kovagoadi/hunfabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'master' into elia-gcve

Browse Source
This commit is contained in:
Ludovico Magnocavallo
2023-08-14 11:56:47 +02:00
committed by GitHub
parent a509756f1b adf2621727
commit 5689aacac2
114 changed files with 2156 additions and 1339 deletions
Download Patch File Download Diff File Expand all files Collapse all files

598
tests/blueprints/data_solutions/shielded_folder/examples/simple.yaml
View File

@@ -13,21 +13,611 @@
# limitations under the License.
values:
module.test.module.folder.google_compute_firewall_policy.policy["prefix-fw-policy"]:
short_name: prefix-fw-policy
module.test.module.firewall-policy.google_compute_firewall_policy.hierarchical[0]:
description: null
short_name: default
timeouts: null
module.test.module.firewall-policy.google_compute_firewall_policy_rule.hierarchical["egress/allow-admins"]:
action: allow
description: Access from the admin subnet to all subnets
direction: INGRESS
disabled: false
enable_logging: null
match:
- dest_address_groups: null
dest_fqdns: null
dest_ip_ranges: null
dest_region_codes: null
dest_threat_intelligences: null
layer4_configs:
- ip_protocol: all
ports: null
src_address_groups: null
src_fqdns: null
src_ip_ranges:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
src_region_codes: null
src_threat_intelligences: null
priority: 1000
target_resources: null
target_service_accounts: null
timeouts: null
module.test.module.firewall-policy.google_compute_firewall_policy_rule.hierarchical["egress/allow-healthchecks"]:
action: allow
description: Enable HTTP and HTTPS healthchecks
direction: INGRESS
disabled: false
enable_logging: null
match:
- dest_address_groups: null
dest_fqdns: null
dest_ip_ranges: null
dest_region_codes: null
dest_threat_intelligences: null
layer4_configs:
- ip_protocol: all
ports: null
src_address_groups: null
src_fqdns: null
src_ip_ranges:
- 35.191.0.0/16
- 130.211.0.0/22
- 209.85.152.0/22
- 209.85.204.0/22
src_region_codes: null
src_threat_intelligences: null
priority: 1001
target_resources: null
target_service_accounts: null
timeouts: null
module.test.module.firewall-policy.google_compute_firewall_policy_rule.hierarchical["egress/allow-icmp"]:
action: allow
description: Enable ICMP
direction: INGRESS
disabled: false
enable_logging: null
match:
- dest_address_groups: null
dest_fqdns: null
dest_ip_ranges: null
dest_region_codes: null
dest_threat_intelligences: null
layer4_configs:
- ip_protocol: all
ports: null
src_address_groups: null
src_fqdns: null
src_ip_ranges:
- 0.0.0.0/0
src_region_codes: null
src_threat_intelligences: null
priority: 1003
target_resources: null
target_service_accounts: null
timeouts: null
module.test.module.firewall-policy.google_compute_firewall_policy_rule.hierarchical["egress/allow-ssh-from-iap"]:
action: allow
description: Enable SSH from IAP
direction: INGRESS
disabled: false
enable_logging: null
match:
- dest_address_groups: null
dest_fqdns: null
dest_ip_ranges: null
dest_region_codes: null
dest_threat_intelligences: null
layer4_configs:
- ip_protocol: all
ports: null
src_address_groups: null
src_fqdns: null
src_ip_ranges:
- 35.235.240.0/20
src_region_codes: null
src_threat_intelligences: null
priority: 1002
target_resources: null
target_service_accounts: null
timeouts: null
module.test.module.folder-workload.google_folder.folder[0]:
display_name: prefix-workload
timeouts: null
module.test.module.folder.google_bigquery_dataset_iam_member.bq-sinks-binding["audit-logs"]:
condition: []
role: roles/bigquery.dataEditor
module.test.module.folder.google_bigquery_dataset_iam_member.bq-sinks-binding["vpc-sc"]:
condition: []
role: roles/bigquery.dataEditor
module.test.module.folder.google_folder.folder[0]:
display_name: ShieldedMVP
parent: organizations/1234567890123
timeouts: null
module.test.module.folder.google_folder_iam_binding.authoritative["roles/editor"]:
condition: []
members:
- group:gcp-data-engineers@example.com
role: roles/editor
module.test.module.folder.google_folder_iam_binding.authoritative["roles/iam.serviceAccountTokenCreator"]:
condition: []
members:
- group:gcp-data-engineers@example.com
role: roles/iam.serviceAccountTokenCreator
