E2E tests for folder module (#1876)

E2E tests for folder module

modules/folder/README.md

@@ -21,26 +21,26 @@ This module allows the creation and management of folders, including support for
 ```hcl
 module "folder" {
   source = "./fabric/modules/folder"
-  parent = "organizations/1234567890"
+  parent = var.folder_id
   name   = "Folder name"
   group_iam = {
-    "cloud-owners@example.org" = [
+    "${var.group_email}" = [
       "roles/owner",
       "roles/resourcemanager.folderAdmin",
       "roles/resourcemanager.projectCreator"
     ]
   }
   iam = {
-    "roles/owner" = ["user:one@example.org"]
+    "roles/owner" = ["serviceAccount:${var.service_account.email}"]
   }
   iam_bindings_additive = {
     am1-storage-admin = {
-      member = "user:am1@example.org"
+      member = "serviceAccount:${var.service_account.email}"
       role   = "roles/storage.admin"
     }
   }
 }
-# tftest modules=1 resources=5 inventory=iam.yaml
+# tftest modules=1 resources=5 inventory=iam.yaml e2e
 ```
 
 ## IAM
@@ -62,7 +62,7 @@ To manage organization policies, the `orgpolicy.googleapis.com` service should b
 ```hcl
 module "folder" {
   source = "./fabric/modules/folder"
-  parent = "organizations/1234567890"
+  parent = var.folder_id
   name   = "Folder name"
   org_policies = {
     "compute.disableGuestAttributesAccess" = {
@@ -109,12 +109,67 @@ module "folder" {
     }
   }
 }
-# tftest modules=1 resources=8 inventory=org-policies.yaml
+# tftest modules=1 resources=8 inventory=org-policies.yaml e2e
 ```
 
 ### Organization Policy Factory
 
-See the [organization policy factory in the project module](../project#organization-policy-factory).
+Organization policies can be loaded from a directory containing YAML files where each file defines one or more constraints. The structure of the YAML files is exactly the same as the org_policies variable.
+
+Note that constraints defined via org_policies take precedence over those in org_policies_data_path. In other words, if you specify the same constraint in a YAML file and in the org_policies variable, the latter will take priority.
+
+The example below deploys a few organization policies split between two YAML files.
+
+```hcl
+module "folder" {
+  source                 = "./fabric/modules/folder"
+  parent                 = var.folder_id
+  name                   = "Folder name"
+  org_policies_data_path = "configs/org-policies/"
+}
+# tftest modules=1 resources=8 files=boolean,list inventory=org-policies.yaml e2e
+```
+
+```yaml
+# tftest-file id=boolean path=configs/org-policies/boolean.yaml
+compute.disableGuestAttributesAccess:
+  rules:
+  - enforce: true
+compute.skipDefaultNetworkCreation:
+  rules:
+  - enforce: true
+iam.disableServiceAccountKeyCreation:
+  rules:
+  - enforce: true
+iam.disableServiceAccountKeyUpload:
+  rules:
+  - condition:
+      description: test condition
+      expression: resource.matchTagId('tagKeys/1234', 'tagValues/1234')
+      location: somewhere
+      title: condition
+    enforce: true
+  - enforce: false
+```
+
+```yaml
+# tftest-file id=list path=configs/org-policies/list.yaml
+compute.trustedImageProjects:
+  rules:
+  - allow:
+      values:
+      - projects/my-project
+compute.vmExternalIpAccess:
+  rules:
+  - deny:
+      all: true
+iam.allowedPolicyMemberDomains:
+  rules:
+  - allow:
+      values:
+      - C0xxxxxxx
+      - C0yyyyyyy
+```
 
 ## Hierarchical Firewall Policy Attachments
 
@@ -133,7 +188,7 @@ module "firewall-policy" {
 
 module "folder" {
   source = "./fabric/modules/folder"
-  parent = "organizations/1234567890"
+  parent = var.folder_id
   name   = "Folder name"
   # attachment via the organization module
   firewall_policy = {
@@ -141,42 +196,41 @@ module "folder" {
     policy = module.firewall-policy.id
   }
 }
-# tftest modules=2 resources=3
+# tftest modules=2 resources=3 e2e
 ```
-
 ## Log Sinks
 
 ```hcl
 module "gcs" {
   source        = "./fabric/modules/gcs"
-  project_id    = "my-project"
+  project_id    = var.project_id
   name          = "gcs_sink"
   force_destroy = true
 }
 
 module "dataset" {
   source     = "./fabric/modules/bigquery-dataset"
-  project_id = "my-project"
+  project_id = var.project_id
   id         = "bq_sink"
 }
 
 module "pubsub" {
   source     = "./fabric/modules/pubsub"
-  project_id = "my-project"
+  project_id = var.project_id
   name       = "pubsub_sink"
 }
 
 module "bucket" {
   source      = "./fabric/modules/logging-bucket"
   parent_type = "project"
-  parent      = "my-project"
+  parent      = var.project_id
   id          = "bucket"
 }
 
