CI/CD support for Source Repository and Cloud Build (#669)

* add id to outputs

* initial cloud build implementation for stage 0

* comments

* stage 0

* stage 1, untested

* add support for IAM and CB triggers to source repository module

* refactor stage 0 to use sourcerepo module

* refactor stage 1 to use sourcerepo module

* file descriptions

* fix gitlab pipeline

tests/modules/source_repository/fixture/main.tf

@@ -14,9 +14,52 @@
  * limitations under the License.
  */
 
-module "test" {
-  source     = "../../../../modules/source-repository"
-  project_id = var.project_id
-  name       = var.name
-  iam        = var.iam
+variable "group_iam" {
+  type    = any
+  default = {}
+}
+
+variable "iam" {
+  type     = any
+  default  = {}
+  nullable = false
+}
+
+variable "iam_additive" {
+  type     = any
+  default  = {}
+  nullable = false
+}
+
+variable "iam_additive_members" {
+  type    = any
+  default = {}
+}
+
+variable "name" {
+  description = "Repository name."
+  type        = string
+  default     = "test"
+}
+
+variable "project_id" {
+  description = "Project used for resources."
+  type        = string
+  default     = "test"
+}
+
+variable "triggers" {
+  type    = any
+  default = null
+}
+
+module "test" {
+  source               = "../../../../modules/source-repository"
+  project_id           = var.project_id
+  name                 = var.name
+  group_iam            = var.group_iam
+  iam                  = var.iam
+  iam_additive         = var.iam_additive
+  iam_additive_members = var.iam_additive_members
+  triggers             = var.triggers
 }

tests/modules/source_repository/fixture/variables.tf

@@ -1,32 +0,0 @@
-/**
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-variable "project_id" {
-  type    = string
-  default = "test-project"
-}
-
-variable "iam" {
-  type = map(list(string))
-  default = {
-    "roles/source.reader" = ["foo@example.org"]
-  }
-}
-
-variable "name" {
-  type    = string
-  default = "test"
-}

tests/modules/source_repository/test_plan.py

@@ -12,23 +12,49 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-import pytest
 
-
-@pytest.fixture
-def resources(plan_runner):
+def test_resource_count(plan_runner):
+  'Test number of resources created.'
   _, resources = plan_runner()
-  return resources
+  assert len(resources) == 1
 
 
-def test_resource_count(resources):
-  "Test number of resources created."
-  assert len(resources) == 2
+def test_iam(plan_runner):
+  'Test IAM binding resources.'
+  group_iam = '{"fooers@example.org"=["roles/owner"]}'
+  iam = '''{
+    "roles/editor" = ["user:a@example.org", "user:b@example.org"]
+    "roles/owner" = ["user:c@example.org"]
+  }'''
+  _, resources = plan_runner(group_iam=group_iam, iam=iam)
+  bindings = {
+      r['values']['role']: r['values']['members']
+      for r in resources
+      if r['type'] == 'google_sourcerepo_repository_iam_binding'
+  }
+  assert bindings == {
+      'roles/editor': ['user:a@example.org', 'user:b@example.org'],
+      'roles/owner': ['group:fooers@example.org', 'user:c@example.org']
+  }
 
 
-def test_iam(resources):
-  "Test IAM binding resources."
-  bindings = [r['values'] for r in resources if r['type']
-              == 'google_sourcerepo_repository_iam_binding']
-  assert len(bindings) == 1
-  assert bindings[0]['role'] == 'roles/source.reader'
+def test_triggers(plan_runner):
+  'Test trigger resources.'
+  triggers = '''{
+    foo = {
+      filename = "ci/foo.yaml"
+      included_files = ["**/*yaml"]
+      service_account = null
+      substitutions = null
+      template = {
+        branch_name = null
+        project_id = null
+        tag_name = "foo"
+      }
+    }
+  }'''
+  _, resources = plan_runner(triggers=triggers)
+  triggers = [
+      r['index'] for r in resources if r['type'] == 'google_cloudbuild_trigger'
+  ]
+  assert triggers == ['foo']