module.test.module.folder.google_logging_folder_sink.sink["audit-logs"]:
description: audit-logs (Terraform-managed).
disabled: false
exclusions: []
filter: logName:"/logs/cloudaudit.googleapis.com%2Factivity" OR logName:"/logs/cloudaudit.googleapis.com%2Fsystem_event"
include_children: true
name: audit-logs
module.test.module.folder.google_logging_folder_sink.sink["vpc-sc"]:
description: vpc-sc (Terraform-managed).
disabled: false
exclusions: []
filter: protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
include_children: true
name: vpc-sc
module.test.module.folder.google_org_policy_policy.default["compute.disableGuestAttributesAccess"]:
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
values: []
timeouts: null
module.test.module.folder.google_org_policy_policy.default["compute.requireOsLogin"]:
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
values: []
timeouts: null
module.test.module.folder.google_org_policy_policy.default["compute.restrictLoadBalancerCreationForTypes"]:
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: null
values:
- allowed_values:
- in:INTERNAL
denied_values: null
timeouts: null
module.test.module.folder.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]:
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
values: []
timeouts: null
module.test.module.folder.google_org_policy_policy.default["compute.vmExternalIpAccess"]:
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: 'TRUE'
enforce: null
values: []
timeouts: null
module.test.module.folder.google_org_policy_policy.default["iam.automaticIamGrantsForDefaultServiceAccounts"]:
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
values: []
timeouts: null
module.test.module.folder.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]:
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
values: []
timeouts: null
module.test.module.folder.google_org_policy_policy.default["iam.disableServiceAccountKeyUpload"]:
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
values: []
timeouts: null
module.test.module.folder.google_org_policy_policy.default["run.allowedIngress"]:
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: null
values:
- allowed_values:
- is:internal
denied_values: null
timeouts: null
module.test.module.folder.google_org_policy_policy.default["sql.restrictAuthorizedNetworks"]:
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
values: []
timeouts: null
module.test.module.folder.google_org_policy_policy.default["sql.restrictPublicIp"]:
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
values: []
timeouts: null
module.test.module.folder.google_org_policy_policy.default["storage.uniformBucketLevelAccess"]:
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
values: []
timeouts: null
module.test.module.log-export-dataset[0].google_bigquery_dataset.default:
dataset_id: prefix_audit_export
default_encryption_configuration: []
default_partition_expiration_ms: null
default_table_expiration_ms: null
delete_contents_on_destroy: false
description: Terraform managed.
friendly_name: Audit logs export.
location: EU
max_time_travel_hours: '168'
project: prefix-audit-logs
timeouts: null
module.test.module.log-export-project[0].data.google_bigquery_default_service_account.bq_sa[0]:
project: prefix-audit-logs
module.test.module.log-export-project[0].data.google_storage_project_service_account.gcs_sa[0]:
project: prefix-audit-logs
user_project: null
module.test.module.log-export-project[0].google_project.project[0]:
auto_create_network: false
billing_account: 123456-123456-123456
labels: null
name: prefix-audit-logs
project_id: prefix-audit-logs
skip_delete: false
timeouts: null
module.test.module.log-export-project[0].google_project_iam_binding.authoritative["roles/editor"]:
condition: []
members:
- group:gcp-data-security@example.com
project: prefix-audit-logs
role: roles/editor
module.test.module.log-export-project[0].google_project_service.project_services["bigquery.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: prefix-audit-logs
service: bigquery.googleapis.com
timeouts: null
module.test.module.log-export-project[0].google_project_service.project_services["pubsub.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: prefix-audit-logs
