kovagoadi/hunfabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix E2E tests.

Browse Source 
* Disable tests for VPC connector and Cloud Functions, CFs are not
  supporrted in the default region
* fix permissions to secrets for Cloud Run
* add permissions admin permissions to any SA within project to
  `var.bucket`
* add permissions to access the secret to any SA within project to
  secrets created by fixture
* disable custom roles in E2E tests, as `var.organization_id` is not the
  same org, within which projects are created in E2E
This commit is contained in:
Wiktor Niesiobędzki
2025-11-03 14:27:02 +00:00
parent 64632eb957
commit d5bc59a238
9 changed files with 22 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
modules/cloud-function-v1/README.md
View File

@@ -414,7 +414,7 @@ module "cf_http" {
egress_setting = "ALL_TRAFFIC" egress_setting = "ALL_TRAFFIC"
} }
} }
# tftest fixtures=fixtures/vpc-connector.tf inventory=service-vpc-access-connector.yaml e2e # tftest fixtures=fixtures/vpc-connector.tf inventory=service-vpc-access-connector.yaml
``` ```
If creation of the VPC Access Connector is required, use the `vpc_connector.create` and `vpc_connector_create` variable which also supports optional attributes like number of instances, machine type, or throughput. If creation of the VPC Access Connector is required, use the `vpc_connector.create` and `vpc_connector_create` variable which also supports optional attributes like number of instances, machine type, or throughput.
@@ -441,7 +441,7 @@ module "cf_http" {
} }
} }
} }
# tftest inventory=service-vpc-access-connector-create.yaml e2e # tftest inventory=service-vpc-access-connector-create.yaml
``` ```
Note that if you are using a Shared VPC for the connector, you need to specify a subnet and the host project if this is not where the Cloud Run service is deployed. Note that if you are using a Shared VPC for the connector, you need to specify a subnet and the host project if this is not where the Cloud Run service is deployed.
@@ -471,7 +471,7 @@ module "cf_http" {
} }
} }
} }
# tftest fixtures=fixtures/shared-vpc.tf inventory=service-vpc-access-connector-create-sharedvpc.yaml e2e # tftest fixtures=fixtures/shared-vpc.tf inventory=service-vpc-access-connector-create-sharedvpc.yaml
``` ```
<!-- BEGIN TFDOC --> <!-- BEGIN TFDOC -->
## Variables ## Variables

6
modules/cloud-function-v2/README.md
View File

@@ -346,7 +346,7 @@ module "cf_http" {
egress_setting = "ALL_TRAFFIC" egress_setting = "ALL_TRAFFIC"
} }
} }
# tftest fixtures=fixtures/vpc-connector.tf inventory=service-vpc-access-connector.yaml e2e # tftest fixtures=fixtures/vpc-connector.tf inventory=service-vpc-access-connector.yaml
``` ```
If creation of the VPC Access Connector is required, use the `vpc_connector.create` and `vpc_connector_create` variable which also supports optional attributes like number of instances, machine type, or throughput. If creation of the VPC Access Connector is required, use the `vpc_connector.create` and `vpc_connector_create` variable which also supports optional attributes like number of instances, machine type, or throughput.
@@ -373,7 +373,7 @@ module "cf_http" {
} }
} }
} }
# tftest inventory=service-vpc-access-connector-create.yaml e2e # tftest inventory=service-vpc-access-connector-create.yaml
``` ```
Note that if you are using a Shared VPC for the connector, you need to specify a subnet and the host project if this is not where the Cloud Run service is deployed. Note that if you are using a Shared VPC for the connector, you need to specify a subnet and the host project if this is not where the Cloud Run service is deployed.
@@ -403,7 +403,7 @@ module "cf_http" {
} }
} }
} }
# tftest fixtures=fixtures/shared-vpc.tf inventory=service-vpc-access-connector-create-sharedvpc.yaml e2e # tftest fixtures=fixtures/shared-vpc.tf inventory=service-vpc-access-connector-create-sharedvpc.yaml
``` ```
<!-- BEGIN TFDOC --> <!-- BEGIN TFDOC -->
## Variables ## Variables

4
modules/cloud-run-v2/README.md
View File

@@ -493,9 +493,7 @@ module "secrets" {
secrets = { secrets = {
otel-config = { otel-config = {
iam = { iam = {
"roles/secretmanager.secretAccessor" = [ "roles/secretmanager.secretAccessor" = [module.cloud_run.service_account_iam_email]
"serviceAccount:${var.project_number}-compute@developer.gserviceaccount.com"
]
} }
versions = { versions = {
v1 = { v1 = {

