Migrate organization to example-based tests

Julio Castillo
2022-12-15 15:23:11 +01:00
parent aaacee2a70
commit b5ca8932dc
22 changed files with 471 additions and 522 deletions


@@ -19,19 +19,11 @@ module "org" {
group_iam = {
"cloud-owners@example.org" = ["roles/owner", "roles/projectCreator"]
}
iam = {
iam = {
"roles/resourcemanager.projectCreator" = ["group:cloud-admins@example.org"]
}
org_policy_custom_constraints = {
"custom.gkeEnableAutoUpgrade" = {
resource_types = ["container.googleapis.com/NodePool"]
method_types = ["CREATE"]
condition = "resource.management.autoUpgrade == true"
action_type = "ALLOW"
display_name = "Enable node auto-upgrade"
description = "All node pools must have node auto-upgrade enabled."
}
iam_additive_members = {
"user:compute@example.org" = ["roles/compute.admin", "roles/container.viewer"]
}
org_policies = {
@@ -76,7 +68,7 @@ module "org" {
}
}
}
# tftest modules=1 resources=12
# tftest modules=1 resources=13 inventory=basic.yaml
```
## IAM
@@ -123,7 +115,7 @@ module "org" {
}
}
}
# tftest modules=1 resources=2
# tftest modules=1 resources=2 inventory=custom-constraints.yaml
```
### Org policy custom constraints factory
@@ -136,10 +128,14 @@ The example below deploys a few org policy custom constraints split between two
module "org" {
source = "./fabric/modules/organization"
organization_id = var.organization_id
org_policy_custom_constraints_data_path = "configs/custom-constraints"
org_policies = {
"custom.gkeEnableAutoUpgrade" = {
enforce = true
}
}
}
# tftest modules=1 resources=3 files=gke,dataproc
# tftest modules=1 resources=3 files=gke inventory=custom-constraints.yaml
```
```yaml
@@ -164,6 +160,7 @@ custom.gkeEnableAutoUpgrade:
description: All node pools must have node auto-upgrade enabled.
```
```yaml
# tftest file dataproc configs/custom-constraints/dataproc.yaml
custom.dataprocNoMoreThan10Workers:
@@ -195,6 +192,17 @@ module "org" {
organization_id = var.organization_id
firewall_policies = {
iap-policy = {
allow-admins = {
description = "Access from the admin subnet to all subnets"
direction = "INGRESS"
action = "allow"
priority = 1000
ranges = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
ports = { all = [] }
target_service_accounts = null
target_resources = null
logging = false
}
allow-iap-ssh = {
description = "Always allow ssh from IAP."
direction = "INGRESS"
@@ -214,7 +222,7 @@ module "org" {
iap_policy = "iap-policy"
}
}
# tftest modules=1 resources=3
# tftest modules=1 resources=4 inventory=hfw.yaml
```
### Firewall policy factory
@@ -227,14 +235,14 @@ module "org" {
organization_id = var.organization_id
firewall_policy_factory = {
cidr_file = "configs/firewall-policies/cidrs.yaml"
policy_name = null
policy_name = "iap-policy"
rules_file = "configs/firewall-policies/rules.yaml"
}
firewall_policy_association = {
factory-policy = module.org.firewall_policy_id["factory"]
iap_policy = module.org.firewall_policy_id["iap-policy"]
}
}
# tftest modules=1 resources=4 files=cidrs,rules
# tftest modules=1 resources=4 files=cidrs,rules inventory=hfw.yaml
```
```yaml
@@ -257,19 +265,19 @@ allow-admins:
ports:
all: []
target_resources: null
enable_logging: false
logging: false
allow-ssh-from-iap:
description: Enable SSH from IAP
allow-iap-ssh:
description: "Always allow ssh from IAP."
direction: INGRESS
action: allow
priority: 1002
priority: 100
ranges:
- 35.235.240.0/20
ports:
tcp: ["22"]
target_resources: null
enable_logging: false
logging: false
```
## Logging Sinks
@@ -335,7 +343,7 @@ module "org" {
no-gce-instances = "resource.type=gce_instance"
}
}
# tftest modules=5 resources=13
# tftest modules=5 resources=13 inventory=logging.yaml
```
## Custom Roles
@@ -353,7 +361,7 @@ module "org" {
(module.org.custom_role_id.myRole) = ["user:me@example.com"]
}
}
# tftest modules=1 resources=2
# tftest modules=1 resources=2 inventory=roles.yaml
```
## Tags
@@ -386,7 +394,7 @@ module "org" {
foo = "tagValues/12345678"
}
}
# tftest modules=1 resources=7
# tftest modules=1 resources=7 inventory=tags.yaml
```
You can also define network tags, through a dedicated variable *network_tags*:
@@ -414,7 +422,7 @@ module "org" {
}
}
}
# tftest modules=1 resources=5
# tftest modules=1 resources=5 inventory=network-tags.yaml
```
<!-- TFDOC OPTS files:1 -->


@@ -0,0 +1,146 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.org.google_org_policy_policy.default["compute.disableGuestAttributesAccess"]:
name: organizations/1234567890/policies/compute.disableGuestAttributesAccess
parent: organizations/1234567890
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
values: []
module.org.google_org_policy_policy.default["constraints/compute.skipDefaultNetworkCreation"]:
name: organizations/1234567890/policies/constraints/compute.skipDefaultNetworkCreation
parent: organizations/1234567890
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
values: []
module.org.google_org_policy_policy.default["constraints/compute.trustedImageProjects"]:
name: organizations/1234567890/policies/constraints/compute.trustedImageProjects
parent: organizations/1234567890
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: null
values:
- allowed_values:
- projects/my-project
denied_values: null
module.org.google_org_policy_policy.default["constraints/compute.vmExternalIpAccess"]:
name: organizations/1234567890/policies/constraints/compute.vmExternalIpAccess
parent: organizations/1234567890
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: 'TRUE'
enforce: null
values: []
module.org.google_org_policy_policy.default["constraints/iam.allowedPolicyMemberDomains"]:
name: organizations/1234567890/policies/constraints/iam.allowedPolicyMemberDomains
parent: organizations/1234567890
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: null
values:
- allowed_values:
- C0xxxxxxx
- C0yyyyyyy
denied_values: null
module.org.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]:
name: organizations/1234567890/policies/iam.disableServiceAccountKeyCreation
parent: organizations/1234567890
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
values: []
module.org.google_org_policy_policy.default["iam.disableServiceAccountKeyUpload"]:
name: organizations/1234567890/policies/iam.disableServiceAccountKeyUpload
parent: organizations/1234567890
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'FALSE'
values: []
- allow_all: null
condition:
- description: test condition
expression: resource.matchTagId("tagKeys/1234", "tagValues/1234")
location: somewhere
title: condition
deny_all: null
enforce: 'TRUE'
values: []
module.org.google_organization_iam_binding.authoritative["roles/owner"]:
condition: []
members:
- group:cloud-owners@example.org
org_id: '1234567890'
role: roles/owner
module.org.google_organization_iam_binding.authoritative["roles/projectCreator"]:
condition: []
members:
- group:cloud-owners@example.org
org_id: '1234567890'
role: roles/projectCreator
module.org.google_organization_iam_binding.authoritative["roles/resourcemanager.projectCreator"]:
condition: []
members:
- group:cloud-admins@example.org
org_id: '1234567890'
role: roles/resourcemanager.projectCreator
module.org.google_organization_iam_member.additive["roles/compute.admin-user:compute@example.org"]:
condition: []
member: user:compute@example.org
org_id: '1234567890'
role: roles/compute.admin
module.org.google_organization_iam_member.additive["roles/container.viewer-user:compute@example.org"]:
condition: []
member: user:compute@example.org
org_id: '1234567890'
role: roles/container.viewer
counts:
google_org_policy_policy: 8
google_organization_iam_binding: 3
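Review bot: The `counts` block at the end of this inventory lists only `google_org_policy_policy` and `google_organization_iam_binding`, although `values` above also pins two `google_organization_iam_member.additive` entries and the README example this inventory backs now declares `resources=13` (8 + 3 + 2); adding `google_organization_iam_member: 2` would make the count assertion cover every resource the example creates, assuming the checker treats `counts` as partial today. Separately, the policy keys are inconsistent: `compute.disableGuestAttributesAccess` is bare while `constraints/compute.skipDefaultNetworkCreation` keeps its prefix, which yields the name `organizations/1234567890/policies/constraints/compute.skipDefaultNetworkCreation`; if the Org Policy API expects the constraint name without a `constraints/` prefix, the inventory now freezes an invalid example, so this is worth confirming against the README example it was generated from.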


@@ -0,0 +1,39 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.org.google_org_policy_custom_constraint.constraint["custom.gkeEnableAutoUpgrade"]:
action_type: ALLOW
condition: resource.management.autoUpgrade == true
description: All node pools must have node auto-upgrade enabled.
display_name: Enable node auto-upgrade
method_types:
- CREATE
name: custom.gkeEnableAutoUpgrade
parent: organizations/1122334455
resource_types:
- container.googleapis.com/NodePool
module.org.google_org_policy_policy.default["custom.gkeEnableAutoUpgrade"]:
name: organizations/1122334455/policies/custom.gkeEnableAutoUpgrade
parent: organizations/1122334455
spec:
- inherit_from_parent: null
reset: null
rules:
- allow_all: null
condition: []
deny_all: null
enforce: 'TRUE'
values: []


@@ -13,17 +13,18 @@
# limitations under the License.
values:
google_compute_firewall_policy.policy["factory-1"]:
description: null
parent: organizations/1234567890
short_name: factory-1
timeouts: null
google_compute_firewall_policy_rule.rule["factory-1-allow-admins"]:
module.org.google_compute_firewall_policy.policy["iap-policy"]:
parent: organizations/1122334455
short_name: iap-policy
module.org.google_compute_firewall_policy_association.association["iap_policy"]:
attachment_target: organizations/1122334455
name: organizations-1122334455
module.org.google_compute_firewall_policy_rule.rule["iap-policy-allow-admins"]:
action: allow
description: Access from the admin subnet to all subnets
direction: INGRESS
disabled: null
enable_logging: null
enable_logging: false
match:
- dest_ip_ranges: null
layer4_configs:
@@ -31,18 +32,17 @@ values:
ports: []
src_ip_ranges:
- 10.0.0.0/8
- 172.168.0.0/12
- 172.16.0.0/12
- 192.168.0.0/16
priority: 1000
target_resources: null
target_service_accounts: null
timeouts: null
google_compute_firewall_policy_rule.rule["factory-1-allow-ssh-from-iap"]:
module.org.google_compute_firewall_policy_rule.rule["iap-policy-allow-iap-ssh"]:
action: allow
description: Enable SSH from IAP
description: Always allow ssh from IAP.
direction: INGRESS
disabled: null
enable_logging: null
enable_logging: false
match:
- dest_ip_ranges: null
layer4_configs:
@@ -51,11 +51,12 @@ values:
- '22'
src_ip_ranges:
- 35.235.240.0/20
priority: 1002
priority: 100
target_resources: null
target_service_accounts: null
timeouts: null
counts:
google_compute_firewall_policy: 1
google_compute_firewall_policy_association: 1
google_compute_firewall_policy_rule: 2


@@ -0,0 +1,70 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.org.google_bigquery_dataset_iam_member.bq-sinks-binding["info"]:
condition: []
role: roles/bigquery.dataEditor
module.org.google_logging_organization_exclusion.logging-exclusion["no-gce-instances"]:
disabled: null
filter: resource.type=gce_instance
name: no-gce-instances
org_id: '1122334455'
module.org.google_logging_organization_sink.sink["debug"]:
disabled: false
exclusions:
- description: null
disabled: false
filter: logName:compute
name: no-compute
filter: severity=DEBUG
include_children: true
name: debug
org_id: '1122334455'
module.org.google_logging_organization_sink.sink["info"]:
disabled: false
exclusions: []
filter: severity=INFO
include_children: true
name: info
org_id: '1122334455'
module.org.google_logging_organization_sink.sink["notice"]:
disabled: false
exclusions: []
filter: severity=NOTICE
include_children: true
name: notice
org_id: '1122334455'
module.org.google_logging_organization_sink.sink["warnings"]:
destination: storage.googleapis.com/gcs_sink
disabled: false
exclusions: []
filter: severity=WARNING
include_children: true
name: warnings
org_id: '1122334455'
module.pubsub.google_pubsub_topic.default:
kms_key_name: null
labels: null
message_retention_duration: null
name: pubsub_sink
project: project-id
counts:
google_bigquery_dataset_iam_member: 1
google_logging_organization_exclusion: 1
google_logging_organization_sink: 4
google_project_iam_member: 1
google_pubsub_topic_iam_member: 1
google_storage_bucket_iam_member: 1
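Review bot: The `counts` block asserts one `google_project_iam_member`, one `google_pubsub_topic_iam_member` and one `google_storage_bucket_iam_member`, but none of those resources appears under `values`, so the roles granted to the sink writer identities are no longer pinned (the inventory this replaces checked `roles/logging.bucketWriter`, `roles/pubsub.publisher` and `roles/storage.objectCreator`). A sink-side binding is the part of this module most likely to regress toward an over-broad role, so keeping the example's IAM grants under test is worthwhile; the `google_bigquery_dataset_iam_member.bq-sinks-binding["info"]` entry has the same gap, now checking only `role` and no longer `dataset_id`/`project`. For the storage sink this would be `module.org.google_storage_bucket_iam_member.storage-sinks-binding["warnings"]:` with `bucket: gcs_sink` (presumably, from the `destination` on the `warnings` sink) and `role: roles/storage.objectCreator`.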


@@ -0,0 +1,47 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.org.google_tags_tag_key.default["net-environment"]:
description: This is a network tag.
parent: organizations/1122334455
purpose: GCE_FIREWALL
purpose_data:
network: my_project/my_vpc
short_name: net-environment
timeouts: null
module.org.google_tags_tag_key_iam_binding.default["net-environment:roles/resourcemanager.tagAdmin"]:
condition: []
members:
- group:admins@example.com
role: roles/resourcemanager.tagAdmin
module.org.google_tags_tag_value.default["net-environment/dev"]:
description: Managed by the Terraform organization module.
short_name: dev
timeouts: null
module.org.google_tags_tag_value.default["net-environment/prod"]:
description: 'Environment: production.'
short_name: prod
timeouts: null
module.org.google_tags_tag_value_iam_binding.default["net-environment/prod:roles/resourcemanager.tagUser"]:
condition: []
members:
- user:user1@example.com
role: roles/resourcemanager.tagUser
counts:
google_tags_tag_key: 1
google_tags_tag_key_iam_binding: 1
google_tags_tag_value: 2
google_tags_tag_value_iam_binding: 1


@@ -12,20 +12,22 @@
# See the License for the specific language governing permissions and
# limitations under the License.
values:
google_organization_iam_binding.authoritative["user:one@example.org"]:
values:
module.org.google_organization_iam_binding.authoritative["organizations/1122334455/roles/myRole"]:
condition: []
members:
- roles/owner
org_id: '1234567890'
role: user:one@example.org
google_organization_iam_binding.authoritative["user:two@example.org"]:
condition: []
members:
- roles/editor
- roles/owner
org_id: '1234567890'
role: user:two@example.org
- user:me@example.com
org_id: '1122334455'
role: organizations/1122334455/roles/myRole
module.org.google_organization_iam_custom_role.roles["myRole"]:
description: Terraform-managed.
org_id: '1122334455'
permissions:
- compute.instances.list
role_id: myRole
stage: GA
title: Custom role myRole
counts:
google_organization_iam_binding: 2
google_organization_iam_binding: 1
google_organization_iam_custom_role: 1


@@ -0,0 +1,53 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.org.google_tags_tag_binding.binding["env-prod"]:
parent: //cloudresourcemanager.googleapis.com/organizations/1122334455
timeouts: null
module.org.google_tags_tag_binding.binding["foo"]:
parent: //cloudresourcemanager.googleapis.com/organizations/1122334455
tag_value: tagValues/12345678
timeouts: null
module.org.google_tags_tag_key.default["environment"]:
description: Environment specification.
parent: organizations/1122334455
purpose: null
purpose_data: null
short_name: environment
timeouts: null
module.org.google_tags_tag_key_iam_binding.default["environment:roles/resourcemanager.tagAdmin"]:
condition: []
members:
- group:admins@example.com
role: roles/resourcemanager.tagAdmin
module.org.google_tags_tag_value.default["environment/dev"]:
description: Managed by the Terraform organization module.
short_name: dev
timeouts: null
module.org.google_tags_tag_value.default["environment/prod"]:
description: 'Environment: production.'
short_name: prod
timeouts: null
module.org.google_tags_tag_value_iam_binding.default["environment/prod:roles/resourcemanager.tagViewer"]:
condition: []
members:
- user:user1@example.com
role: roles/resourcemanager.tagViewer
counts:
google_tags_tag_binding: 2
google_tags_tag_key: 1
google_tags_tag_key_iam_binding: 1
google_tags_tag_value: 2


@@ -1,45 +0,0 @@
firewall_policies = {
policy1 = {
allow-ingress = {
description = ""
direction = "INGRESS"
action = "allow"
priority = 100
ranges = ["10.0.0.0/8"]
ports = {
tcp = ["22"]
}
target_service_accounts = null
target_resources = null
logging = false
}
deny-egress = {
description = ""
direction = "EGRESS"
action = "deny"
priority = 200
ranges = ["192.168.0.0/24"]
ports = {
tcp = ["443"]
}
target_service_accounts = null
target_resources = null
logging = false
}
}
policy2 = {
allow-ingress = {
description = ""
direction = "INGRESS"
action = "allow"
priority = 100
ranges = ["10.0.0.0/8"]
ports = {
tcp = ["22"]
}
target_service_accounts = null
target_resources = null
logging = false
}
}
}


@@ -1,73 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
google_compute_firewall_policy.policy["policy1"]:
parent: organizations/1234567890
short_name: policy1
google_compute_firewall_policy.policy["policy2"]:
parent: organizations/1234567890
short_name: policy2
google_compute_firewall_policy_rule.rule["policy1-allow-ingress"]:
action: allow
direction: INGRESS
disabled: null
enable_logging: false
match:
- dest_ip_ranges: null
layer4_configs:
- ip_protocol: tcp
ports:
- '22'
src_ip_ranges:
- 10.0.0.0/8
priority: 100
target_resources: null
target_service_accounts: null
google_compute_firewall_policy_rule.rule["policy1-deny-egress"]:
action: deny
direction: EGRESS
disabled: null
enable_logging: false
match:
- dest_ip_ranges:
- 192.168.0.0/24
layer4_configs:
- ip_protocol: tcp
ports:
- '443'
src_ip_ranges: null
priority: 200
target_resources: null
target_service_accounts: null
google_compute_firewall_policy_rule.rule["policy2-allow-ingress"]:
action: allow
direction: INGRESS
disabled: null
enable_logging: false
match:
- dest_ip_ranges: null
layer4_configs:
- ip_protocol: tcp
ports:
- '22'
src_ip_ranges:
- 10.0.0.0/8
priority: 100
target_resources: null
target_service_accounts: null
counts:
google_compute_firewall_policy: 2
google_compute_firewall_policy_rule: 3


@@ -1,5 +0,0 @@
firewall_policy_factory = {
cidr_file = "../../tests/modules/organization/data/firewall-cidrs.yaml"
policy_name = "factory-1"
rules_file = "../../tests/modules/organization/data/firewall-rules.yaml"
}


@@ -1 +1,51 @@
# skip boilerplate check
firewall_policies = {
policy1 = {
allow-ingress = {
description = ""
direction = "INGRESS"
action = "allow"
priority = 100
ranges = ["10.0.0.0/8"]
ports = {
tcp = ["22"]
}
target_service_accounts = null
target_resources = null
logging = false
}
deny-egress = {
description = ""
direction = "EGRESS"
action = "deny"
priority = 200
ranges = ["192.168.0.0/24"]
ports = {
tcp = ["443"]
}
target_service_accounts = null
target_resources = null
logging = false
}
}
policy2 = {
allow-ingress = {
description = ""
direction = "INGRESS"
action = "allow"
priority = 100
ranges = ["10.0.0.0/8"]
ports = {
tcp = ["22"]
}
target_service_accounts = null
target_resources = null
logging = false
}
}
}
firewall_policy_factory = {
cidr_file = "../../tests/modules/organization/data/firewall-cidrs.yaml"
policy_name = "factory-1"
rules_file = "../../tests/modules/organization/data/firewall-rules.yaml"
}


@@ -1,18 +0,0 @@
group_iam = {
"owners@example.org" = [
"roles/owner",
"roles/resourcemanager.folderAdmin"
],
"viewers@example.org" = [
"roles/viewer"
]
}
iam = {
"roles/owner" = [
"user:one@example.org",
"user:two@example.org"
],
"roles/browser" = [
"domain:example.org"
]
}


@@ -1,44 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
google_organization_iam_binding.authoritative["roles/browser"]:
condition: []
members:
- domain:example.org
org_id: '1234567890'
role: roles/browser
google_organization_iam_binding.authoritative["roles/owner"]:
condition: []
members:
- group:owners@example.org
- user:one@example.org
- user:two@example.org
org_id: '1234567890'
role: roles/owner
google_organization_iam_binding.authoritative["roles/resourcemanager.folderAdmin"]:
condition: []
members:
- group:owners@example.org
org_id: '1234567890'
role: roles/resourcemanager.folderAdmin
google_organization_iam_binding.authoritative["roles/viewer"]:
condition: []
members:
- group:viewers@example.org
org_id: '1234567890'
role: roles/viewer
counts:
google_organization_iam_binding: 4


@@ -1,4 +0,0 @@
iam = {
"user:one@example.org" = ["roles/owner"],
"user:two@example.org" = ["roles/owner", "roles/editor"]
}


@@ -1,29 +0,0 @@
logging_sinks = {
warning = {
destination = "mybucket"
type = "storage"
filter = "severity=WARNING"
}
info = {
destination = "projects/myproject/datasets/mydataset"
type = "bigquery"
filter = "severity=INFO"
disabled = true
}
notice = {
destination = "projects/myproject/topics/mytopic"
type = "pubsub"
filter = "severity=NOTICE"
include_children = false
}
debug = {
destination = "projects/myproject/locations/global/buckets/mybucket"
type = "logging"
filter = "severity=DEBUG"
include_children = false
exclusions = {
no-compute = "logName:compute"
no-container = "logName:container"
}
}
}


@@ -1,86 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
google_bigquery_dataset_iam_member.bq-sinks-binding["info"]:
condition: []
dataset_id: mydataset
project: myproject
role: roles/bigquery.dataEditor
google_logging_organization_sink.sink["debug"]:
description: debug (Terraform-managed).
destination: logging.googleapis.com/projects/myproject/locations/global/buckets/mybucket
disabled: false
exclusions:
- description: null
disabled: false
filter: logName:compute
name: no-compute
- description: null
disabled: false
filter: logName:container
name: no-container
filter: severity=DEBUG
include_children: false
name: debug
org_id: '1234567890'
google_logging_organization_sink.sink["info"]:
description: info (Terraform-managed).
destination: bigquery.googleapis.com/projects/myproject/datasets/mydataset
disabled: true
exclusions: []
filter: severity=INFO
include_children: true
name: info
org_id: '1234567890'
google_logging_organization_sink.sink["notice"]:
description: notice (Terraform-managed).
destination: pubsub.googleapis.com/projects/myproject/topics/mytopic
disabled: false
exclusions: []
filter: severity=NOTICE
include_children: false
name: notice
org_id: '1234567890'
google_logging_organization_sink.sink["warning"]:
description: warning (Terraform-managed).
destination: storage.googleapis.com/mybucket
disabled: false
exclusions: []
filter: severity=WARNING
include_children: true
name: warning
org_id: '1234567890'
google_project_iam_member.bucket-sinks-binding["debug"]:
condition:
- expression: resource.name.endsWith('projects/myproject/locations/global/buckets/mybucket')
title: debug bucket writer
project: myproject
role: roles/logging.bucketWriter
google_pubsub_topic_iam_member.pubsub-sinks-binding["notice"]:
condition: []
project: myproject
role: roles/pubsub.publisher
topic: mytopic
google_storage_bucket_iam_member.storage-sinks-binding["warning"]:
bucket: mybucket
condition: []
role: roles/storage.objectCreator
counts:
google_bigquery_dataset_iam_member: 1
google_logging_organization_sink: 4
google_project_iam_member: 1
google_pubsub_topic_iam_member: 1
google_storage_bucket_iam_member: 1


@@ -1,4 +0,0 @@
logging_exclusions = {
exclusion1 = "resource.type=gce_instance"
exclusion2 = "severity=NOTICE"
}


@@ -1,30 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
google_logging_organization_exclusion.logging-exclusion["exclusion1"]:
description: exclusion1 (Terraform-managed).
disabled: null
filter: resource.type=gce_instance
name: exclusion1
org_id: '1234567890'
google_logging_organization_exclusion.logging-exclusion["exclusion2"]:
description: exclusion2 (Terraform-managed).
disabled: null
filter: severity=NOTICE
name: exclusion2
org_id: '1234567890'
counts:
google_logging_organization_exclusion: 2


@@ -1,43 +0,0 @@
network_tags = {
net_environment = {
network = "foobar"
}
}
tags = {
foo = {}
bar = {
description = null
iam = null
values = null
}
foobar = {
description = "Foobar tag."
iam = {
"roles/resourcemanager.tagAdmin" = [
"user:user1@example.com", "user:user2@example.com"
]
}
values = {
one = null
two = {
description = "Foobar 2."
iam = {
"roles/resourcemanager.tagViewer" = [
"user:user3@example.com"
]
}
}
three = {
description = "Foobar 3."
iam = {
"roles/resourcemanager.tagViewer" = [
"user:user3@example.com"
]
"roles/resourcemanager.tagAdmin" = [
"user:user4@example.com"
]
}
}
}
}
}


@@ -1,76 +0,0 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
google_tags_tag_key.default["bar"]:
description: Managed by the Terraform organization module.
parent: organizations/1234567890
purpose: null
purpose_data: null
short_name: bar
google_tags_tag_key.default["foo"]:
description: Managed by the Terraform organization module.
parent: organizations/1234567890
purpose: null
purpose_data: null
short_name: foo
google_tags_tag_key.default["foobar"]:
description: Foobar tag.
parent: organizations/1234567890
purpose: null
purpose_data: null
short_name: foobar
google_tags_tag_key.default["net_environment"]:
description: Managed by the Terraform organization module.
parent: organizations/1234567890
purpose: GCE_FIREWALL
purpose_data:
network: foobar
short_name: net_environment
google_tags_tag_key_iam_binding.default["foobar:roles/resourcemanager.tagAdmin"]:
condition: []
members:
- user:user1@example.com
- user:user2@example.com
role: roles/resourcemanager.tagAdmin
google_tags_tag_value.default["foobar/one"]:
description: Managed by the Terraform organization module.
short_name: one
google_tags_tag_value.default["foobar/three"]:
description: Foobar 3.
short_name: three
google_tags_tag_value.default["foobar/two"]:
description: Foobar 2.
short_name: two
google_tags_tag_value_iam_binding.default["foobar/three:roles/resourcemanager.tagAdmin"]:
condition: []
members:
- user:user4@example.com
role: roles/resourcemanager.tagAdmin
google_tags_tag_value_iam_binding.default["foobar/three:roles/resourcemanager.tagViewer"]:
condition: []
members:
- user:user3@example.com
role: roles/resourcemanager.tagViewer
google_tags_tag_value_iam_binding.default["foobar/two:roles/resourcemanager.tagViewer"]:
condition: []
members:
- user:user3@example.com
role: roles/resourcemanager.tagViewer
counts:
google_tags_tag_key: 4
google_tags_tag_key_iam_binding: 1
google_tags_tag_value: 3
google_tags_tag_value_iam_binding: 3


@@ -19,17 +19,7 @@ common_tfvars:
tests:
audit_config:
iam:
iam_additive:
logging:
logging_exclusions:
org_policies_list:
org_policies_boolean:
org_policies_custom_constraints:
tags:
firewall_policies:
firewall_policies_factory:
firewall_policies_factory_combined:
tfvars:
- firewall_policies.tfvars
- firewall_policies_factory.tfvars