service: pubsub.googleapis.com
timeouts: null
module.test.module.log-export-project[0].google_project_service.project_services["stackdriver.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: prefix-audit-logs
service: stackdriver.googleapis.com
timeouts: null
module.test.module.log-export-project[0].google_project_service.project_services["storage.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: prefix-audit-logs
service: storage.googleapis.com
timeouts: null
module.test.module.log-export-project[0].google_project_service_identity.jit_si["pubsub.googleapis.com"]:
project: prefix-audit-logs
service: pubsub.googleapis.com
timeouts: null
module.test.module.vpc-sc[0].google_access_context_manager_access_policy.default[0]:
parent: organizations/1122334455
timeouts: null
title: shielded-folder
module.test.module.vpc-sc[0].google_access_context_manager_service_perimeter.regular["shielded"]:
description: null
perimeter_type: PERIMETER_TYPE_REGULAR
spec:
- access_levels: []
egress_policies: []
ingress_policies:
- ingress_from:
- identity_type: null
sources:
- access_level: '*'
resource: null
ingress_to:
- operations:
- method_selectors: []
service_name: '*'
restricted_services:
- accessapproval.googleapis.com
- adsdatahub.googleapis.com
- aiplatform.googleapis.com
- alloydb.googleapis.com
- alpha-documentai.googleapis.com
- analyticshub.googleapis.com
- apigee.googleapis.com
- apigeeconnect.googleapis.com
- artifactregistry.googleapis.com
- assuredworkloads.googleapis.com
- automl.googleapis.com
- baremetalsolution.googleapis.com
- batch.googleapis.com
- beyondcorp.googleapis.com
- bigquery.googleapis.com
- bigquerydatapolicy.googleapis.com
- bigquerydatatransfer.googleapis.com
- bigquerymigration.googleapis.com
- bigqueryreservation.googleapis.com
- bigtable.googleapis.com
- binaryauthorization.googleapis.com
- cloudasset.googleapis.com
- cloudbuild.googleapis.com
- clouddebugger.googleapis.com
- clouderrorreporting.googleapis.com
- cloudfunctions.googleapis.com
- cloudkms.googleapis.com
- cloudprofiler.googleapis.com
- cloudresourcemanager.googleapis.com
- cloudsearch.googleapis.com
- cloudtrace.googleapis.com
- composer.googleapis.com
- compute.googleapis.com
- connectgateway.googleapis.com
- contactcenterinsights.googleapis.com
- container.googleapis.com
- containeranalysis.googleapis.com
- containerfilesystem.googleapis.com
- containerregistry.googleapis.com
- containerthreatdetection.googleapis.com
- contentwarehouse.googleapis.com
- datacatalog.googleapis.com
- dataflow.googleapis.com
- datafusion.googleapis.com
- datalineage.googleapis.com
- datamigration.googleapis.com
- datapipelines.googleapis.com
- dataplex.googleapis.com
- dataproc.googleapis.com
- datastream.googleapis.com
- dialogflow.googleapis.com
- dlp.googleapis.com
- dns.googleapis.com
- documentai.googleapis.com
- domains.googleapis.com
- essentialcontacts.googleapis.com
- eventarc.googleapis.com
- file.googleapis.com
- firebaseappcheck.googleapis.com
- firebaserules.googleapis.com
- firestore.googleapis.com
- gameservices.googleapis.com
- gkebackup.googleapis.com
- gkeconnect.googleapis.com
- gkehub.googleapis.com
- gkemulticloud.googleapis.com
- healthcare.googleapis.com
- iam.googleapis.com
- iamcredentials.googleapis.com
- iaptunnel.googleapis.com
- ids.googleapis.com
- integrations.googleapis.com
- language.googleapis.com
- lifesciences.googleapis.com
- logging.googleapis.com
- managedidentities.googleapis.com
- memcache.googleapis.com
- meshca.googleapis.com
- metastore.googleapis.com
- ml.googleapis.com
- monitoring.googleapis.com
- networkconnectivity.googleapis.com
- networkmanagement.googleapis.com
- networksecurity.googleapis.com
- networkservices.googleapis.com
- notebooks.googleapis.com
- opsconfigmonitoring.googleapis.com
- osconfig.googleapis.com
- oslogin.googleapis.com
- policytroubleshooter.googleapis.com
- privateca.googleapis.com
- pubsub.googleapis.com
- pubsublite.googleapis.com
- recaptchaenterprise.googleapis.com
- recommender.googleapis.com
- redis.googleapis.com
- retail.googleapis.com
- run.googleapis.com
- secretmanager.googleapis.com
- servicecontrol.googleapis.com
- servicedirectory.googleapis.com
- spanner.googleapis.com
