Migrate VPC-SC tests to examples

modules/vpc-sc/README.md

@@ -31,7 +31,7 @@ module "test" {
     title  = "vpcsc-policy"
   }
 }
-# tftest modules=1 resources=1
+# tftest modules=1 resources=1 inventory=access-policy.yaml
 ```
 
 If you need the module to create a scoped policy for you, specify 'scopes' of the policy in the `access_policy_create` variable:
@@ -46,7 +46,7 @@ module "test" {
     scopes = ["folders/456789"]
   }
 }
-# tftest modules=1 resources=1
+# tftest modules=1 resources=1 inventory=scoped-access-policy.yaml
 ```
 
 ### Access levels
@@ -72,7 +72,7 @@ module "test" {
     }
   }
 }
-# tftest modules=1 resources=2
+# tftest modules=1 resources=2 inventory=access-levels.yaml
 ```
 
 ### Service perimeters
@@ -103,7 +103,7 @@ module "test" {
     }
   }
 }
-# tftest modules=1 resources=2
+# tftest modules=1 resources=2 inventory=bridge.yaml
 ```
 
 #### Regular type
@@ -172,7 +172,7 @@ module "test" {
     }
   }
 }
-# tftest modules=1 resources=3
+# tftest modules=1 resources=3 inventory=regular.yaml
 ```
 
 ## Notes

tests/modules/vpc_sc/examples/access-levels.yaml

@@ -0,0 +1,56 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.test.google_access_context_manager_access_level.basic["a1"]:
+    basic:
+    - combining_function: AND
+      conditions:
+      - device_policy: []
+        ip_subnetworks: []
+        members:
+        - user:user1@example.com
+        negate: null
+        regions: []
+        required_access_levels: []
+    custom: []
+    name: accessPolicies/12345678/accessLevels/a1
+    parent: accessPolicies/12345678
+    title: a1
+  module.test.google_access_context_manager_access_level.basic["a2"]:
+    basic:
+    - combining_function: OR
+      conditions:
+      - device_policy: []
+        ip_subnetworks:
+        - 101.101.101.0/24
+        members: []
+        negate: null
+        regions: []
+        required_access_levels: []
+      - device_policy: []
+        ip_subnetworks: []
+        members: []
+        negate: null
+        regions:
+        - IT
+        - FR
+        required_access_levels: []
+    custom: []
+    name: accessPolicies/12345678/accessLevels/a2
+    parent: accessPolicies/12345678
+    title: a2
+
+counts:
+  google_access_context_manager_access_level: 2

tests/modules/vpc_sc/examples/access-policy.yaml

@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -11,3 +11,12 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+
+values:
+  module.test.google_access_context_manager_access_policy.default[0]:
+    parent: organizations/123456
+    scopes: null
+    title: vpcsc-policy
+
+counts:
+  google_access_context_manager_access_policy: 1

tests/modules/vpc_sc/examples/bridge.yaml

@@ -0,0 +1,58 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.test.google_access_context_manager_service_perimeter.bridge["b1"]:
+    description: null
+    name: accessPolicies/12345678/servicePerimeters/b1
+    parent: accessPolicies/12345678
+    perimeter_type: PERIMETER_TYPE_BRIDGE
+    spec: []
+    status:
+    - access_levels: null
+      egress_policies: []
+      ingress_policies: []
+      resources:
+      - projects/111110
+      - projects/111111
+      restricted_services: null
+      vpc_accessible_services: []
+    title: b1
+    use_explicit_dry_run_spec: false
+  module.test.google_access_context_manager_service_perimeter.bridge["b2"]:
+    description: null
+    name: accessPolicies/12345678/servicePerimeters/b2
+    parent: accessPolicies/12345678
+    perimeter_type: PERIMETER_TYPE_BRIDGE
+    spec:
+    - access_levels: null
+      egress_policies: []
+      ingress_policies: []
+      resources:
+      - projects/222220
+      - projects/222221
+      restricted_services: null
+      vpc_accessible_services: []
+    status:
+    - access_levels: null
+      egress_policies: []
+      ingress_policies: []
+      resources: []
+      restricted_services: null
+      vpc_accessible_services: []
+    title: b2
+    use_explicit_dry_run_spec: true
+
+counts:
