/logging.logWriter
module.automation-tf-cicd-sa["resman"].google_service_account.service_account[0]:
account_id: fast-prod-resman-1
? module.automation-tf-cicd-sa["resman"].google_service_account.service_account[0]
: account_id: fast-prod-resman-1
create_ignore_already_exists: null
description: null
disabled: false
@@ -256,8 +256,8 @@ values:
member: serviceAccount:fast-prod-resman-1@fast-prod-iac-core-0.iam.gserviceaccount.com
project: fast-prod-iac-core-0
timeouts: null
module.automation-tf-cicd-sa["resman"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"]:
condition: []
? module.automation-tf-cicd-sa["resman"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"]
: condition: []
role: roles/iam.workloadIdentityUser
? module.automation-tf-cicd-sa["resman"].google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.objectViewer"]
: bucket: fast-prod-iac-core-outputs-0
@@ -267,8 +267,8 @@ values:
: condition: []
project: fast-prod-iac-core-0
role: roles/logging.logWriter
module.automation-tf-cicd-sa["resman-tenants"].google_service_account.service_account[0]:
account_id: fast-prod-resman-tenants-1
? module.automation-tf-cicd-sa["resman-tenants"].google_service_account.service_account[0]
: account_id: fast-prod-resman-tenants-1
create_ignore_already_exists: null
description: null
disabled: false
@@ -277,8 +277,8 @@ values:
member: serviceAccount:fast-prod-resman-tenants-1@fast-prod-iac-core-0.iam.gserviceaccount.com
project: fast-prod-iac-core-0
timeouts: null
module.automation-tf-cicd-sa["resman-tenants"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"]:
condition: []
? module.automation-tf-cicd-sa["resman-tenants"].google_service_account_iam_binding.authoritative["roles/iam.workloadIdentityUser"]
: condition: []
role: roles/iam.workloadIdentityUser
? module.automation-tf-cicd-sa["resman-tenants"].google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.objectViewer"]
: bucket: fast-prod-iac-core-outputs-0
@@ -294,11 +294,11 @@ values:
member: serviceAccount:fast-prod-resman-0r@fast-prod-iac-core-0.iam.gserviceaccount.com
project: fast-prod-iac-core-0
timeouts: null
module.automation-tf-resman-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
condition: []
? module.automation-tf-resman-r-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]
: condition: []
members:
- serviceAccount:fast-prod-resman-1r@fast-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:fast-prod-resman-tenants-1r@fast-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:fast-prod-resman-1r@fast-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:fast-prod-resman-tenants-1r@fast-prod-iac-core-0.iam.gserviceaccount.com
role: roles/iam.serviceAccountTokenCreator
? module.automation-tf-resman-r-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-organizations/123456789012/roles/storageViewer"]
: bucket: fast-prod-iac-core-outputs-0
@@ -314,11 +314,11 @@ values:
member: serviceAccount:fast-prod-resman-0@fast-prod-iac-core-0.iam.gserviceaccount.com
project: fast-prod-iac-core-0
timeouts: null
module.automation-tf-resman-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
condition: []
? module.automation-tf-resman-sa.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]
: condition: []
members:
- serviceAccount:fast-prod-resman-1@fast-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:fast-prod-resman-tenants-1@fast-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:fast-prod-resman-1@fast-prod-iac-core-0.iam.gserviceaccount.com
- serviceAccount:fast-prod-resman-tenants-1@fast-prod-iac-core-0.iam.gserviceaccount.com
role: roles/iam.serviceAccountTokenCreator
? module.automation-tf-resman-sa.google_storage_bucket_iam_member.bucket-roles["fast-prod-iac-core-outputs-0-roles/storage.admin"]
: bucket: fast-prod-iac-core-outputs-0
@@ -335,16 +335,16 @@ counts:
google_logging_organization_sink: 4
google_logging_project_bucket_config: 4
google_org_policy_custom_constraint: 1
google_org_policy_policy: 34
google_org_policy_policy: 36
google_organization_iam_binding: 27
google_organization_iam_custom_role: 13
google_organization_iam_member: 29
google_project: 3
google_project_iam_audit_config: 1
google_project_iam_binding: 19
google_project_iam_member: 22
google_project_service: 31
google_project_service_identity: 7
google_project_iam_member: 23
google_project_service: 32
google_project_service_identity: 8
google_service_account: 12
google_service_account_iam_binding: 12
google_storage_bucket: 4
@@ -356,4 +356,4 @@ counts:
google_tags_tag_value: 2
local_file: 13
modules: 26
resources: 282
resources: 287


@@ -20,16 +20,16 @@ counts:
google_logging_organization_sink: 4
google_logging_project_bucket_config: 4
google_org_policy_custom_constraint: 1
google_org_policy_policy: 34
google_org_policy_policy: 36
google_organization_iam_binding: 27
google_organization_iam_custom_role: 13
google_organization_iam_member: 29
google_project: 3
google_project_iam_audit_config: 1
google_project_iam_binding: 19
google_project_iam_member: 16
google_project_service: 31
google_project_service_identity: 7
google_project_iam_member: 17
google_project_service: 32
google_project_service_identity: 8
google_service_account: 6
google_service_account_iam_binding: 6
google_storage_bucket: 4
@@ -41,7 +41,7 @@ counts:
google_tags_tag_value: 2
local_file: 8
modules: 20
resources: 245
resources: 250
outputs:
automation: __missing__
@@ -96,6 +96,7 @@ outputs:
gcp-devops: group:gcp-devops@fast.example.com
gcp-network-admins: group:gcp-vpc-network-admins@fast.example.com
gcp-organization-admins: group:gcp-organization-admins@fast.example.com
gcp-secops-admins: group:gcp-secops-admins@fast.example.com
gcp-security-admins: group:gcp-security-admins@fast.example.com
gcp-support: group:gcp-support@example.com
locations:
@@ -113,4 +114,3 @@ outputs:
workload_identity_pool:
pool: null
providers: {}


@@ -245,9 +245,13 @@ values:
- is:projects/windows-cloud
- is:projects/windows-sql-cloud
- is:projects/confidential-vm-images
- is:projects/confidential-space-images
- is:projects/backupdr-images
- is:projects/deeplearning-platform-release
- is:projects/serverless-vpc-access-images
- is:projects/gke-node-images
- is:projects/gke-windows-node-images
- is:projects/ubuntu-os-gke-cloud
denied_values: null
module.organization.google_org_policy_policy.default["compute.vmExternalIpAccess"]:
dry_run_spec: []
@@ -465,6 +469,21 @@ values:
- allowed_values:
- is:internal-and-cloud-load-balancing
denied_values: null
module.organization.google_org_policy_policy.default["run.managed.requireInvokerIam"]:
dry_run_spec: []
name: organizations/123456789012/policies/run.managed.requireInvokerIam
parent: organizations/123456789012
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
parameters: null
values: []
timeouts: null
module.organization.google_org_policy_policy.default["sql.restrictAuthorizedNetworks"]:
dry_run_spec: []
name: organizations/123456789012/policies/sql.restrictAuthorizedNetworks


@@ -13,23 +13,23 @@
# limitations under the License.
counts:
google_folder: 12
google_folder_iam_binding: 51
google_folder: 14
google_folder_iam_binding: 67
google_org_policy_policy: 2
google_organization_iam_member: 15
google_project_iam_member: 13
google_service_account: 13
google_service_account_iam_binding: 13
google_storage_bucket: 6
google_storage_bucket_iam_binding: 12
google_storage_bucket_iam_member: 13
google_storage_bucket_object: 15
google_tags_tag_binding: 12
google_organization_iam_member: 20
google_project_iam_member: 17
google_service_account: 17
google_service_account_iam_binding: 17
google_storage_bucket: 8
google_storage_bucket_iam_binding: 16
google_storage_bucket_iam_member: 17
google_storage_bucket_object: 19
google_tags_tag_binding: 14
google_tags_tag_key: 2
google_tags_tag_value: 12
google_tags_tag_value: 13
google_tags_tag_value_iam_binding: 4
modules: 32
resources: 195
modules: 40
resources: 247
outputs:
cicd_repositories:
@@ -49,6 +49,10 @@ outputs:
project-factory-ro: fast2-prod-resman-pf-0r@fast2-prod-automation.iam.gserviceaccount.com
project-factory-rw: fast2-prod-resman-pf-0@fast2-prod-automation.iam.gserviceaccount.com
sandbox: fast2-dev-resman-sbox-0@fast2-prod-automation.iam.gserviceaccount.com
secops-dev-ro: fast2-dev-resman-secops-0r@fast2-prod-automation.iam.gserviceaccount.com
secops-dev-rw: fast2-dev-resman-secops-0@fast2-prod-automation.iam.gserviceaccount.com
secops-ro: fast2-prod-resman-so-0r@fast2-prod-automation.iam.gserviceaccount.com
secops-rw: fast2-prod-resman-so-0@fast2-prod-automation.iam.gserviceaccount.com
security-ro: fast2-prod-resman-sec-0r@fast2-prod-automation.iam.gserviceaccount.com
security-rw: fast2-prod-resman-sec-0@fast2-prod-automation.iam.gserviceaccount.com


@@ -1,4 +1,4 @@
# Copyright 2024 Google LLC
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -12,6 +12,8 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../../../../modules/vpc-sc/schemas/access-level.schema.json
conditions:
- regions:
- IT
- IT


@@ -1,4 +1,4 @@
# Copyright 2024 Google LLC
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -12,6 +12,8 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../../../../modules/vpc-sc/schemas/access-level.schema.json
conditions:
- members:
- user:user@fast.example.com
- user:user@fast.example.com


@@ -1,4 +1,4 @@
# Copyright 2024 Google LLC
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -12,6 +12,8 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../../../../modules/vpc-sc/schemas/egress-policy.schema.json
from:
identities:
- user:user@fast.example.com
@@ -24,4 +26,4 @@ to:
method_selectors:
- "*"
resources:
- "*"
- "*"


@@ -0,0 +1,26 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../../../../modules/vpc-sc/schemas/ingress-policy.schema.json
from:
access_levels:
- "*"
identities:
- org_logging_writer_identities
to:
operations:
- service_name: "*"
resources:
- logging_project
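Review bot: The new `fast-org-log-sinks` ingress policy opens the perimeter to every access level and every service (`access_levels: - "*"` together with `service_name: "*"`), so the `org_logging_writer_identities` identity list is the only thing narrowing it, and the file does not say that this is deliberate. `org_logging_writer_identities` and `logging_project` look like symbolic names the stage resolves rather than literal values, which is worth stating for whoever copies this fixture into real stage data. A comment after the schema line such as `# source side intentionally unrestricted: the writer identity list is the control; target is scoped to the logging project only` would carry the intent.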


@@ -1,4 +1,4 @@
# Copyright 2024 Google LLC
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -12,6 +12,8 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../../../../modules/vpc-sc/schemas/ingress-policy.schema.json
from:
access_levels:
- "*"
@@ -26,4 +28,4 @@ to:
method_selectors:
- "*"
resources:
- "*"
- "*"


@@ -0,0 +1,30 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# yaml-language-server: $schema=../../../../../../../modules/vpc-sc/schemas/perimeters.schema.json
use_explicit_dry_run_spec: true
spec:
access_levels:
- geo_it
- identity_me
ingress_policies:
- fast-org-log-sinks
- test
egress_policies:
- test
restricted_services:
- restricted_services
resources:
- projects/1234567890
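Review bot: With `use_explicit_dry_run_spec: true` and only a `spec` block, this perimeter fixture describes a dry-run configuration and nothing enforced, which is fine for a test but is not stated anywhere in the file. The `restricted_services: - restricted_services` entry is not a service name; if it is a token the stage expands into its full restricted-services list (the tfvars fixture further down in this merge uses the same value), a one-line comment saying so would stop a reader from taking it for a typo. If that is how it works, a comment after the schema line like `# dry-run only (no status block); 'restricted_services' is a placeholder expanded by the stage` would cover both points.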


@@ -0,0 +1,27 @@
automation = {
outputs_bucket = "test"
}
logging = {
project_number = "1234567890"
writer_identities = {
audit-logs = "serviceAccount:service-org-1234567890@gcp-sa-logging.iam.gserviceaccount.com"
iam = "serviceAccount:service-org-1234567890@gcp-sa-logging.iam.gserviceaccount.com"
vpc-sc = "serviceAccount:service-org-1234567890@gcp-sa-logging.iam.gserviceaccount.com"
workspace-audit-logs = "serviceAccount:o1234567890-1234567890@gcp-sa-logging.iam.gserviceaccount.com"
}
}
organization = {
domain = "fast.example.com"
id = 123456789012
customer_id = "C00000000"
}
prefix = "fast"
factories_config = {
access_levels = "../../../tests/fast/stages/s1_vpcsc/data/vpc-sc/access-levels"
egress_policies = "../../../tests/fast/stages/s1_vpcsc/data/vpc-sc/egress-policies"
ingress_policies = "../../../tests/fast/stages/s1_vpcsc/data/vpc-sc/ingress-policies"
perimeters = "../../../tests/fast/stages/s1_vpcsc/data/vpc-sc/perimeters"
}
resource_discovery = {
enabled = false
}


@@ -23,12 +23,16 @@ factories_config = {
}
perimeters = {
default = {
access_levels = ["geo_it", "identity_me"]
egress_policies = ["test"]
ingress_policies = ["fast-org-log-sinks", "test"]
resources = [
"projects/1234567890"
]
use_explicit_dry_run_spec = true
spec = {
access_levels = ["geo_it", "identity_me"]
egress_policies = ["test"]
ingress_policies = ["fast-org-log-sinks", "test"]
restricted_services = ["restricted_services"]
resources = [
"projects/1234567890"
]
}
}
}
resource_discovery = {


@@ -28,7 +28,7 @@ values:
source: null
temporary_hold: null
timeouts: null
module.vpc-sc[0].google_access_context_manager_access_level.basic["geo_it"]:
module.vpc-sc.google_access_context_manager_access_level.basic["geo_it"]:
basic:
- combining_function: AND
conditions:
@@ -44,7 +44,7 @@ values:
description: null
timeouts: null
title: geo_it
module.vpc-sc[0].google_access_context_manager_access_level.basic["identity_me"]:
module.vpc-sc.google_access_context_manager_access_level.basic["identity_me"]:
basic:
- combining_function: AND
conditions:
@@ -60,12 +60,12 @@ values:
description: null
timeouts: null
title: identity_me
module.vpc-sc[0].google_access_context_manager_access_policy.default[0]:
module.vpc-sc.google_access_context_manager_access_policy.default[0]:
parent: organizations/123456789012
scopes: null
timeouts: null
title: default
module.vpc-sc[0].google_access_context_manager_service_perimeter.regular["default"]:
module.vpc-sc.google_access_context_manager_service_perimeter.regular["default"]:
description: null
perimeter_type: PERIMETER_TYPE_REGULAR
spec:


@@ -1,4 +1,4 @@
# Copyright 2024 Google LLC
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -16,3 +16,6 @@ module: fast/stages/1-vpcsc
tests:
simple:
factory:
inventory:
- simple.yaml


@@ -36,10 +36,10 @@ counts:
google_network_connectivity_spoke: 2
google_project: 3
google_project_iam_binding: 2
google_project_iam_member: 20
google_project_service: 26
google_project_service_identity: 20
google_project_iam_member: 22
google_project_service: 28
google_project_service_identity: 22
google_storage_bucket_object: 1
google_tags_tag_binding: 3
modules: 23
resources: 179
resources: 185


@@ -40,11 +40,11 @@ counts:
google_monitoring_monitored_project: 2
google_project: 3
google_project_iam_binding: 2
google_project_iam_member: 20
google_project_service: 26
google_project_service_identity: 20
google_project_iam_member: 22
google_project_service: 28
google_project_service_identity: 22
google_storage_bucket_object: 1
google_tags_tag_binding: 3
modules: 28
random_id: 3
resources: 196
resources: 202


@@ -38,11 +38,11 @@ counts:
google_monitoring_monitored_project: 2
google_project: 3
google_project_iam_binding: 2
google_project_iam_member: 20
google_project_service: 26
google_project_service_identity: 20
google_project_iam_member: 22
google_project_service: 28
google_project_service_identity: 22
google_storage_bucket_object: 1
google_tags_tag_binding: 3
modules: 30
random_id: 17
resources: 243
resources: 249


@@ -43,11 +43,11 @@ counts:
google_network_connectivity_spoke: 4
google_project: 3
google_project_iam_binding: 2
google_project_iam_member: 19
google_project_service: 25
google_project_service_identity: 19
google_project_iam_member: 22
google_project_service: 28
google_project_service_identity: 22
google_storage_bucket_object: 1
google_tags_tag_binding: 3
modules: 38
random_id: 6
resources: 260
resources: 269


@@ -45,11 +45,11 @@ counts:
google_monitoring_monitored_project: 2
google_project: 3
google_project_iam_binding: 2
google_project_iam_member: 19
google_project_service: 25
google_project_service_identity: 19
google_project_iam_member: 22
google_project_service: 28
google_project_service_identity: 22
google_storage_bucket_object: 1
google_tags_tag_binding: 3
modules: 46
random_id: 6
resources: 270
resources: 279


@@ -45,11 +45,11 @@ counts:
google_monitoring_monitored_project: 2
google_project: 3
google_project_iam_binding: 2
google_project_iam_member: 19
google_project_service: 25
google_project_service_identity: 19
google_project_iam_member: 22
google_project_service: 28
google_project_service_identity: 22
google_storage_bucket_object: 1
google_tags_tag_binding: 3
modules: 42
random_id: 6
resources: 246
resources: 255


@@ -38,11 +38,11 @@ counts:
google_monitoring_dashboard: 6
google_project: 2
google_project_iam_binding: 2
google_project_iam_member: 16
google_project_service: 20
google_project_service_identity: 16
google_project_iam_member: 18
google_project_service: 22
google_project_service_identity: 18
google_storage_bucket_object: 1
google_tags_tag_binding: 2
modules: 22
random_id: 6
resources: 216
resources: 222


@@ -0,0 +1,32 @@
automation = {
outputs_bucket = "test"
}
billing_account = {
id = "000000-111111-222222"
}
custom_roles = {
project_iam_viewer = "organizations/123456789012/roles/bar"
}
environments = {
"dev" : {
"is_default" : true,
"key" : "dev",
"name" : "Development",
"short_name" : "dev",
"tag_name" : "development"
}
}
essential_contacts = "gcp-secops-admins@fast.example.com"
folder_ids = {
secops = "folders/12345678"
}
organization = {
domain = "fast.example.com"
id = 123456789012
customer_id = "C00000000"
}
prefix = "fast"
tag_values = {
"environment/development" = "tagValues/12345"
"environment/production" = "tagValues/12346"
}


@@ -0,0 +1,34 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
counts:
google_essential_contacts_contact: 1
google_project: 1
google_project_iam_binding: 1
google_project_iam_member: 1
google_project_service: 2
google_project_service_identity: 1
google_storage_bucket_object: 1
google_tags_tag_binding: 1
modules: 2
resources: 9
outputs:
federated_identity_pool: null
secops_project_ids:
dev: fast-dev-secops-0
tfvars:
federated_identity_pool: null
secops_project_ids:
dev: fast-dev-secops-0


@@ -0,0 +1,18 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
module: fast/stages/2-secops
tests:
simple:


@@ -19,9 +19,9 @@ counts:
google_container_node_pool: 1
google_project: 1
google_project_iam_binding: 1
google_project_iam_member: 16
google_project_service: 12
google_project_service_identity: 7
google_project_iam_member: 17
google_project_service: 13
google_project_service_identity: 8
google_service_account: 1
modules: 5
resources: 42
resources: 45


@@ -0,0 +1,45 @@
billing_account = {
id = "012345-67890A-BCDEF0",
}
project_reuse = null
folder_ids = {
"secops-dev" = "folders/123456789"
}
tenant_config = {
customer_id = "xxxxxx-xxxxxx-xxxxxx"
region = "europe"
}
secops_project_ids = {
dev = "fast-dev-secops-0"
}
iam_default = {
viewers = ["gcp-secops-admins@fast.example.com"]
}
iam = {
"user:test@fast.example.com" = {
roles = ["roles/chronicle.editor"]
scopes = ["gscope"]
}
}
workspace_integration_config = {
delegated_user = "secops-feed@fast.example.com"
workspace_customer_id = "C121212"
}
data_rbac_config = {
labels = {
google = {
description = "Google logs"
label_id = "google"
udm_query = "principal.hostname=\"google.com\""
}
}
scopes = {
google = {
description = "Google logs"
scope_id = "gscope"
allowed_data_access_labels = [{
data_access_label = "google"
}]
}
}
}


@@ -0,0 +1,37 @@
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
counts:
google_apikeys_key: 1
google_chronicle_data_access_label: 1
google_chronicle_data_access_scope: 1
google_chronicle_reference_list: 1
google_chronicle_rule: 1
google_chronicle_rule_deployment: 1
google_org_policy_policy: 1
google_project: 1
google_project_iam_custom_role: 2
google_project_iam_member: 5
google_project_service: 9
google_project_service_identity: 5
google_secret_manager_secret: 2
google_secret_manager_secret_version: 2
google_service_account: 1
google_service_account_key: 1
modules: 4
resources: 41
restful_resource: 6
outputs:
project_id: fast-dev-secops-0
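Review bot: This new inventory carries `# Copyright 2024 Google LLC` while the other files added in this merge, including the sibling tftest.yaml that follows, carry 2025; the header should read `# Copyright 2025 Google LLC`. Beyond that, the expected plan pins `google_service_account_key: 1`, `google_apikeys_key: 1` and two Secret Manager secret/version pairs, so the stage apparently mints a user-managed service account key and an API key and stores them as secrets. The inventory cannot show which module does this or why (the `workspace_integration_config` block in the tfvars fixture is a plausible consumer), so the purpose of those credentials and the rotation expectation belong in the stage documentation rather than only in a count.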


@@ -0,0 +1,18 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
module: fast/stages/3-secops-dev/
tests:
simple:


@@ -43,11 +43,12 @@ module "project-service" {
"dns.googleapis.com",
"eventarc.googleapis.com",
"iam.googleapis.com",
"logging.googleapis.com",
"monitoring.googleapis.com",
"run.googleapis.com",
"secretmanager.googleapis.com",
"servicenetworking.googleapis.com",
"serviceusage.googleapis.com",
"stackdriver.googleapis.com",
"storage-component.googleapis.com",
"storage.googleapis.com",
"vpcaccess.googleapis.com",


@@ -44,6 +44,6 @@ counts:
google_cloud_run_v2_service: 1
google_vpc_access_connector: 1
modules: 4
resources: 56
resources: 59
outputs: {}


@@ -31,6 +31,15 @@ values:
private_ip_google_access: true
project: project-id
region: europe-west1
? module.vpc.google_compute_subnetwork.subnetwork["europe-west1/hybrid"]
: description: Terraform-managed.
ip_cidr_range: 10.0.4.0/24
log_config: []
name: hybrid
private_ip_google_access: true
project: project-id
region: europe-west1
allow_subnet_cidr_routes_overlap: true
? module.vpc.google_compute_subnetwork.subnetwork["europe-west1/with-flow-logs"]
: description: Terraform-managed.
ip_cidr_range: 10.0.3.0/24
@@ -56,4 +65,4 @@ values:
counts:
google_compute_network: 1
google_compute_subnetwork: 4
google_compute_subnetwork: 5


@@ -54,8 +54,8 @@ values:
- serviceAccount:test-pf-dev-tb-app0-0-ro@test-pf-teams-iac-0.iam.gserviceaccount.com
- serviceAccount:test-pf-dev-tb-app0-0-rw@test-pf-teams-iac-0.iam.gserviceaccount.com
role: roles/storage.objectViewer
module.project-factory.module.automation-service-accounts["dev-tb-app0-0/ro"].google_service_account.service_account[0]:
account_id: test-pf-dev-tb-app0-0-ro
? module.project-factory.module.automation-service-accounts["dev-tb-app0-0/automation/ro"].google_service_account.service_account[0]
: account_id: test-pf-dev-tb-app0-0-ro
create_ignore_already_exists: null
description: Team B app 0 read-only automation sa.
disabled: false
@@ -64,8 +64,8 @@ values:
member: serviceAccount:test-pf-dev-tb-app0-0-ro@test-pf-teams-iac-0.iam.gserviceaccount.com
project: test-pf-teams-iac-0
timeouts: null
module.project-factory.module.automation-service-accounts["dev-tb-app0-0/rw"].google_service_account.service_account[0]:
account_id: test-pf-dev-tb-app0-0-rw
? module.project-factory.module.automation-service-accounts["dev-tb-app0-0/automation/rw"].google_service_account.service_account[0]
: account_id: test-pf-dev-tb-app0-0-rw
create_ignore_already_exists: null
description: Team B app 0 read/write automation sa.
disabled: false
@@ -257,6 +257,26 @@ values:
: project: test-pf-dev-ta-app0-be
service: container.googleapis.com
timeouts: null
module.project-factory.module.projects["dev-ta-app0-be"].google_tags_tag_key.default["my-tag-key-1"]:
description: Managed by the Terraform project-factory module.
parent: projects/test-pf-dev-ta-app0-be
purpose: null
purpose_data: null
short_name: my-tag-key-1
timeouts: null
module.project-factory.module.projects["dev-ta-app0-be"].google_tags_tag_value.default["my-tag-key-1/my-value-1"]:
description: My value 1
short_name: my-value-1
timeouts: null
module.project-factory.module.projects["dev-ta-app0-be"].google_tags_tag_value.default["my-tag-key-1/my-value-2"]:
description: My value 3
short_name: my-value-2
timeouts: null
? module.project-factory.module.projects["dev-ta-app0-be"].google_tags_tag_value_iam_binding.default["my-tag-key-1/my-value-2:roles/resourcemanager.tagUser"]
: condition: []
members:
- user:user@example.com
role: roles/resourcemanager.tagUser
module.project-factory.module.projects["dev-tb-app0-0"].data.google_storage_project_service_account.gcs_sa[0]:
project: test-pf-dev-tb-app0-0
user_project: null
@@ -515,6 +535,6 @@ counts:
google_storage_project_service_account: 4
google_tags_tag_binding: 1
modules: 20
resources: 70
resources: 74
outputs: {}
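Review bot: The automation service-account module keys change from `dev-tb-app0-0/ro` and `dev-tb-app0-0/rw` to `dev-tb-app0-0/automation/ro` and `dev-tb-app0-0/automation/rw` (the same rename appears in the automation-service-accounts module inventory that follows); for an existing deployment that is a new `for_each` key, so Terraform will plan to destroy and recreate those service accounts and their IAM bindings unless the module ships a `moved` block, which the inventories cannot show. Worth confirming and calling out in the changelog, since a recreated service account changes its unique id even when the email stays the same. Separately, `description: My value 3` on tag value `my-value-2` reads like a copy-paste slip in the test data that the inventory mirrors; if the source data is intentional, ignore.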


@@ -13,7 +13,7 @@
# limitations under the License.
values:
module.automation-service-accounts["service1/ro"].google_service_account.service_account[0]:
module.automation-service-accounts["service1/automation/ro"].google_service_account.service_account[0]:
account_id: my-prefix-service1-ro
create_ignore_already_exists: null
description: Service read-only automation sa.
@@ -23,7 +23,7 @@ values:
member: serviceAccount:my-prefix-service1-ro@service-iac.iam.gserviceaccount.com
project: service-iac
timeouts: null
module.automation-service-accounts["service1/rw"].google_service_account.service_account[0]:
module.automation-service-accounts["service1/automation/rw"].google_service_account.service_account[0]:
account_id: my-prefix-service1-rw
create_ignore_already_exists: null
description: Service read/write automation sa.


@@ -44,13 +44,7 @@ values:
- projects/222221
restricted_services: null
vpc_accessible_services: []
status:
- access_levels: null
egress_policies: []
ingress_policies: []
resources: null
restricted_services: null
vpc_accessible_services: []
status: []
title: b2
use_explicit_dry_run_spec: true


@@ -49,9 +49,9 @@ values:
parent: accessPolicies/12345678
timeouts: null
title: identity-user1
module.test.google_access_context_manager_service_perimeter.regular["r1"]:
description: null
name: accessPolicies/12345678/servicePerimeters/r1
module.test.google_access_context_manager_service_perimeter.regular["perimeter-north"]:
description: Main perimeter
name: accessPolicies/12345678/servicePerimeters/perimeter-north
parent: accessPolicies/12345678
perimeter_type: PERIMETER_TYPE_REGULAR
spec: []
@@ -62,7 +62,7 @@ values:
- serviceAccount:bar@myproject.iam.gserviceaccount.com
- serviceAccount:foo@myproject.iam.gserviceaccount.com
identity_type: null
source_restriction: 'SOURCE_RESTRICTION_DISABLED'
source_restriction: SOURCE_RESTRICTION_DISABLED
sources: []
egress_to:
- external_resources: null
@@ -104,9 +104,11 @@ values:
service_name: '*'
resources:
- projects/1234567890
- projects/321
- projects/654
resources:
- projects/11111
- projects/111111
- projects/1111
- projects/2222
restricted_services:
- storage.googleapis.com
vpc_accessible_services:
@@ -114,7 +116,7 @@ values:
- storage.googleapis.com
enable_restriction: true
timeouts: null
title: r1
title: perimeter-north
use_explicit_dry_run_spec: false
counts:


@@ -108,8 +108,8 @@ values:
roles: null
title: sa-tf-test
resources:
- projects/11111
- projects/111111
- projects/1111
- projects/2222
restricted_services:
- storage.googleapis.com
vpc_accessible_services:


@@ -1,6 +0,0 @@
# skip boilerplate check
# tftest schema=modules/vpc-sc/schemas/access-level.schema.json fail
# fails because members must be prefixed with serviceAccount: or user:
conditions:
- members:
- "group:group@example.com"


@@ -1,6 +0,0 @@
# skip boilerplate check
# tftest schema=modules/vpc-sc/schemas/access-level.schema.json fail
# fails because members must be prefixed with serviceAccount: or user:
conditions:
- members:
- "user@example.com"