- speakerid.googleapis.com
- speech.googleapis.com
- sqladmin.googleapis.com
- storage.googleapis.com
- storagetransfer.googleapis.com
- texttospeech.googleapis.com
- tpu.googleapis.com
- trafficdirector.googleapis.com
- transcoder.googleapis.com
- translate.googleapis.com
- videointelligence.googleapis.com
- vision.googleapis.com
- visionai.googleapis.com
- vpcaccess.googleapis.com
- workstations.googleapis.com
vpc_accessible_services:
- allowed_services:
- accessapproval.googleapis.com
- adsdatahub.googleapis.com
- aiplatform.googleapis.com
- alloydb.googleapis.com
- alpha-documentai.googleapis.com
- analyticshub.googleapis.com
- apigee.googleapis.com
- apigeeconnect.googleapis.com
- artifactregistry.googleapis.com
- assuredworkloads.googleapis.com
- automl.googleapis.com
- baremetalsolution.googleapis.com
- batch.googleapis.com
- beyondcorp.googleapis.com
- bigquery.googleapis.com
- bigquerydatapolicy.googleapis.com
- bigquerydatatransfer.googleapis.com
- bigquerymigration.googleapis.com
- bigqueryreservation.googleapis.com
- bigtable.googleapis.com
- binaryauthorization.googleapis.com
- cloudasset.googleapis.com
- cloudbuild.googleapis.com
- clouddebugger.googleapis.com
- clouderrorreporting.googleapis.com
- cloudfunctions.googleapis.com
- cloudkms.googleapis.com
- cloudprofiler.googleapis.com
- cloudresourcemanager.googleapis.com
- cloudsearch.googleapis.com
- cloudtrace.googleapis.com
- composer.googleapis.com
- compute.googleapis.com
- connectgateway.googleapis.com
- contactcenterinsights.googleapis.com
- container.googleapis.com
- containeranalysis.googleapis.com
- containerfilesystem.googleapis.com
- containerregistry.googleapis.com
- containerthreatdetection.googleapis.com
- contentwarehouse.googleapis.com
- datacatalog.googleapis.com
- dataflow.googleapis.com
- datafusion.googleapis.com
- datalineage.googleapis.com
- datamigration.googleapis.com
- datapipelines.googleapis.com
- dataplex.googleapis.com
- dataproc.googleapis.com
- datastream.googleapis.com
- dialogflow.googleapis.com
- dlp.googleapis.com
- dns.googleapis.com
- documentai.googleapis.com
- domains.googleapis.com
- essentialcontacts.googleapis.com
- eventarc.googleapis.com
- file.googleapis.com
- firebaseappcheck.googleapis.com
- firebaserules.googleapis.com
- firestore.googleapis.com
- gameservices.googleapis.com
- gkebackup.googleapis.com
- gkeconnect.googleapis.com
- gkehub.googleapis.com
- gkemulticloud.googleapis.com
- healthcare.googleapis.com
- iam.googleapis.com
- iamcredentials.googleapis.com
- iaptunnel.googleapis.com
- ids.googleapis.com
- integrations.googleapis.com
- language.googleapis.com
- lifesciences.googleapis.com
- logging.googleapis.com
- managedidentities.googleapis.com
- memcache.googleapis.com
- meshca.googleapis.com
- metastore.googleapis.com
- ml.googleapis.com
- monitoring.googleapis.com
- networkconnectivity.googleapis.com
- networkmanagement.googleapis.com
- networksecurity.googleapis.com
- networkservices.googleapis.com
- notebooks.googleapis.com
- opsconfigmonitoring.googleapis.com
- osconfig.googleapis.com
- oslogin.googleapis.com
- policytroubleshooter.googleapis.com
- privateca.googleapis.com
- pubsub.googleapis.com
- pubsublite.googleapis.com
- recaptchaenterprise.googleapis.com
- recommender.googleapis.com
- redis.googleapis.com
- retail.googleapis.com
- run.googleapis.com
- secretmanager.googleapis.com
- servicecontrol.googleapis.com
- servicedirectory.googleapis.com
- spanner.googleapis.com
- speakerid.googleapis.com
- speech.googleapis.com
- sqladmin.googleapis.com
- storage.googleapis.com
- storagetransfer.googleapis.com
- texttospeech.googleapis.com
- tpu.googleapis.com
- trafficdirector.googleapis.com
- transcoder.googleapis.com
- translate.googleapis.com
- videointelligence.googleapis.com
- vision.googleapis.com
- visionai.googleapis.com
- vpcaccess.googleapis.com
- workstations.googleapis.com
enable_restriction: true
status: []
timeouts: null
title: shielded
use_explicit_dry_run_spec: true
counts:
google_access_context_manager_access_policy: 1
@@ -47,5 +637,7 @@ counts:
google_project_service_identity: 1
google_projects: 1
google_storage_project_service_account: 1
modules: 6
modules: 7
resources: 38
outputs: {}