+  google_access_context_manager_service_perimeter: 2

tests/modules/vpc_sc/examples/regular.yaml

@@ -0,0 +1,93 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.test.google_access_context_manager_access_level.basic["a1"]:
+    basic:
+    - combining_function: AND
+      conditions:
+      - device_policy: []
+        ip_subnetworks: []
+        members:
+        - user:user1@example.com
+        negate: null
+        regions: []
+        required_access_levels: []
+    custom: []
+    name: accessPolicies/12345678/accessLevels/a1
+    parent: accessPolicies/12345678
+    title: a1
+  module.test.google_access_context_manager_access_level.basic["a2"]:
+    basic:
+    - combining_function: AND
+      conditions:
+      - device_policy: []
+        ip_subnetworks: []
+        members:
+        - user:user2@example.com
+        negate: null
+        regions: []
+        required_access_levels: []
+    custom: []
+    name: accessPolicies/12345678/accessLevels/a2
+    parent: accessPolicies/12345678
+    title: a2
+  module.test.google_access_context_manager_service_perimeter.regular["r1"]:
+    name: accessPolicies/12345678/servicePerimeters/r1
+    parent: accessPolicies/12345678
+    perimeter_type: PERIMETER_TYPE_REGULAR
+    spec: []
+    status:
+    - egress_policies:
+      - egress_from:
+        - identities:
+          - serviceAccount:foo@myproject.iam.gserviceaccount.com
+          identity_type: ANY_IDENTITY
+        egress_to:
+        - external_resources: null
+          operations:
+          - method_selectors:
+            - method: '*'
+              permission: null
+            service_name: storage.googleapis.com
+          resources:
+          - projects/123456789
+      ingress_policies:
+      - ingress_from:
+        - identities:
+          - serviceAccount:test-tf@myproject.iam.gserviceaccount.com
+          identity_type: null
+          sources:
+          - resource: null
+        ingress_to:
+        - operations:
+          - method_selectors: []
+            service_name: '*'
+          resources:
+          - '*'
+      resources:
+      - projects/11111
+      - projects/111111
+      restricted_services:
+      - storage.googleapis.com
+      vpc_accessible_services:
+      - allowed_services:
+        - storage.googleapis.com
+        enable_restriction: true
+    title: r1
+    use_explicit_dry_run_spec: false
+
+counts:
+  google_access_context_manager_access_level: 2
+  google_access_context_manager_service_perimeter: 1

tests/modules/vpc_sc/examples/scoped-access-policy.yaml

@@ -0,0 +1,23 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.test.google_access_context_manager_access_policy.default[0]:
+    parent: organizations/123456
+    scopes:
+    - folders/456789
+    title: vpcsc-policy
+
+counts:
+  google_access_context_manager_access_policy: 1

tests/modules/vpc_sc/fixture/main.tf

@@ -1,26 +0,0 @@
-/**
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-module "test" {
-  source                     = "../../../../modules/vpc-sc"
-  access_policy              = var.access_policy
-  access_policy_create       = var.access_policy_create
-  access_levels              = var.access_levels
-  egress_policies            = var.egress_policies
-  ingress_policies           = var.ingress_policies
-  service_perimeters_bridge  = var.service_perimeters_bridge
-  service_perimeters_regular = var.service_perimeters_regular
-}

tests/modules/vpc_sc/fixture/test.regular.tfvars

@@ -1,96 +0,0 @@
-access_levels = {
-  a1 = {
-    combining_function = null
-    conditions = [
-      {
-        device_policy          = null
-        ip_subnetworks         = null
-        members                = ["user:ludomagno@google.com"]
-        negate                 = null
-        regions                = null
-        required_access_levels = null
-      }
-    ]
-  }
-  a2 = {
-    combining_function = "OR"
-    conditions = [
-      {
-        device_policy          = null
-        ip_subnetworks         = null