9
modules/project/README.md
View File

@@ -93,15 +93,12 @@ module "project" {
"stackdriver.googleapis.com" "stackdriver.googleapis.com"
] ]
context = { context = {
custom_roles = {
my_role = google_organization_iam_custom_role.custom_role.id # or module.organization.custom_roles["my_role"].id
}
iam_principals = { iam_principals = {
org_admins = "group:${var.group_email}" org_admins = "group:${var.group_email}"
} }
} }
iam = { iam = {
"$custom_roles:my_role" = [ "roles/cloudasset.owner" = [
"$iam_principals:org_admins" "$iam_principals:org_admins"
] ]
} }
@@ -119,9 +116,6 @@ module "project" {
parent = var.folder_id parent = var.folder_id
prefix = var.prefix prefix = var.prefix
context = { context = {
custom_roles = {
my_role = google_organization_iam_custom_role.custom_role.id # or module.organization.custom_roles["my_role"].id
}
iam_principals = { iam_principals = {
org_admins = "group:${var.group_email}" org_admins = "group:${var.group_email}"
} }
@@ -132,7 +126,6 @@ module "project" {
"roles/cloudsupport.techSupportEditor", "roles/cloudsupport.techSupportEditor",
"roles/iam.securityReviewer", "roles/iam.securityReviewer",
"roles/logging.admin", "roles/logging.admin",
"$custom_roles:my_role"
] ]
"$iam_principals:org_admins" = [ "$iam_principals:org_admins" = [
"roles/owner" "roles/owner"

8
tests/examples_e2e/setup_module/main.tf
View File

@@ -91,6 +91,14 @@ resource "google_storage_bucket" "bucket" {
depends_on = [google_project_service.project_service] depends_on = [google_project_service.project_service]
} }
resource "google_storage_bucket_iam_binding" "binding" {
bucket = google_storage_bucket.bucket.id
members = [
"principalSet://cloudresourcemanager.googleapis.com/projects/${google_project.project.number}/type/ServiceAccount"
]
role = "roles/storage.admin"
}
resource "google_compute_network" "network" { resource "google_compute_network" "network" {
name = "e2e-test" name = "e2e-test"
project = google_project.project.project_id project = google_project.project.project_id

1
tests/fixtures/secret-credentials.tf vendored
View File

@@ -23,6 +23,7 @@ module "secret-manager" {
"roles/secretmanager.secretAccessor" = [ "roles/secretmanager.secretAccessor" = [
"serviceAccount:${var.project_number}-compute@developer.gserviceaccount.com", "serviceAccount:${var.project_number}-compute@developer.gserviceaccount.com",
"serviceAccount:${var.project_id}@appspot.gserviceaccount.com", "serviceAccount:${var.project_id}@appspot.gserviceaccount.com",
"principalSet://cloudresourcemanager.googleapis.com/projects/${var.project_number}/type/ServiceAccount",
] ]
} }
versions = { versions = {

1
tests/modules/cloud_run_v2/examples/service-iam-env.yaml
View File

@@ -99,6 +99,7 @@ values:
? module.secret-manager.google_secret_manager_secret_iam_binding.authoritative["credentials.roles/secretmanager.secretAccessor"] ? module.secret-manager.google_secret_manager_secret_iam_binding.authoritative["credentials.roles/secretmanager.secretAccessor"]
: condition: [] : condition: []
members: members:
- principalSet://cloudresourcemanager.googleapis.com/projects/123/type/ServiceAccount
- serviceAccount:123-compute@developer.gserviceaccount.com - serviceAccount:123-compute@developer.gserviceaccount.com
- serviceAccount:project-id@appspot.gserviceaccount.com - serviceAccount:project-id@appspot.gserviceaccount.com
role: roles/secretmanager.secretAccessor role: roles/secretmanager.secretAccessor

3
tests/modules/project/examples/iam-authoritative.yaml
View File

@@ -28,11 +28,12 @@ values:
terraform_labels: terraform_labels:
goog-terraform-provisioned: 'true' goog-terraform-provisioned: 'true'
timeouts: null timeouts: null
module.project.google_project_iam_binding.authoritative["$custom_roles:my_role"]: module.project.google_project_iam_binding.authoritative["roles/cloudasset.owner"]:
condition: [] condition: []
members: members:
- group:organization-admins@example.org - group:organization-admins@example.org
project: test-project project: test-project
role: roles/cloudasset.owner
counts: counts:
google_project: 1 google_project: 1

9
tests/modules/project/examples/iam-group.yaml
View File

@@ -13,11 +13,6 @@
# limitations under the License. # limitations under the License.
values: values:
module.project.google_project_iam_binding.authoritative["$custom_roles:my_role"]:
condition: []
members:
- group:organization-admins@example.org
project: test-project
module.project.google_project_iam_binding.authoritative["roles/cloudasset.owner"]: module.project.google_project_iam_binding.authoritative["roles/cloudasset.owner"]:
condition: [] condition: []
members: members:
@@ -51,6 +46,6 @@ values:
counts: counts:
google_project: 1 google_project: 1
google_project_iam_binding: 6 google_project_iam_binding: 5
modules: 1 modules: 1
resources: 8 resources: 7