 module "folder-sink" {
   source = "./fabric/modules/folder"
-  parent = "folders/657104291943"
-  name   = "my-folder"
+  name   = "Folder name"
+  parent = var.folder_id
   logging_sinks = {
     warnings = {
       destination = module.gcs.id
@@ -206,7 +260,7 @@ module "folder-sink" {
     no-gce-instances = "resource.type=gce_instance"
   }
 }
-# tftest modules=5 resources=14 inventory=logging.yaml
+# tftest modules=5 resources=14 inventory=logging.yaml e2e
 ```
 
 ## Data Access Logs
@@ -218,12 +272,12 @@ This example shows how to set a non-authoritative access log configuration:
 ```hcl
 module "folder" {
   source = "./fabric/modules/folder"
-  parent = "folders/657104291943"
-  name   = "my-folder"
+  parent = var.folder_id
+  name   = "Folder name"
   logging_data_access = {
     allServices = {
       # logs for principals listed here will be excluded
-      ADMIN_READ = ["group:organization-admins@example.org"]
+      ADMIN_READ = ["group:${var.group_email}"]
     }
     "storage.googleapis.com" = {
       DATA_READ  = []
@@ -231,7 +285,7 @@ module "folder" {
     }
   }
 }
-# tftest modules=1 resources=3 inventory=logging-data-access.yaml
+# tftest modules=1 resources=3 inventory=logging-data-access.yaml e2e
 ```
 
 ## Tags
@@ -256,14 +310,13 @@ module "org" {
 
 module "folder" {
   source = "./fabric/modules/folder"
-  name   = "Test"
-  parent = module.org.organization_id
+  name   = "Folder name"
+  parent = var.folder_id
   tag_bindings = {
     env-prod = module.org.tag_values["environment/prod"].id
-    foo      = "tagValues/12345678"
   }
 }
-# tftest modules=2 resources=6 inventory=tags.yaml
+# tftest modules=2 resources=5 inventory=tags.yaml e2e
 ```
 
 <!-- TFDOC OPTS files:1 -->

tests/modules/folder/examples/iam.yaml

@@ -15,27 +15,27 @@
 values:
   module.folder.google_folder.folder[0]:
     display_name: Folder name
-    parent: organizations/1234567890
+    parent: folders/1122334455
     timeouts: null
   module.folder.google_folder_iam_binding.authoritative["roles/owner"]:
     condition: []
     members:
-    - group:cloud-owners@example.org
-    - user:one@example.org
+    - group:organization-admins@example.org
+    - serviceAccount:service_account_email
     role: roles/owner
   module.folder.google_folder_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]:
     condition: []
     members:
-    - group:cloud-owners@example.org
+    - group:organization-admins@example.org
     role: roles/resourcemanager.folderAdmin
   module.folder.google_folder_iam_binding.authoritative["roles/resourcemanager.projectCreator"]:
     condition: []
     members:
-    - group:cloud-owners@example.org
+    - group:organization-admins@example.org
     role: roles/resourcemanager.projectCreator
   module.folder.google_folder_iam_member.bindings["am1-storage-admin"]:
     condition: []
-    member: user:am1@example.org
+    member: serviceAccount:service_account_email
     role: roles/storage.admin
 
 counts:

tests/modules/folder/examples/logging-data-access.yaml

@@ -14,8 +14,8 @@
 
 values:
   module.folder.google_folder.folder[0]:
-    display_name: my-folder
-    parent: folders/657104291943
+    display_name: Folder name
+    parent: folders/1122334455
     timeouts: null
   module.folder.google_folder_iam_audit_config.default["allServices"]:
     audit_log_config:

tests/modules/folder/examples/logging.yaml

@@ -16,8 +16,8 @@ values:
   module.folder-sink.google_bigquery_dataset_iam_member.bq-sinks-binding["info"]:
     role: roles/bigquery.dataEditor
   module.folder-sink.google_folder.folder[0]:
-    display_name: my-folder
-    parent: folders/657104291943
+    display_name: Folder name
+    parent: folders/1122334455
   module.folder-sink.google_logging_folder_exclusion.logging-exclusion["no-gce-instances"]:
     description: no-gce-instances (Terraform-managed).
     filter: resource.type=gce_instance

tests/modules/folder/examples/org-policies.yaml

@@ -15,7 +15,7 @@
 values:
   module.folder.google_folder.folder[0]:
     display_name: Folder name
-    parent: organizations/1234567890
+    parent: folders/1122334455
   module.folder.google_org_policy_policy.default["compute.disableGuestAttributesAccess"]:
     spec:
     - inherit_from_parent: null

tests/modules/folder/examples/tags.yaml

@@ -16,13 +16,13 @@
 tests/examples/test_plan.py::test_example[modules/folder:Tags] values:
   module.folder.google_folder.folder[0]:
     display_name: Test
-    parent: organizations/1122334455
+    parent: folders/1122334455
   module.folder.google_tags_tag_binding.binding["env-prod"]: {}
   module.folder.google_tags_tag_binding.binding["foo"]:
     tag_value: tagValues/12345678
   module.org.google_tags_tag_key.default["environment"]:
     description: Environment specification.
-    parent: organizations/1122334455
+    parent: folders/1122334455
     purpose: null
     purpose_data: null
     short_name: environment
@@ -36,6 +36,6 @@ tests/examples/test_plan.py::test_example[modules/folder:Tags] values:
 
 counts:
   google_folder: 1
-  google_tags_tag_binding: 2
+  google_tags_tag_binding: 1
   google_tags_tag_key: 1
   google_tags_tag_value: 2