2
tests/fast/stages/s2_networking_a_peering/stage.yaml
View File

@@ -13,5 +13,5 @@
# limitations under the License.
counts:
modules: 27
modules: 28
resources: 151

2
tests/fast/stages/s2_networking_b_vpn/stage.yaml
View File

@@ -13,5 +13,5 @@
# limitations under the License.
counts:
modules: 29
modules: 30
resources: 188

2
tests/fast/stages/s2_networking_c_nva/stage.yaml
View File

@@ -13,5 +13,5 @@
# limitations under the License.
counts:
modules: 41
modules: 42
resources: 197

2
tests/fast/stages/s2_networking_d_separate_envs/stage.yaml
View File

@@ -13,5 +13,5 @@
# limitations under the License.
counts:
modules: 20
modules: 21
resources: 168

2
tests/fast/stages/s2_networking_e_nva_bgp/stage.yaml
View File

@@ -13,5 +13,5 @@
# limitations under the License.
counts:
modules: 35
modules: 36
resources: 210

15
tests/fixtures.py
View File

@@ -168,6 +168,7 @@ def plan_validator(module_path, inventory_paths, basedir, tf_var_files=None,
for path in inventory_paths:
# allow tfvars and inventory to be relative to the caller
path = basedir / path
relative_path = path.relative_to(_REPO_ROOT)
try:
inventory = yaml.safe_load(path.read_text())
except (IOError, OSError, yaml.YAMLError) as e:
@@ -193,34 +194,34 @@ def plan_validator(module_path, inventory_paths, basedir, tf_var_files=None,
expected_values = inventory['values']
for address, expected_value in expected_values.items():
assert address in summary.values, \
f'{address} is not a valid address in the plan'
f'{relative_path}: {address} is not a valid address in the plan'
for k, v in expected_value.items():
assert k in summary.values[address], \
f'{k} not found at {address}'
f'{relative_path}: {k} not found at {address}'
plan_value = summary.values[address][k]
assert plan_value == v, \
f'{k} at {address} failed. Got `{plan_value}`, expected `{v}`'
f'{relative_path}: {k} at {address} failed. Got `{plan_value}`, expected `{v}`'
if 'counts' in inventory:
expected_counts = inventory['counts']
for type_, expected_count in expected_counts.items():
assert type_ in summary.counts, \
f'module does not create any resources of type `{type_}`'
f'{relative_path}: module does not create any resources of type `{type_}`'
plan_count = summary.counts[type_]
assert plan_count == expected_count, \
f'count of {type_} resources failed. Got {plan_count}, expected {expected_count}'
f'{relative_path}: count of {type_} resources failed. Got {plan_count}, expected {expected_count}'
if 'outputs' in inventory:
expected_outputs = inventory['outputs']
for output_name, expected_output in expected_outputs.items():
assert output_name in summary.outputs, \
f'module does not output `{output_name}`'
f'{relative_path}: module does not output `{output_name}`'
output = summary.outputs[output_name]
# assert 'value' in output, \
# f'output `{output_name}` does not have a value (is it sensitive or dynamic?)'
plan_output = output.get('value', '__missing__')
assert plan_output == expected_output, \
f'output {output_name} failed. Got `{plan_output}`, expected `{expected_output}`'
f'{relative_path}: output {output_name} failed. Got `{plan_output}`, expected `{expected_output}`'
return summary

40
tests/modules/cloud_run/examples/gen2.yaml Normal file
View File

@@ -0,0 +1,40 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.cloud_run.google_cloud_run_service.service:
autogenerate_revision_name: false
location: europe-west1
metadata:
- {}
name: hello
project: project-id
template:
- metadata:
- annotations:
run.googleapis.com/execution-environment: gen2
spec:
- containers:
- args: null
command: null
env: []
env_from: []
image: us-docker.pkg.dev/cloudrun/container/hello
liveness_probe: []
volume_mounts: []
working_dir: null
volumes: []
counts:
google_cloud_run_service: 1

34
tests/modules/compute_mig/examples/stateful.yaml
View File

@@ -13,25 +13,49 @@
# limitations under the License.
values:
module.nginx-mig.google_compute_instance_group_manager.default[0]:
all_instances_config: []
auto_healing_policies: []
base_instance_name: mig-test
description: Terraform managed.
list_managed_instances_results: PAGELESS
name: mig-test
named_port: []
project: my-prj
stateful_disk: []
stateful_external_ip: []
stateful_internal_ip: []
target_pools: null
timeouts: null
version:
- name: default
target_size: []
wait_for_instances: false
wait_for_instances_status: STABLE
zone: europe-west8-b
module.nginx-mig.google_compute_per_instance_config.default["instance-1"]:
instance_group_manager: mig-test
minimal_action: NONE
most_disruptive_allowed_action: REPLACE
name: instance-1
preserved_state:
- disk:
- delete_rule: NEVER
device_name: persistent-disk-1
device_name: data-1
mode: READ_WRITE
source: test-disk
source: projects/my-prj/zones/europe-west8-b/disks/test-data-1
metadata:
foo: bar
project: my-project
project: my-prj
remove_instance_state_on_destroy: false
timeouts: null
zone: europe-west1-b
zone: europe-west8-b
counts:
google_compute_autoscaler: 1
google_compute_instance_group_manager: 1
google_compute_instance_template: 1
google_compute_per_instance_config: 1
modules: 2
resources: 3
outputs: {}

13
tests/modules/dataplex_datascan/examples/datascan_iam.yaml
View File

@@ -11,6 +11,7 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.dataplex-datascan.google_dataplex_datascan.datascan:
data:
@@ -57,11 +58,19 @@ values:
- group:user-group@example.com
project: my-project-name
role: roles/dataplex.dataScanViewer
module.dataplex-datascan.google_dataplex_datascan_iam_member.members["am1-viewer"]:
condition: []
data_scan_id: test-datascan
location: us-central1
member: user:am1@example.com
project: my-project-name
role: roles/dataplex.dataScanViewer
counts:
google_dataplex_datascan: 1
google_dataplex_datascan_iam_binding: 3
google_dataplex_datascan_iam_member: 1
modules: 1
resources: 4
resources: 5
outputs: {}
outputs: {}

11
tests/modules/folder/examples/iam.yaml
View File

@@ -16,6 +16,7 @@ values:
module.folder.google_folder.folder[0]:
display_name: Folder name
parent: organizations/1234567890
timeouts: null
module.folder.google_folder_iam_binding.authoritative["roles/owner"]:
condition: []
members:
@@ -52,8 +53,16 @@ values:
condition: []
member: user:am2@example.org
role: roles/storage.objectViewer
module.folder.google_folder_iam_member.members["am1-storage-admin"]:
condition: []
member: user:am1@example.org
role: roles/storage.admin
counts:
google_folder: 1
google_folder_iam_binding: 3
google_folder_iam_member: 5
google_folder_iam_member: 6
modules: 1
resources: 10
outputs: {}