-        members                = null
-        negate                 = null
-        regions                = ["IT", "FR"]
-        required_access_levels = null
-      },
-      {
-        device_policy          = null
-        ip_subnetworks         = null
-        members                = null
-        negate                 = null
-        regions                = ["US"]
-        required_access_levels = null
-      }
-    ]
-  }
-}
-egress_policies = {
-  foo = {
-    from = {
-      identities = ["user:foo@example.com"]
-    }
-    to = {
-      resources = ["projects/333330"]
-    }
-  }
-}
-ingress_policies = {
-  foo = {
-    from = {
-      source_access_levels = ["a2"]
-      source_resources     = ["projects/333330"]
-    }
-    to = {
-      operations = [{
-        service_name = "compute.googleapis.com"
-      }]
-      resources = ["projects/222220"]
-    }
-  }
-}
-service_perimeters_bridge = {
-  b1 = {
-    status_resources = ["projects/111110", "projects/111111"]
-  }
-  b2 = {
-    status_resources          = ["projects/111110", "projects/222220"]
-    spec_resources            = ["projects/111110", "projects/222220"]
-    use_explicit_dry_run_spec = true
-  }
-}
-service_perimeters_regular = {
-  r1 = {
-    status = {
-      access_levels       = ["a1"]
-      resources           = ["projects/11111", "projects/111111"]
-      restricted_services = ["storage.googleapis.com"]
-      vpc_accessible_services = {
-        allowed_services   = ["compute.googleapis.com"]
-        enable_restriction = true
-      }
-    }
-  }
-  r2 = {
-    status = {
-      access_levels       = ["a1", "a2"]
-      resources           = ["projects/222220", "projects/222221"]
-      restricted_services = ["storage.googleapis.com"]
-      egress_policies     = ["foo"]
-      ingress_policies    = ["foo"]
-      vpc_accessible_services = {
-        allowed_services   = ["compute.googleapis.com"]
-        enable_restriction = true
-      }
-    }
-  }
-}

tests/modules/vpc_sc/fixture/variables.tf

@@ -1,53 +0,0 @@
-/**
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-variable "access_levels" {
-  type     = any
-  default  = {}
-  nullable = false
-}
-
-variable "access_policy" {
-  type = string
-}
-
-variable "access_policy_create" {
-  type    = any
-  default = null
-}
-
-variable "egress_policies" {
-  type     = any
-  default  = {}
-  nullable = false
-}
-
-variable "ingress_policies" {
-  type     = any
-  default  = {}
-  nullable = false
-}
-
-variable "service_perimeters_bridge" {
-  type    = any
-  default = {}
-}
-
-variable "service_perimeters_regular" {
-  type     = any
-  default  = {}
-  nullable = false
-}

tests/modules/vpc_sc/test_plan.py

@@ -1,45 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import collections
-
-
-def test_create_policy(plan_runner):
-  "Test with auto-created policy."
-  access_policy_create = '''{
-    parent = "organizations/123456"
-    title  = "vpcsc-policy"
-  }'''
-  _, resources = plan_runner(tf_var_file='test.regular.tfvars',
-                             access_policy='null',
-                             access_policy_create=access_policy_create)
-  counts = collections.Counter(f'{r["type"]}.{r["name"]}' for r in resources)
-  assert counts == {
-      'google_access_context_manager_access_level.basic': 2,
-      'google_access_context_manager_access_policy.default': 1,
-      'google_access_context_manager_service_perimeter.bridge': 2,
-      'google_access_context_manager_service_perimeter.regular': 2
-  }
-
-
-def test_use_policy(plan_runner):
-  "Test with existing policy."
-  _, resources = plan_runner(tf_var_file='test.regular.tfvars',
-                             access_policy="accessPolicies/foobar")
-  counts = collections.Counter(f'{r["type"]}.{r["name"]}' for r in resources)
-  assert counts == {
-      'google_access_context_manager_access_level.basic': 2,
-      'google_access_context_manager_service_perimeter.bridge': 2,
-      'google_access_context_manager_service_perimeter.regular': 2
-  }