Merge remote-tracking branch 'origin/master' into fast-dev

2025-07-30 18:26:43 +00:00
parent 97f63fcc52 4ebfe6b274
commit d526af2844
7 changed files with 165 additions and 2 deletions
--- a/tests/fixtures/gke-cluster-standard.tf
+++ b/tests/fixtures/gke-cluster-standard.tf
@@ -33,8 +33,16 @@ module "gke-cluster-standard" {
  enable_features = {
    dataplane_v2        = true
    fqdn_network_policy = true
+    shielded_nodes      = true
    workload_identity   = true
  }
+  node_config = {
+    service_account               = module.gke-service-accounts.email
+    kubelet_readonly_port_enabled = false
+  }
+  node_pool_auto_config = {
+    network_tags = ["foo"] # to avoid perma-diff
+  }
 }

 module "gke-nodepool" {
@@ -49,4 +57,24 @@ module "gke-nodepool" {
      min_node_count = 1
    }
  }
+  service_account = { email = module.gke-service-accounts.email }
+  node_config = {
+    shielded_instance_config = {
+      enable_integrity_monitoring = true
+      enable_secure_boot          = true
+    }
+  }
+}
+
+module "gke-service-accounts" {
+  source     = "./fabric/modules/iam-service-account"
+  project_id = var.project_id
+  name       = "gke-sa"
+  # non-authoritative roles granted *to* the service accounts on other resources
+  iam_project_roles = {
+    "${var.project_id}" = [
+      "roles/logging.logWriter",
+      "roles/monitoring.metricWriter",
+    ]
+  }
 }
--- a/tests/modules/secure_source_manager_instance/examples/branch-protection-rules.yaml
+++ b/tests/modules/secure_source_manager_instance/examples/branch-protection-rules.yaml
@@ -0,0 +1,56 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.ssm_instance.google_secure_source_manager_branch_rule.branch_rules["my-repository.rule1"]:
+    allow_stale_reviews: false
+    branch_rule_id: rule1
+    disabled: false
+    include_pattern: main
+    location: europe-west8
+    minimum_approvals_count: 1
+    minimum_reviews_count: 1
+    project: project-id
+    repository_id: my-repository
+    require_comments_resolved: true
+    require_linear_history: true
+    require_pull_request: true
+    timeouts: null
+  module.ssm_instance.google_secure_source_manager_instance.instance[0]:
+    effective_labels:
+      goog-terraform-provisioned: 'true'
+    instance_id: my-instance
+    kms_key: null
+    labels: null
+    location: europe-west8
+    private_config: []
+    project: project-id
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
+    timeouts: null
+    workforce_identity_federation_config: []
+  module.ssm_instance.google_secure_source_manager_repository.repositories["my-repository"]:
+    description: null
+    initial_config: []
+    location: europe-west8
+    project: project-id
+    repository_id: my-repository
+    timeouts: null
+
+counts:
+  google_secure_source_manager_branch_rule: 1
+  google_secure_source_manager_instance: 1
+  google_secure_source_manager_repository: 1
+  modules: 1
+  resources: 3