22
tests/modules/kms/examples/basic.yaml
View File

@@ -19,12 +19,14 @@ values:
purpose: ENCRYPT_DECRYPT
rotation_period: null
skip_initial_version_creation: null
timeouts: null
module.kms.google_kms_crypto_key.default["key-b"]:
labels: null
name: key-b
purpose: ENCRYPT_DECRYPT
rotation_period: 604800s
skip_initial_version_creation: null
timeouts: null
module.kms.google_kms_crypto_key.default["key-c"]:
labels:
env: test
@@ -32,23 +34,29 @@ values:
purpose: ENCRYPT_DECRYPT
rotation_period: null
skip_initial_version_creation: null
timeouts: null
module.kms.google_kms_crypto_key_iam_binding.default["key-a.roles/cloudkms.admin"]:
condition: []
members:
- user:user3@example.com
role: roles/cloudkms.admin
module.kms.google_kms_crypto_key_iam_member.default["key-b.roles/cloudkms.cryptoKeyEncrypterDecrypteruser:user4@example.com"]:
condition: []
? module.kms.google_kms_crypto_key_iam_member.default["key-b.roles/cloudkms.cryptoKeyEncrypterDecrypteruser:user4@example.com"]
: condition: []
member: user:user4@example.com
role: roles/cloudkms.cryptoKeyEncrypterDecrypter
module.kms.google_kms_crypto_key_iam_member.default["key-b.roles/cloudkms.cryptoKeyEncrypterDecrypteruser:user5@example.com"]:
condition: []
? module.kms.google_kms_crypto_key_iam_member.default["key-b.roles/cloudkms.cryptoKeyEncrypterDecrypteruser:user5@example.com"]
: condition: []
member: user:user5@example.com
role: roles/cloudkms.cryptoKeyEncrypterDecrypter
module.kms.google_kms_crypto_key_iam_member.members["key-b-am1"]:
condition: []
member: user:am1@example.com
role: roles/cloudkms.cryptoKeyEncrypterDecrypter
module.kms.google_kms_key_ring.default[0]:
location: europe-west1
name: test
project: my-project
timeouts: null
module.kms.google_kms_key_ring_iam_member.default["roles/cloudkms.cryptoKeyEncrypterDecrypteruser:user1@example.com"]:
condition: []
member: user:user1@example.com
@@ -61,6 +69,10 @@ values:
counts:
google_kms_crypto_key: 3
google_kms_crypto_key_iam_binding: 1
google_kms_crypto_key_iam_member: 2
google_kms_crypto_key_iam_member: 3
google_kms_key_ring: 1
google_kms_key_ring_iam_member: 2
modules: 1
resources: 10
outputs: {}

4
tests/modules/net_vpc_firewall_policy/examples/factory.yaml → tests/modules/net_firewall_policy/examples/factory.yaml
View File

@@ -18,7 +18,7 @@ values:
module.firewall-policy.google_compute_firewall_policy_association.hierarchical["test"]:
attachment_target: folders/4567890123
name: test-1-test
module.firewall-policy.google_compute_firewall_policy_rule.hierarchical["egress/icmp"]:
module.firewall-policy.google_compute_firewall_policy_rule.hierarchical["ingress/icmp"]:
action: allow
direction: INGRESS
disabled: false
@@ -41,7 +41,7 @@ values:
priority: 1000
target_resources: null
target_service_accounts: null
module.firewall-policy.google_compute_firewall_policy_rule.hierarchical["ingress/smtp"]:
module.firewall-policy.google_compute_firewall_policy_rule.hierarchical["egress/smtp"]:
action: deny
direction: EGRESS
disabled: false

0
tests/modules/net_vpc_firewall_policy/examples/global-net.yaml → tests/modules/net_firewall_policy/examples/global-net.yaml
View File

0
tests/modules/net_vpc_firewall_policy/examples/hierarchical.yaml → tests/modules/net_firewall_policy/examples/hierarchical.yaml
View File

0
tests/modules/net_vpc_firewall_policy/examples/regional-net.yaml → tests/modules/net_firewall_policy/examples/regional-net.yaml
View File

69
tests/modules/net_vpc/examples/subnet-iam.yaml
View File

@@ -14,17 +14,63 @@
values:
module.vpc.google_compute_network.network[0]:
auto_create_subnetworks: false
delete_default_routes_on_create: false
description: Terraform-managed.
enable_ula_internal_ipv6: null
name: my-network
network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
project: my-project
routing_mode: GLOBAL
timeouts: null
module.vpc.google_compute_route.gateway["private-googleapis"]:
description: Terraform-managed.
dest_range: 199.36.153.8/30
name: my-network-private-googleapis
next_hop_gateway: default-internet-gateway
next_hop_ilb: null
next_hop_instance: null
next_hop_vpn_tunnel: null
priority: 1000
project: my-project
tags: null
timeouts: null
module.vpc.google_compute_route.gateway["restricted-googleapis"]:
description: Terraform-managed.
dest_range: 199.36.153.4/30
name: my-network-restricted-googleapis
next_hop_gateway: default-internet-gateway
next_hop_ilb: null
next_hop_instance: null
next_hop_vpn_tunnel: null
priority: 1000
project: my-project
tags: null
timeouts: null
module.vpc.google_compute_subnetwork.subnetwork["europe-west1/subnet-1"]:
description: Terraform-managed.
ip_cidr_range: 10.0.1.0/24
ipv6_access_type: null
log_config: []
name: subnet-1
private_ip_google_access: true
project: my-project
region: europe-west1
role: null
secondary_ip_range: []
timeouts: null
module.vpc.google_compute_subnetwork.subnetwork["europe-west1/subnet-2"]:
description: Terraform-managed.
ip_cidr_range: 10.0.1.0/24
ipv6_access_type: null
log_config: []
name: subnet-2
private_ip_google_access: true
project: my-project
region: europe-west1
role: null
secondary_ip_range: []
timeouts: null
module.vpc.google_compute_subnetwork_iam_binding.binding["europe-west1/subnet-1.roles/compute.networkUser"]:
condition: []
members:
@@ -34,16 +80,23 @@ values:
region: europe-west1
role: roles/compute.networkUser
subnetwork: subnet-1
module.vpc.google_compute_subnetwork_iam_member.binding["europe-west1/subnet-2.roles/compute.networkUser.user:user2@example.com"]:
condition: []
? module.vpc.google_compute_subnetwork_iam_member.binding["europe-west1/subnet-2.roles/compute.networkUser.group:group2@example.com"]
: condition: []
member: group:group2@example.com
project: my-project
region: europe-west1
role: roles/compute.networkUser
subnetwork: subnet-2
? module.vpc.google_compute_subnetwork_iam_member.binding["europe-west1/subnet-2.roles/compute.networkUser.user:user2@example.com"]
: condition: []
member: user:user2@example.com
project: my-project
region: europe-west1
role: roles/compute.networkUser
subnetwork: subnet-2
module.vpc.google_compute_subnetwork_iam_member.binding["europe-west1/subnet-2.roles/compute.networkUser.group:group2@example.com"]:
module.vpc.google_compute_subnetwork_iam_member.members["subnet-2-am1"]:
condition: []
member: group:group2@example.com
member: user:am1@example.com
project: my-project
region: europe-west1
role: roles/compute.networkUser
@@ -51,7 +104,11 @@ values:
counts:
google_compute_network: 1
google_compute_route: 2
google_compute_subnetwork: 2
google_compute_subnetwork_iam_binding: 1
google_compute_subnetwork_iam_member: 2
google_compute_route: 2
google_compute_subnetwork_iam_member: 3
modules: 1
resources: 9
outputs: {}

36
tests/modules/organization/examples/basic.yaml
View File

@@ -25,6 +25,7 @@ values:
deny_all: null
enforce: 'TRUE'
values: []
timeouts: null
module.org.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]:
name: organizations/1234567890/policies/compute.skipDefaultNetworkCreation
parent: organizations/1234567890
@@ -37,6 +38,7 @@ values:
deny_all: null
enforce: 'TRUE'
values: []
timeouts: null
module.org.google_org_policy_policy.default["compute.trustedImageProjects"]:
name: organizations/1234567890/policies/compute.trustedImageProjects
parent: organizations/1234567890
@@ -52,6 +54,7 @@ values:
- allowed_values:
- projects/my-project
denied_values: null
timeouts: null
module.org.google_org_policy_policy.default["compute.vmExternalIpAccess"]:
name: organizations/1234567890/policies/compute.vmExternalIpAccess
parent: organizations/1234567890
@@ -64,6 +67,20 @@ values:
deny_all: 'TRUE'
enforce: null
values: []
timeouts: null
module.org.google_org_policy_policy.default["custom.gkeEnableAutoUpgrade"]:
name: organizations/1234567890/policies/custom.gkeEnableAutoUpgrade
parent: organizations/1234567890
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
values: []
timeouts: null
module.org.google_org_policy_policy.default["iam.allowedPolicyMemberDomains"]:
name: organizations/1234567890/policies/iam.allowedPolicyMemberDomains
parent: organizations/1234567890
@@ -95,6 +112,7 @@ values:
- C0xxxxxxx
- C0yyyyyyy
denied_values: null
timeouts: null
module.org.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]:
name: organizations/1234567890/policies/iam.disableServiceAccountKeyCreation
parent: organizations/1234567890
@@ -107,6 +125,7 @@ values:
deny_all: null
enforce: 'TRUE'
values: []
timeouts: null
module.org.google_org_policy_policy.default["iam.disableServiceAccountKeyUpload"]:
name: organizations/1234567890/policies/iam.disableServiceAccountKeyUpload
parent: organizations/1234567890
@@ -128,6 +147,7 @@ values:
deny_all: null
enforce: 'FALSE'
values: []
timeouts: null
module.org.google_organization_iam_binding.authoritative["roles/owner"]:
condition: []
members:
@@ -156,20 +176,34 @@ values:
member: user:compute@example.org
org_id: '1234567890'
role: roles/container.viewer
module.org.google_organization_iam_member.members["am1-storage-admin"]:
condition: []
member: user:am1@example.org
org_id: '1234567890'
role: roles/storage.admin
module.org.google_tags_tag_key.default["allowexternal"]:
description: Allow external identities.
parent: organizations/1234567890
purpose: null
purpose_data: null
short_name: allowexternal
timeouts: null
module.org.google_tags_tag_value.default["allowexternal/false"]:
description: Managed by the Terraform organization module.
short_name: 'false'
timeouts: null
module.org.google_tags_tag_value.default["allowexternal/true"]:
description: Managed by the Terraform organization module.
short_name: 'true'
timeouts: null
counts:
google_org_policy_policy: 8
google_organization_iam_binding: 3
google_organization_iam_member: 2
google_organization_iam_member: 3
google_tags_tag_key: 1
google_tags_tag_value: 2
modules: 1
resources: 17
outputs: {}

51
tests/modules/organization/firewall_policies_factory_combined.tfvars
View File

@@ -1,51 +0,0 @@
firewall_policies = {
policy1 = {
allow-ingress = {
description = ""
direction = "INGRESS"
action = "allow"
priority = 100
ranges = ["10.0.0.0/8"]
ports = {
tcp = ["22"]
}
target_service_accounts = null
target_resources = null
logging = false
}
deny-egress = {
description = ""
direction = "EGRESS"
action = "deny"
priority = 200
ranges = ["192.168.0.0/24"]
ports = {
tcp = ["443"]
}
target_service_accounts = null
target_resources = null
logging = false
}
}
policy2 = {
allow-ingress = {
description = ""
direction = "INGRESS"
action = "allow"
priority = 100
ranges = ["10.0.0.0/8"]
ports = {
tcp = ["22"]
}
target_service_accounts = null
target_resources = null
logging = false
}
}
}
firewall_policy_factory = {
cidr_file = "../../tests/modules/organization/data/firewall-cidrs.yaml"
policy_name = "factory-1"
rules_file = "../../tests/modules/organization/data/firewall-rules.yaml"
}

27
tests/modules/organization/firewall_policies_factory_combined.yaml
View File

@@ -1,27 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
google_compute_firewall_policy.policy["factory-1"]: {}
google_compute_firewall_policy.policy["policy1"]: {}
google_compute_firewall_policy.policy["policy2"]: {}
google_compute_firewall_policy_rule.rule["factory-1-allow-admins"]: {}
google_compute_firewall_policy_rule.rule["factory-1-allow-ssh-from-iap"]: {}
google_compute_firewall_policy_rule.rule["policy1-allow-ingress"]: {}
google_compute_firewall_policy_rule.rule["policy1-deny-egress"]: {}
google_compute_firewall_policy_rule.rule["policy2-allow-ingress"]: {}
counts:
google_compute_firewall_policy: 3
google_compute_firewall_policy_rule: 5

1
tests/modules/organization/tftest.yaml
View File

@@ -21,5 +21,4 @@ tests:
org_policies_list:
org_policies_boolean:
org_policies_custom_constraints:
firewall_policies_factory_combined:
tags:

48
tests/modules/project/examples/iam-members.yaml Normal file
View File

@@ -0,0 +1,48 @@
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.project.google_project.project[0]:
auto_create_network: false
billing_account: null
folder_id: null
labels: null
name: project-example
org_id: null
project_id: project-example
skip_delete: false
timeouts: null
module.project.google_project_iam_member.members["one-owner"]:
condition: []
member: user:one@example.org
project: project-example
role: roles/owner
module.project.google_project_iam_member.members["two-compute-admin"]:
condition: []
member: user:two@example.org
project: project-example
role: roles/compute.admin
module.project.google_project_iam_member.members["two-viewer"]:
condition: []
member: user:two@example.org
project: project-example
role: roles/viewer
counts:
google_project: 1
google_project_iam_member: 3
modules: 1
resources: 4
outputs: {}

12
tests/modules/source_repository/examples/simple.yaml
View File

@@ -17,6 +17,7 @@ values:
name: my-repo
project: my-project
pubsub_configs: []
timeouts: null
module.repo.google_sourcerepo_repository_iam_binding.authoritative["roles/source.reader"]:
condition: []
members:
@@ -24,7 +25,18 @@ values:
project: my-project
repository: my-repo
role: roles/source.reader
module.repo.google_sourcerepo_repository_iam_member.members["am1-reader"]:
condition: []
member: user:am1@example.com
project: my-project
repository: my-repo
role: roles/source.reader
counts:
google_sourcerepo_repository: 1
google_sourcerepo_repository_iam_binding: 1
google_sourcerepo_repository_iam_member: 1
modules: 1
resources: 3
outputs: {}