From afec9771dfc01d5e8d64cc4d17e1ac4aab22b414 Mon Sep 17 00:00:00 2001
From: Paul Xu
Date: Wed, 17 Jul 2024 16:15:06 -0400
Subject: [PATCH 01/34] update terraform and provider version

---
 version.tf | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/version.tf b/version.tf
index d77d8ab..ddb8142 100644
--- a/version.tf
+++ b/version.tf
@@ -1,7 +1,10 @@
 terraform {
- required_version = ">= 1.5.0"
+ required_version = ">= 1.9.0"
 
 required_providers {
- google = ">= 4.69.0, <5.0.0"
+ google = {
+ source = "hashicorp/google"
+ version = "5.38.0"
+ }
 }
 }

From d4ce2eeb6c61d379af2275aa4cf01f64549a9d7e Mon Sep 17 00:00:00 2001
From: Paul Xu
Date: Wed, 17 Jul 2024 16:15:27 -0400
Subject: [PATCH 02/34] update terraform version in simple-project

---
 examples/simple-project/versions.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/simple-project/versions.tf b/examples/simple-project/versions.tf
index fd126d1..bfb98ab 100644
--- a/examples/simple-project/versions.tf
+++ b/examples/simple-project/versions.tf
@@ -1,3 +1,3 @@
 terraform {
- required_version = ">= 1.5.0"
+ required_version = ">= 1.9.0"
 }

From c51c2acd6f526f65d9cded334992ce49d0d87ad7 Mon Sep 17 00:00:00 2001
From: Paul Xu
Date: Wed, 17 Jul 2024 16:15:47 -0400
Subject: [PATCH 03/34] Update .tool-versions

---
 .tool-versions | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.tool-versions b/.tool-versions
index bbb0794..e3ffd93 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -1,2 +1,2 @@
-terraform 1.5.0
-ruby 3.2.2
+terraform 1.9.2
+ruby 3.3.4

From 91ca0f1936afcda6d65e01ed3a96dc5533110cdf Mon Sep 17 00:00:00 2001
From: Paul Xu
Date: Wed, 17 Jul 2024 16:16:02 -0400
Subject: [PATCH 04/34] update kitchen version

---
 Gemfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Gemfile b/Gemfile
index 00a7e64..f435cee 100644
--- a/Gemfile
+++ b/Gemfile
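Review bot: Pinning the `google` provider to the exact version `5.38.0` inside this module's own `required_providers` is a point of style worth reconsidering for a reusable module: any consumer root that also constrains `hashicorp/google` must resolve to exactly 5.38.0 or `terraform init` fails with a constraint conflict, and later 5.x releases carrying fixes cannot be picked up without cutting a new module release. A range such as `version = ">= 5.38.0, < 6.0.0"` keeps the major-version guard while leaving the exact pin and hash verification to the root module's `.terraform.lock.hcl`. The `required_version = ">= 1.9.0"` bump is fine and is matched by the `.tool-versions` change in patch 03.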
@@ -1,3 +1,3 @@
 source "https://rubygems.org/" do
- gem "kitchen-terraform", "~> 7.0.0"
+ gem "kitchen-terraform", "~> 7.2.0"
 end
\ No newline at end of file

From 0bad5674d8198ca133b4c7c2ae65f0eddcb87c55 Mon Sep 17 00:00:00 2001
From: Paul Xu
Date: Wed, 17 Jul 2024 16:16:26 -0400
Subject: [PATCH 05/34] update Dockerfile to use .tool-versions only

---
 .ruby-version | 1 -
 .terraform-version | 1 -
 Dockerfile | 8 ++++----
 3 files changed, 4 insertions(+), 6 deletions(-)
 delete mode 100644 .ruby-version
 delete mode 100644 .terraform-version

diff --git a/.ruby-version b/.ruby-version
deleted file mode 100644
index be94e6f..0000000
--- a/.ruby-version
+++ /dev/null
@@ -1 +0,0 @@
-3.2.2
diff --git a/.terraform-version b/.terraform-version
deleted file mode 100644
index 3e1ad72..0000000
--- a/.terraform-version
+++ /dev/null
@@ -1 +0,0 @@
-1.5.0
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index c13d66d..204e474 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
-FROM hashicorp/terraform:1.5.0
+FROM hashicorp/terraform:1.9.2
 
-COPY .ruby-version .ruby-version
+COPY .tool-versions .tool-versions
 
 # Update and install all of the required packages.
 # At the end, remove the apk cache
@@ -9,8 +9,8 @@ RUN apk upgrade && \
 bash \
 curl-dev \
 curl \
- "ruby-dev=~$(cat .ruby-version)" \
- "ruby-full=~$(cat .ruby-version)" \
+ "ruby-dev=~$(grep ruby .tool-versions | awk '{print $2}')" \
+ "ruby-full=~$(grep ruby .tool-versions | awk '{print $2}')" \
 build-base \
 python3 && \
 rm -rf /var/cache/apk/*

From c783ce0ad34e3b6dc96687a252f89df4db41b4e5 Mon Sep 17 00:00:00 2001
From: Paul Xu
Date: Wed, 17 Jul 2024 16:16:49 -0400
Subject: [PATCH 06/34] Update module versions

---
 main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/main.tf b/main.tf
index 2b86034..a776561 100644
--- a/main.tf
+++ b/main.tf
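Review bot: `grep ruby .tool-versions` in the new `ruby-dev` and `ruby-full` lines of the Dockerfile hunk matches any line that merely contains the substring `ruby`, so a second matching entry in `.tool-versions` (a constructed example: a `jruby` line) would print two versions and yield a malformed apk constraint. Anchoring on the tool name makes the extraction exact and drops a process: `"ruby-dev=~$(awk '/^ruby /{print $2}' .tool-versions)"` and the same for `ruby-full`. The identical pattern is carried forward into the Dockerfile hunks of patches 12 and 14, so the fix applies there too. The switch from `COPY .ruby-version` to `COPY .tool-versions` is fine as the single source of truth.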
@@ -1,6 +1,6 @@ module "project" { source = "terraform-google-modules/project-factory/google" - version = "= 14.2.0" + version = "= 15.0.1" name = var.project_name random_project_id = true @@ -22,7 +22,7 @@ module "project" { module "projects_iam_bindings" { source = "terraform-google-modules/iam/google//modules/projects_iam" - version = "7.6.0" + version = "7.7.1" mode = "authoritative" projects = [module.project.project_id] bindings = { From 9aa5fee4aa30855d01e223e259d82aa4eac1ce6c Mon Sep 17 00:00:00 2001 From: Paul Xu Date: Wed, 17 Jul 2024 16:17:07 -0400 Subject: [PATCH 07/34] update pre-commit versions --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index a699936..923305a 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.81.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases + rev: v1.92.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases hooks: - id: terraform_fmt - id: terraform_docs From af326ed73852f4e9417b6a989100a91ba89e70a3 Mon Sep 17 00:00:00 2001 From: Paul Xu Date: Wed, 17 Jul 2024 16:17:28 -0400 Subject: [PATCH 08/34] update inspec version --- test/integration/simple-project/inspec.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/integration/simple-project/inspec.yml b/test/integration/simple-project/inspec.yml index c9ed8ad..632fe36 100644 --- a/test/integration/simple-project/inspec.yml +++ b/test/integration/simple-project/inspec.yml @@ -5,7 +5,7 @@ copyright: Brown University license: MIT summary: An InSpec Compliance Profile For GCP version: 0.1.0 -inspec_version: ">= 2.3.5" +inspec_version: ">= 5.22.50" attributes: - name: project_id required: true 
@@ -35,6 +35,6 @@ attributes: depends: - name: inspec-gcp git: https://github.com/inspec/inspec-gcp.git - tag: v1.10.37 + tag: v1.11.123 supports: - platform: gcp From 4b2b14b800df6cf1cb2fb4b8dbb991b276fa8105 Mon Sep 17 00:00:00 2001 From: Paul Xu Date: Wed, 17 Jul 2024 16:17:42 -0400 Subject: [PATCH 09/34] update github action versions --- .github/workflows/kitchen-tests.yml | 10 +++++----- .github/workflows/pr-labeler.yml | 2 +- .github/workflows/release-drafter.yml | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/kitchen-tests.yml b/.github/workflows/kitchen-tests.yml index 494d36f..0aa156a 100644 --- a/.github/workflows/kitchen-tests.yml +++ b/.github/workflows/kitchen-tests.yml @@ -23,13 +23,13 @@ jobs: - uses: actions/checkout@v3 - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 - name: Log in to the Container registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -37,7 +37,7 @@ jobs: - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@v4 + uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | @@ -69,7 +69,7 @@ jobs: image: "${{ needs.docker.outputs.full_image_id }}" steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Create Credential File run: | echo "$GCP_CREDENTIAL_JSON" | base64 -d > /tmp/credentials.json diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml index d436828..5afdeff 100644 --- a/.github/workflows/pr-labeler.yml +++ b/.github/workflows/pr-labeler.yml 
@@ -7,7 +7,7 @@ jobs: pr-labeler: runs-on: ubuntu-latest steps: - - uses: TimonVS/pr-labeler-action@v4 + - uses: TimonVS/pr-labeler-action@v5 with: configuration-path: .github/pr-labeler.yml # optional, .github/pr-labeler.yml is the default value env: diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index e43769d..97f1b03 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: # Drafts your next Release notes as Pull Requests are merged into "master" - - uses: release-drafter/release-drafter@v5 + - uses: release-drafter/release-drafter@v6 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From a2d739ff961ddc2c6afde2665049eee0dfb0717a Mon Sep 17 00:00:00 2001 From: Paul Xu Date: Wed, 17 Jul 2024 16:17:51 -0400 Subject: [PATCH 10/34] Update readme file --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3213407..099b7f4 100644 --- a/README.md +++ b/README.md @@ -106,7 +106,7 @@ Alternatively you can use [tfenv](https://github.com/tfutils/tfenv) and [rbenv]( ### Terraform and Ruby -The tests can simply run in CI. If you want to run the tests locally, you will need to install the version of terraform and Ruby specified in the `.tool-versions` file (or `.terraform-version`, `.ruby-version`). +The tests can simply run in CI. If you want to run the tests locally, you will need to install the version of terraform and Ruby specified in the `.tool-versions` file. ``` asdf plugin-add terraform https://github.com/asdf-community/asdf-hashicorp.git From 9b4f4d3c634193a0002bab2574645728b78b68cd Mon Sep 17 00:00:00 2001 From: Paul Xu Date: Wed, 17 Jul 2024 16:25:47 -0400 Subject: [PATCH 11/34] update ruby version --- .tool-versions | 2 +- Gemfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.tool-versions b/.tool-versions index e3ffd93..4088eb6 100644 --- a/.tool-versions 
+++ b/.tool-versions
@@ -1,2 +1,2 @@
 terraform 1.9.2
-ruby 3.3.4
+ruby 3.2.2
diff --git a/Gemfile b/Gemfile
index f435cee..ddc69d8 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,3 +1,3 @@
 source "https://rubygems.org/" do
- gem "kitchen-terraform", "~> 7.2.0"
+ gem "kitchen-terraform", "~> 7.0.2"
 end
\ No newline at end of file

From 270b68e1e898ecd85076ac2d40b8901616be0ca4 Mon Sep 17 00:00:00 2001
From: Paul Xu
Date: Wed, 17 Jul 2024 16:38:26 -0400
Subject: [PATCH 12/34] update ruby version

---
 .tool-versions | 2 +-
 Dockerfile | 4 ++--
 test/integration/simple-project/inspec.yml | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.tool-versions b/.tool-versions
index 4088eb6..414a1f9 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -1,2 +1,2 @@
 terraform 1.9.2
-ruby 3.2.2
+ruby 3.3.3
diff --git a/Dockerfile b/Dockerfile
index 204e474..7241bcf 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,8 +9,8 @@ RUN apk upgrade && \
 bash \
 curl-dev \
 curl \
- "ruby-dev=~$(grep ruby .tool-versions | awk '{print $2}')" \
- "ruby-full=~$(grep ruby .tool-versions | awk '{print $2}')" \
+ "ruby-dev=~$(grep ruby .tool-versions | awk '{print $2}' | tr -d '\n')" \
+ "ruby-full=~$(grep ruby .tool-versions | awk '{print $2}' | tr -d '\n')" \
 build-base \
 python3 && \
 rm -rf /var/cache/apk/*
diff --git a/test/integration/simple-project/inspec.yml b/test/integration/simple-project/inspec.yml
index 632fe36..c9ed8ad 100644
--- a/test/integration/simple-project/inspec.yml
+++ b/test/integration/simple-project/inspec.yml
@@ -5,7 +5,7 @@ copyright: Brown University
 license: MIT
 summary: An InSpec Compliance Profile For GCP
 version: 0.1.0
-inspec_version: ">= 5.22.50"
+inspec_version: ">= 2.3.5"
 attributes:
 - name: project_id
 required: true
@@ -35,6 +35,6 @@ attributes:
 depends:
 - name: inspec-gcp
 git: https://github.com/inspec/inspec-gcp.git
- tag: v1.11.123
+ tag: v1.10.37
 supports:
 - platform: gcp

From 2b81c28da92d29b50f28a08b44b2006a59c119f8 Mon Sep 17 00:00:00 2001
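Review bot: The `| tr -d '\n'` appended to the `ruby-dev` and `ruby-full` lines in patch 12's Dockerfile hunk is a no-op, because `$(...)` command substitution already strips trailing newlines, so the resulting apk constraint is byte-identical to before and the extra stage only obscures intent. If the motivation was a stray second line from `grep ruby`, anchoring the match is the real fix: `"ruby-dev=~$(awk '/^ruby /{print $2}' .tool-versions)"`. Separately, this commit also reverts the inspec.yml version bump from patch 08, which the subject `update ruby version` does not mention; a reader bisecting later will not expect that here.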
From: Paul Xu Date: Wed, 17 Jul 2024 16:43:31 -0400 Subject: [PATCH 13/34] update inspec version --- test/integration/simple-project/inspec.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/integration/simple-project/inspec.yml b/test/integration/simple-project/inspec.yml index c9ed8ad..b75326e 100644 --- a/test/integration/simple-project/inspec.yml +++ b/test/integration/simple-project/inspec.yml @@ -5,7 +5,7 @@ copyright: Brown University license: MIT summary: An InSpec Compliance Profile For GCP version: 0.1.0 -inspec_version: ">= 2.3.5" +inspec_version: ">= 5.22.3" attributes: - name: project_id required: true From 5956a912a1348de0cccbb5b8188d82f1c20d352d Mon Sep 17 00:00:00 2001 From: Paul Xu Date: Wed, 17 Jul 2024 17:00:58 -0400 Subject: [PATCH 14/34] add linux-headers to docker image --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 7241bcf..0aeb4f1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -9,6 +9,7 @@ RUN apk upgrade && \ bash \ curl-dev \ curl \ + linux-headers \ "ruby-dev=~$(grep ruby .tool-versions | awk '{print $2}' | tr -d '\n')" \ "ruby-full=~$(grep ruby .tool-versions | awk '{print $2}' | tr -d '\n')" \ build-base \ From 7540f4062c919c7b800ede4ba7af226932a21de0 Mon Sep 17 00:00:00 2001 From: Paul Xu Date: Wed, 17 Jul 2024 17:11:53 -0400 Subject: [PATCH 15/34] force perform clean operations in dockerfile --- Dockerfile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 0aeb4f1..0680246 100644 --- a/Dockerfile +++ b/Dockerfile @@ -20,8 +20,10 @@ RUN mkdir /usr/app WORKDIR /usr/app COPY Gemfile* ./ -RUN gem install bundler && \ +RUN gem cleanup && \ + gem install bundler && \ bundle config set system 'true' && \ + bundle clean --force && \ bundle install From 77f35a67d9bdff948ddc210d3ad029a8ccb75ea4 Mon Sep 17 00:00:00 2001 
From: Paul Xu Date: Wed, 17 Jul 2024 17:13:11 -0400 Subject: [PATCH 16/34] force perform clean operations in dockerfile --- Dockerfile | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 0680246..0aeb4f1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -20,10 +20,8 @@ RUN mkdir /usr/app WORKDIR /usr/app COPY Gemfile* ./ -RUN gem cleanup && \ - gem install bundler && \ +RUN gem install bundler && \ bundle config set system 'true' && \ - bundle clean --force && \ bundle install From 517b284310051ca71c83d93d7a96ab9435159d86 Mon Sep 17 00:00:00 2001 From: Paul Xu Date: Wed, 17 Jul 2024 17:32:47 -0400 Subject: [PATCH 17/34] downgrade inspec version --- .github/workflows/kitchen-tests.yml | 2 +- test/integration/simple-project/inspec.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/kitchen-tests.yml b/.github/workflows/kitchen-tests.yml index 0aa156a..a9dcae8 100644 --- a/.github/workflows/kitchen-tests.yml +++ b/.github/workflows/kitchen-tests.yml @@ -20,7 +20,7 @@ jobs: outputs: full_image_id: ${{ steps.save_full_image_id.outputs.full_image_id }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Set up QEMU uses: docker/setup-qemu-action@v3 diff --git a/test/integration/simple-project/inspec.yml b/test/integration/simple-project/inspec.yml index b75326e..c9ed8ad 100644 --- a/test/integration/simple-project/inspec.yml +++ b/test/integration/simple-project/inspec.yml @@ -5,7 +5,7 @@ copyright: Brown University license: MIT summary: An InSpec Compliance Profile For GCP version: 0.1.0 -inspec_version: ">= 5.22.3" +inspec_version: ">= 2.3.5" attributes: - name: project_id required: true From 9bf33b392635ba7ceb520b3a36eeee368d0d2669 Mon Sep 17 00:00:00 2001 
From: Paul Xu
Date: Wed, 17 Jul 2024 19:07:28 -0400
Subject: [PATCH 18/34] run terraform test in ci

---
 .github/workflows/kitchen-tests.yml | 6 +-
 .terraform.lock.hcl | 102 ++++++++++++++++++
 README.md | 8 +-
 tests/simple-project/main.tf | 17 +++
 tests/simple-project/outputs.tf | 28 +++++
 tests/simple-project/terraform.tfvars.example | 5 +
 tests/simple-project/variables.tf | 22 ++++
 tests/simple-project/versions.tf | 3 +
 tests/simple_project.tftest.hcl | 17 +++
 9 files changed, 202 insertions(+), 6 deletions(-)
 create mode 100644 .terraform.lock.hcl
 create mode 100644 tests/simple-project/main.tf
 create mode 100644 tests/simple-project/outputs.tf
 create mode 100644 tests/simple-project/terraform.tfvars.example
 create mode 100644 tests/simple-project/variables.tf
 create mode 100644 tests/simple-project/versions.tf
 create mode 100644 tests/simple_project.tftest.hcl

diff --git a/.github/workflows/kitchen-tests.yml b/.github/workflows/kitchen-tests.yml
index a9dcae8..774461d 100644
--- a/.github/workflows/kitchen-tests.yml
+++ b/.github/workflows/kitchen-tests.yml
@@ -75,8 +75,10 @@ jobs:
 echo "$GCP_CREDENTIAL_JSON" | base64 -d > /tmp/credentials.json
 env:
 GCP_CREDENTIAL_JSON: ${{ secrets.GCP_CI_CREDENTIAL_JSON}}
- - name: Run Kitchen
- run: kitchen test
+ - name: Run terraform test
+ run: |
+ terraform init
+ terraform test
 env:
 TF_VAR_billing_account: ${{ secrets.GCP_BURWOOD_BILLING_ACCOUNT }}
 TF_VAR_org_id: ${{ secrets.GCP_ORG_ID }}
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
new file mode 100644
index 0000000..5eb547b
--- /dev/null
+++ b/.terraform.lock.hcl
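Review bot: The new `terraform init` line in the `Run terraform test` step runs without `-lockfile=readonly`, so if `version.tf` and the `.terraform.lock.hcl` added in this same patch ever disagree, CI silently rewrites the lock and installs whatever resolves, and the provider hashes the commit pins are never actually enforced. Changing the line to `terraform init -lockfile=readonly` makes the job fail loudly instead, which is the point of committing the lock. The job's `env` block continues past the hunk, so I cannot see how `/tmp/credentials.json` from the step above is handed to Terraform (presumably via an environment variable set outside the hunk); worth confirming, since `terraform test` here creates real projects and, as far as I know, only destroys them if the run completes, leaving a cancelled or timed-out job with a live project to clean up by hand.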
@@ -0,0 +1,102 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/google" { + version = "5.38.0" + constraints = ">= 3.43.0, >= 3.53.0, >= 4.28.0, >= 5.22.0, 5.38.0, < 6.0.0" + hashes = [ + "h1:5xqoIwJbuXeHvq2NVt9S783fGS05hQUHg1AnnIJ+6EI=", + "zh:0db794dfbd4d3604499f1a4011faf7aa3f4c07eace32aa238bdf0b235965259a", + "zh:372f399f67c7e320c25e71d5a2c4c9bad6b4f9b35f7fcdc86fb5009711e34751", + "zh:a010ff05ea62396ee5d0771c614a7e6abd6a869e8ee9b7d9da0747eb4b10f2ba", + "zh:a416a2d7784436409a317cdf42a82eaf98d0f2d935bb5bacb50820f88207e1d9", + "zh:b3926e2295604c87aae81f305d0d1960157a734811ec0b3324f933c8c2421b1a", + "zh:c317d75cf290fac34be9438c14ecf8a9f80f966823e5346020fe7b6c6281259b", + "zh:c97127635c25cc72fc3e2d6bb48b2e9f88730b3c46629bdc335e391791ad53da", + "zh:ccfd23ad869c3bd2037a231718dea44e42c12cff605880edbb37c46255bd1e91", + "zh:dfd389432df9084e54c32809ab960058bafa002393a051640d11bf70533f1cc7", + "zh:ecb5b65be8188a51b19b37be587797a72b238bbdc252aee2e1e22dd5f59e20df", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fa5f5d9bce05bb02ef58bead70e4b8653feb98293eb4e0d95bce58b3b1f0a943", + ] +} + +provider "registry.terraform.io/hashicorp/google-beta" { + version = "5.38.0" + constraints = ">= 3.43.0, >= 4.11.0, >= 5.22.0, < 6.0.0" + hashes = [ + "h1:Q4bKg0gqqOa3IUks206PqHTTyDM0LsLB/lwpn0AALnk=", + "zh:19b33b874b1aa47699dfefc2691464932d6974fbe14bff7b60e0f64b3142e334", + "zh:215f675174d4074f11226f5c48b75880b59c2d56f0ae22ae3ea16012023b68e3", + "zh:22bc73738a7a57e3a022b28bdb34039da07cc105c1f46b288002c02b05c05a71", + "zh:4876a02bc040c98fb662e985a78caecd2b6a7355480362648ff36826e45d09fa", + "zh:899a64484ea44092dd0822478032e87f661dd85e8d735adbb553f7796d7ee497", + "zh:991990de697bd32066e4f2b67aa10c59b84e18f75170be976e75fb711cd0070f", + "zh:a4db4d424c060c0e8f686b0fb714aa7d41e3a5ba20d6aba05496eb8c6e635a3d", + 
"zh:a988d8a24e673aeff6b1a298d731ed69ef63bba7af9cd4ceb5c51834eecf9fde", + "zh:be3855a320cc44b1936c0778c9cbcaebe92435a2d5eef1f6e5a967ce2a3dc01e", + "zh:e26c72bc15ae27a3a6a99ed0f60ed38f2fca54a310c7ddfee3126b93fb90509e", + "zh:efbe757f0764a1dd69d23a440c03eaf69a8e5742ad63e814212611a16d769eb6", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.2" + constraints = ">= 2.1.0" + hashes = [ + "h1:IMVAUHKoydFrlPrl9OzasDnw/8ntZFerCC9iXw1rXQY=", + "zh:3248aae6a2198f3ec8394218d05bd5e42be59f43a3a7c0b71c66ec0df08b69e7", + "zh:32b1aaa1c3013d33c245493f4a65465eab9436b454d250102729321a44c8ab9a", + "zh:38eff7e470acb48f66380a73a5c7cdd76cc9b9c9ba9a7249c7991488abe22fe3", + "zh:4c2f1faee67af104f5f9e711c4574ff4d298afaa8a420680b0cb55d7bbc65606", + "zh:544b33b757c0b954dbb87db83a5ad921edd61f02f1dc86c6186a5ea86465b546", + "zh:696cf785090e1e8cf1587499516b0494f47413b43cb99877ad97f5d0de3dc539", + "zh:6e301f34757b5d265ae44467d95306d61bef5e41930be1365f5a8dcf80f59452", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:913a929070c819e59e94bb37a2a253c228f83921136ff4a7aa1a178c7cce5422", + "zh:aa9015926cd152425dbf86d1abdbc74bfe0e1ba3d26b3db35051d7b9ca9f72ae", + "zh:bb04798b016e1e1d49bcc76d62c53b56c88c63d6f2dfe38821afef17c416a0e1", + "zh:c23084e1b23577de22603cff752e59128d83cfecc2e6819edadd8cf7a10af11e", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.6.2" + constraints = ">= 2.2.0" + hashes = [ + "h1:VavG5unYCa3SYISMKF9pzc3718M0bhPlcbUZZGl7wuo=", + "zh:0ef01a4f81147b32c1bea3429974d4d104bbc4be2ba3cfa667031a8183ef88ec", + "zh:1bcd2d8161e89e39886119965ef0f37fcce2da9c1aca34263dd3002ba05fcb53", + "zh:37c75d15e9514556a5f4ed02e1548aaa95c0ecd6ff9af1119ac905144c70c114", + "zh:4210550a767226976bc7e57d988b9ce48f4411fa8a60cd74a6b246baf7589dad", + "zh:562007382520cd4baa7320f35e1370ffe84e46ed4e2071fdc7e4b1a9b1f8ae9b", + 
"zh:5efb9da90f665e43f22c2e13e0ce48e86cae2d960aaf1abf721b497f32025916", + "zh:6f71257a6b1218d02a573fc9bff0657410404fb2ef23bc66ae8cd968f98d5ff6", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:9647e18f221380a85f2f0ab387c68fdafd58af6193a932417299cdcae4710150", + "zh:bb6297ce412c3c2fa9fec726114e5e0508dd2638cad6a0cb433194930c97a544", + "zh:f83e925ed73ff8a5ef6e3608ad9225baa5376446349572c2449c0c0b3cf184b7", + "zh:fbef0781cb64de76b1df1ca11078aecba7800d82fd4a956302734999cfd9a4af", + ] +} + +provider "registry.terraform.io/hashicorp/time" { + version = "0.12.0" + constraints = ">= 0.5.0" + hashes = [ + "h1:Os2Ok7txtlUJHh6Hg7o+74Ql85SnRb/fGmah22yXpLw=", + "zh:019a4c09af254ef80b72cf0d843dfe72d99483e227138cf5b514a1b9977ab4c3", + "zh:0ae310ec740ebc6f275529507d60bb747d0bf39e72fc5a2fa90d74486006132c", + "zh:13d6aec117f05237fbf8c7d91d6ebb19797b00aa87e7a812642d3ea4738a394e", + "zh:2e87abbc261f9317d0c2ef26e01d5fabf77679da7d2cac6f47df7d198f720989", + "zh:4a6d471176ce0264455aa7d5457b8702f78400010c201c1719708958a1b7b647", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:8978d5474a6da30bc0ad21c17db188d6918cacf3df3f6506b72ef3a268d53e2e", + "zh:b109efe138dfcb45dc04a9cc6809d185ab8b0ebc12040847c2dac430fda5af68", + "zh:b58e039b9106ac0a8de3c07f53b5279d7f0215fb35f2d23df642dfce0875382f", + "zh:ba2cbb2e515922d13efe3a46647be84f5426fcfcaa0f1520b3efeab8db847ed3", + "zh:c6c1ef1f26f25bca3abb5e07fa33dca37ed39cc26d0ff877964f2ffe5edd618c", + "zh:f8e171f923b7d2e789abd034072465dec3e6133c3a7644b7a7a965a74d52224e", + ] +} diff --git a/README.md b/README.md index 099b7f4..c851f95 100644 --- a/README.md +++ b/README.md 
@@ -37,8 +37,8 @@ code by adding a `module` configuration and setting its `source` parameter to UR | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.5.0 | -| [google](#requirement\_google) | >= 4.69.0, <5.0.0 | +| [terraform](#requirement\_terraform) | >= 1.9.0 | +| [google](#requirement\_google) | 5.38.0 | ## Providers @@ -48,8 +48,8 @@ No providers. | Name | Source | Version | |------|--------|---------| -| [project](#module\_project) | terraform-google-modules/project-factory/google | = 14.2.0 | -| [projects\_iam\_bindings](#module\_projects\_iam\_bindings) | terraform-google-modules/iam/google//modules/projects_iam | 7.6.0 | +| [project](#module\_project) | terraform-google-modules/project-factory/google | = 15.0.1 | +| [projects\_iam\_bindings](#module\_projects\_iam\_bindings) | terraform-google-modules/iam/google//modules/projects_iam | 7.7.1 | ## Resources diff --git a/tests/simple-project/main.tf b/tests/simple-project/main.tf new file mode 100644 index 0000000..17afe22 --- /dev/null +++ b/tests/simple-project/main.tf @@ -0,0 +1,17 @@ +# ---------------------------------------------------------------------------- +# TEST RESOURCES +# These resources are directly tested. +# ---------------------------------------------------------------------------- +locals { + project_name = "inspec-project" + +} + +module "simple-project" { + source = "../../" + + project_name = local.project_name + billing_account = var.billing_account + activate_apis = var.activate_apis + folder_id = var.folder_id +} diff --git a/tests/simple-project/outputs.tf b/tests/simple-project/outputs.tf new file mode 100644 index 0000000..dafea28 --- /dev/null +++ b/tests/simple-project/outputs.tf 
@@ -0,0 +1,28 @@
+output "project_name" {
+ value = module.simple-project.project_name
+}
+
+output "project_id" {
+ value = module.simple-project.project_id
+}
+
+output "service_account_display_name" {
+ value = module.simple-project.service_account_display_name
+}
+
+output "service_account_email" {
+ value = module.simple-project.service_account_email
+}
+
+
+output "activate_apis" {
+ value = var.activate_apis
+}
+
+output "organization_id" {
+ value = var.org_id
+}
+
+output "folder_id" {
+ value = var.folder_id
+}
diff --git a/tests/simple-project/terraform.tfvars.example b/tests/simple-project/terraform.tfvars.example
new file mode 100644
index 0000000..2691513
--- /dev/null
+++ b/tests/simple-project/terraform.tfvars.example
@@ -0,0 +1,5 @@
+# Run the following command to get the billing account:
+# gcloud beta billing accounts list | grep -i cis_card | awk '{ print $1 }'
+
+billing_account = ""
+
diff --git a/tests/simple-project/variables.tf b/tests/simple-project/variables.tf
new file mode 100644
index 0000000..7817b10
--- /dev/null
+++ b/tests/simple-project/variables.tf
@@ -0,0 +1,22 @@
+
+
+variable "activate_apis" {
+ type = list(string)
+ default = [
+ "compute.googleapis.com",
+ "cloudresourcemanager.googleapis.com"
+ ]
+}
+
+# This are secrets. They are passsed in terraform.tfvars file
+variable "billing_account" {
+ type = string
+}
+
+variable "org_id" {
+ type = string
+}
+
+variable "folder_id" {
+ type = string
+}
diff --git a/tests/simple-project/versions.tf b/tests/simple-project/versions.tf
new file mode 100644
index 0000000..bfb98ab
--- /dev/null
+++ b/tests/simple-project/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = ">= 1.9.0"
+}
diff --git a/tests/simple_project.tftest.hcl b/tests/simple_project.tftest.hcl
new file mode 100644
index 0000000..9da36da
--- /dev/null
+++ b/tests/simple_project.tftest.hcl
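Review bot: `variable "billing_account"` and `variable "org_id"` in the new tests/simple-project/variables.tf are described by the comment above them as secrets (and the workflow in this patch feeds them from GitHub secrets), yet neither is declared `sensitive = true`, so their values are printed in plan and test output, and the outputs.tf hunk earlier in this patch then re-exposes `var.org_id` verbatim through `output "organization_id"`. Add `sensitive = true` to both variables; Terraform will then also require `sensitive = true` on `output "organization_id"` (or that output can be dropped, since none of the tftest hunks shown read it). The comment itself has two typos and could read `# These are secrets; pass them in via terraform.tfvars or TF_VAR_* environment variables.` Whether `terraform.tfvars` is excluded from version control is not visible here (only the `.example` is committed), so that is worth confirming alongside this change.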
@@ -0,0 +1,17 @@
+run "simple_project_test" {
+
+ module {
+ source = "./tests/simple-project"
+ }
+
+ variables {
+ org_id = "123456789"
+ folder_id = "123456789"
+ billing_account = ""
+ }
+
+ assert {
+ condition = simple-project.id != null
+ error_message = "Project does not exist!"
+ }
+}
\ No newline at end of file

From 8dc026a03c11f4f044fca7583c9858ce0e82ff8e Mon Sep 17 00:00:00 2001
From: Paul Xu
Date: Wed, 17 Jul 2024 20:48:16 -0400
Subject: [PATCH 19/34] update tests

---
 README.md | 2 +-
 main.tf | 7 ++++---
 tests/simple-project/main.tf | 1 +
 tests/simple_project.tftest.hcl | 6 ------
 version.tf | 2 +-
 5 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/README.md b/README.md
index c851f95..5aafad2 100644
--- a/README.md
+++ b/README.md
@@ -48,7 +48,7 @@ No providers.
 | Name | Source | Version |
 |------|--------|---------|
-| [project](#module\_project) | terraform-google-modules/project-factory/google | = 15.0.1 |
+| [project](#module\_project) | terraform-google-modules/project-factory/google | ~> 15.0 |
 | [projects\_iam\_bindings](#module\_projects\_iam\_bindings) | terraform-google-modules/iam/google//modules/projects_iam | 7.7.1 |
 
 ## Resources
diff --git a/main.tf b/main.tf
index a776561..92ac40f 100644
--- a/main.tf
+++ b/main.tf
@@ -1,6 +1,6 @@
 module "project" {
 source = "terraform-google-modules/project-factory/google"
- version = "= 15.0.1"
+ version = "~> 15.0"
 
 name = var.project_name
 random_project_id = true
@@ -21,8 +21,9 @@ module "project" {
 # -----------------------------
 
 module "projects_iam_bindings" {
- source = "terraform-google-modules/iam/google//modules/projects_iam"
- version = "7.7.1"
+ source = "terraform-google-modules/iam/google//modules/projects_iam"
+ version = "7.7.1"
+
 mode = "authoritative"
 projects = [module.project.project_id]
 bindings = {
diff --git a/tests/simple-project/main.tf b/tests/simple-project/main.tf
index 17afe22..3588097 100644
--- a/tests/simple-project/main.tf
+++ b/tests/simple-project/main.tf
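Review bot: Relaxing `version = "= 15.0.1"` to `version = "~> 15.0"` for the project-factory module in patch 19's main.tf hunk means any future 15.x release is fetched at `terraform init` time, and unlike providers, module versions are not recorded or hash-verified in `.terraform.lock.hcl`, so nothing in the repo pins what is actually downloaded from the registry. If the intent is to follow patch releases only, `~> 15.0.1` limits resolution to 15.0.x; otherwise keep the exact pin and bump deliberately, as `projects_iam_bindings` still does with `7.7.1`. The README row changed in the same patch now documents the range rather than a version, so readers lose the tested version as well. The second main.tf hunk, in `projects_iam_bindings`, is alignment-only.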
@@ -14,4 +14,5 @@ module "simple-project" {
 billing_account = var.billing_account
 activate_apis = var.activate_apis
 folder_id = var.folder_id
+ org_id = var.org_id
 }
diff --git a/tests/simple_project.tftest.hcl b/tests/simple_project.tftest.hcl
index 9da36da..3d1d021 100644
--- a/tests/simple_project.tftest.hcl
+++ b/tests/simple_project.tftest.hcl
@@ -4,12 +4,6 @@ run "simple_project_test" {
 source = "./tests/simple-project"
 }
 
- variables {
- org_id = "123456789"
- folder_id = "123456789"
- billing_account = ""
- }
-
 assert {
 condition = simple-project.id != null
 error_message = "Project does not exist!"
diff --git a/version.tf b/version.tf
index ddb8142..8515a14 100644
--- a/version.tf
+++ b/version.tf
@@ -3,7 +3,7 @@ terraform {
 
 required_providers {
 google = {
- source = "hashicorp/google"
+ source = "hashicorp/google"
 version = "5.38.0"
 }
 }

From 2adec40528a14128cf24fca618c540ab30d4ce20 Mon Sep 17 00:00:00 2001
From: Paul Xu
Date: Wed, 17 Jul 2024 21:06:40 -0400
Subject: [PATCH 20/34] update tests

---
 tests/simple_project.tftest.hcl | 42 ++++++++++++++++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)

diff --git a/tests/simple_project.tftest.hcl b/tests/simple_project.tftest.hcl
index 3d1d021..d12c386 100644
--- a/tests/simple_project.tftest.hcl
+++ b/tests/simple_project.tftest.hcl
@@ -5,7 +5,47 @@ run "simple_project_test" { } assert { - condition = simple-project.id != null + condition = output.project_id != null error_message = "Project does not exist!" } + + assert { + condition = output.project_name == "inspec-project" + error_message = "Project name is not correct!" + } + + assert { + condition = google_project.lifecycle_state == "ACTIVE" + error_message = "Project is not active" + } + + assert { + condition = google_project.parent[0].type == "folder" + error_message = "Project parent type is not 'folder'" + } + + assert { + condition = google_project.test_project.parent[0].id == var.folder_id + error_message = "Project parent ID does not match" + } + + // assert { + // condition = length([for api in var.activated_apis : api if contains(google_project_service.test_activated_apis[*].service, api)]) == length(var.activated_apis) + // error_message = "Not all APIs are activated" + // } + + // assert { + // condition = contains(google_project_iam_binding.test_logging_logWriter.members, "serviceAccount:${var.service_account_email}") + // error_message = "Logging IAM binding does not include the service account" + // } + + // assert { + // condition = contains(google_project_iam_binding.test_monitoring_metricWriter.members, "serviceAccount:${var.service_account_email}") + // error_message = "Monitoring IAM binding does not include the service account" + // } + + // assert { + // condition = contains(google_project_iam_binding.test_stackdriver_resourceMetadata_writer.members, "serviceAccount:${var.service_account_email}") + // error_message = "Stackdriver IAM binding does not include the service account" + // } } \ No newline at end of file From 185f4e74250056cf20dc1a929ab07e9c2e513afc Mon Sep 17 00:00:00 2001 From: Paul Xu Date: Wed, 17 Jul 2024 21:21:27 -0400 Subject: [PATCH 21/34] update tests --- tests/simple_project.tftest.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
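Review bot: The `lifecycle_state` and `parent` assertions reference `google_project.lifecycle_state`, `google_project.parent[0]` and `google_project.test_project.parent[0]`, but no `google_project` resource is declared anywhere on this page — tests/simple-project/main.tf only declares `module "simple-project"` — and the three spellings do not even agree, so `terraform test` fails at validation before any check runs. Reading the project back without managing it is what a `data "google_project"` block keyed on the module's `project_id` output is for; the test module can then expose its attributes as outputs for the asserts. The four commented-out `google_project_service`/`google_project_iam_binding` assertions reference resources that are likewise undeclared and are better dropped than carried as dead code.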
diff --git a/tests/simple_project.tftest.hcl b/tests/simple_project.tftest.hcl
index d12c386..fd3560e 100644
--- a/tests/simple_project.tftest.hcl
+++ b/tests/simple_project.tftest.hcl
@@ -15,7 +15,7 @@ run "simple_project_test" {
 }
 assert {
- condition = google_project.lifecycle_state == "ACTIVE"
+ condition = google_project.project.lifecycle_state == "ACTIVE"
 error_message = "Project is not active"
 }
From 241532fd7a2dc930cb2cc01e8cf6f16643a9edcc Mon Sep 17 00:00:00 2001
From: Paul Xu
Date: Wed, 17 Jul 2024 21:29:01 -0400
Subject: [PATCH 22/34] update tests
---
 tests/simple_project.tftest.hcl | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/tests/simple_project.tftest.hcl b/tests/simple_project.tftest.hcl
index fd3560e..8ac10e9 100644
--- a/tests/simple_project.tftest.hcl
+++ b/tests/simple_project.tftest.hcl
@@ -4,6 +4,10 @@ run "simple_project_test" {
 source = "./tests/simple-project"
 }
+ resource "google_project" "project" {
+ project_id = module.simple-project.project_id
+ }
+
 assert {
 condition = output.project_id != null
 error_message = "Project does not exist!"
@@ -20,12 +24,12 @@ run "simple_project_test" {
 }
 assert {
- condition = google_project.parent[0].type == "folder"
+ condition = google_project.project.parent[0].type == "folder"
 error_message = "Project parent type is not 'folder'"
 }
 assert {
- condition = google_project.test_project.parent[0].id == var.folder_id
+ condition = google_project.project.parent[0].id == var.folder_id
 error_message = "Project parent ID does not match"
 }
From be5cada486804f7db19852c15fb960f0f3443443 Mon Sep 17 00:00:00 2001
From: Paul Xu
Date: Wed, 17 Jul 2024 21:34:12 -0400
Subject: [PATCH 23/34] update tests
---
 tests/simple-project/main.tf | 5 +++++
 tests/simple-project/versions.tf | 7 +++++++
 tests/simple_project.tftest.hcl | 4 ----
 3 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/tests/simple-project/main.tf b/tests/simple-project/main.tf
index 3588097..b01da8f 100644
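Review bot: The `resource "google_project" "project"` block declares a second managed `google_project` for a project that `module "simple-project"` already creates, so on apply Terraform would try to create a project whose ID already exists instead of reading the existing one. The same block reappears in tests/simple-project/main.tf (patch 23) and in the root main.tf with `org_id = var.org_id` (patch 25), where it would additionally declare the organisation as parent while the test asserts a folder parent. A read-only `data "google_project"` lookup by `project_id` gives the `lifecycle_state`/`parent` attributes the asserts want without a second owner of the resource. Declaring a `resource` inside a `run` block is also, as far as I know, not part of the tftest run-block syntax.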
--- a/tests/simple-project/main.tf +++ b/tests/simple-project/main.tf @@ -16,3 +16,8 @@ module "simple-project" { folder_id = var.folder_id org_id = var.org_id } + +resource "google_project" "project" { + name = module.simple-project.project_name + project_id = module.simple-project.project_id +} diff --git a/tests/simple-project/versions.tf b/tests/simple-project/versions.tf index bfb98ab..8515a14 100644 --- a/tests/simple-project/versions.tf +++ b/tests/simple-project/versions.tf @@ -1,3 +1,10 @@ terraform { required_version = ">= 1.9.0" + + required_providers { + google = { + source = "hashicorp/google" + version = "5.38.0" + } + } } diff --git a/tests/simple_project.tftest.hcl b/tests/simple_project.tftest.hcl index 8ac10e9..7e46f28 100644 --- a/tests/simple_project.tftest.hcl +++ b/tests/simple_project.tftest.hcl @@ -4,10 +4,6 @@ run "simple_project_test" { source = "./tests/simple-project" } - resource "google_project" "project" { - project_id = module.simple-project.project_id - } - assert { condition = output.project_id != null error_message = "Project does not exist!" From 47f59902965d2d313625fc25bf15453204976b29 Mon Sep 17 00:00:00 2001 From: Paul Xu Date: Wed, 17 Jul 2024 21:39:40 -0400 Subject: [PATCH 24/34] rename steps --- .github/workflows/kitchen-tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/kitchen-tests.yml b/.github/workflows/kitchen-tests.yml index 774461d..9085ad9 100644 --- a/.github/workflows/kitchen-tests.yml +++ b/.github/workflows/kitchen-tests.yml @@ -62,7 +62,7 @@ jobs: cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache - kitchen-tests: + terraform-tests: needs: docker runs-on: ubuntu-latest container: From 00755e01ab456bbaaba7b73db2bd767858825ddc Mon Sep 17 00:00:00 2001 
From: Paul Xu Date: Wed, 17 Jul 2024 21:49:37 -0400 Subject: [PATCH 25/34] define resource --- README.md | 8 ++++++-- main.tf | 6 ++++++ tests/simple-project/main.tf | 5 ----- tests/simple-project/versions.tf | 7 ------- 4 files changed, 12 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 5aafad2..544e0db 100644 --- a/README.md +++ b/README.md @@ -42,7 +42,9 @@ code by adding a `module` configuration and setting its `source` parameter to UR ## Providers -No providers. +| Name | Version | +|------|---------| +| [google](#provider\_google) | 5.38.0 | ## Modules @@ -53,7 +55,9 @@ No providers. ## Resources -No resources. +| Name | Type | +|------|------| +| [google_project.project](https://registry.terraform.io/providers/hashicorp/google/5.38.0/docs/resources/project) | resource | ## Inputs diff --git a/main.tf b/main.tf index 92ac40f..18d875e 100644 --- a/main.tf +++ b/main.tf @@ -15,6 +15,12 @@ module "project" { labels = var.labels } +resource "google_project" "project" { + project_id = module.project.project_id + name = module.project.project_name + org_id = var.org_id +} + # ----------------------------- # iam permissions diff --git a/tests/simple-project/main.tf b/tests/simple-project/main.tf index b01da8f..3588097 100644 --- a/tests/simple-project/main.tf +++ b/tests/simple-project/main.tf @@ -16,8 +16,3 @@ module "simple-project" { folder_id = var.folder_id org_id = var.org_id } - -resource "google_project" "project" { - name = module.simple-project.project_name - project_id = module.simple-project.project_id -} diff --git a/tests/simple-project/versions.tf b/tests/simple-project/versions.tf index 8515a14..bfb98ab 100644 --- a/tests/simple-project/versions.tf +++ b/tests/simple-project/versions.tf @@ -1,10 +1,3 @@ terraform { required_version = ">= 1.9.0" - - required_providers { - google = { - source = "hashicorp/google" - version = "5.38.0" - } - } } From c7f5bb5c4e3e561a5097d125763930644afc9791 Mon Sep 17 00:00:00 2001 
From: Paul Xu Date: Wed, 17 Jul 2024 22:03:44 -0400 Subject: [PATCH 26/34] define resource --- README.md | 8 ++------ main.tf | 7 ------- tests/simple_project.tftest.hcl | 6 +++++- 3 files changed, 7 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 544e0db..5aafad2 100644 --- a/README.md +++ b/README.md @@ -42,9 +42,7 @@ code by adding a `module` configuration and setting its `source` parameter to UR ## Providers -| Name | Version | -|------|---------| -| [google](#provider\_google) | 5.38.0 | +No providers. ## Modules @@ -55,9 +53,7 @@ code by adding a `module` configuration and setting its `source` parameter to UR ## Resources -| Name | Type | -|------|------| -| [google_project.project](https://registry.terraform.io/providers/hashicorp/google/5.38.0/docs/resources/project) | resource | +No resources. ## Inputs diff --git a/main.tf b/main.tf index 18d875e..b429b5c 100644 --- a/main.tf +++ b/main.tf @@ -15,13 +15,6 @@ module "project" { labels = var.labels } -resource "google_project" "project" { - project_id = module.project.project_id - name = module.project.project_name - org_id = var.org_id -} - - # ----------------------------- # iam permissions # ----------------------------- diff --git a/tests/simple_project.tftest.hcl b/tests/simple_project.tftest.hcl index 7e46f28..10802bf 100644 --- a/tests/simple_project.tftest.hcl +++ b/tests/simple_project.tftest.hcl @@ -15,7 +15,11 @@ run "simple_project_test" { } assert { - condition = google_project.project.lifecycle_state == "ACTIVE" + condition = module.simple-project.name == "inspect-project" + } + + assert { + condition = module.simple-project.lifecycle_state == "ACTIVE" error_message = "Project is not active" } From 41961ddf79ad33b3d39c65e44984a3334558a4f4 Mon Sep 17 00:00:00 2001 From: Paul Xu Date: Wed, 17 Jul 2024 22:05:34 -0400 Subject: [PATCH 27/34] define resource --- tests/simple_project.tftest.hcl | 1 + 1 file changed, 1 insertion(+) 
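Review bot: Both new conditions compare attributes the module under test does not expose: the root outputs.tf hunks on this page declare `project_name`, `project_id`, `service_account_*`, `activate_apis` and later `enabled_apis`/`roles`, but no `name` or `lifecycle_state`, so `module.simple-project.name` and `module.simple-project.lifecycle_state` are unknown references. The expected value `"inspect-project"` also differs from the `"inspec-project"` string used for the project name elsewhere on this page, so the first assert would fail even with a valid reference; `condition = output.project_name == "inspec-project"` is the form the earlier commit used.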
diff --git a/tests/simple_project.tftest.hcl b/tests/simple_project.tftest.hcl
index 10802bf..9145c51 100644
--- a/tests/simple_project.tftest.hcl
+++ b/tests/simple_project.tftest.hcl
@@ -16,6 +16,7 @@ run "simple_project_test" {
 assert {
 condition = module.simple-project.name == "inspect-project"
+ error_message = "Project name is not correct!"
 }
 assert {
From eabd52809501197f133fbe66a1ec8503199e0e07 Mon Sep 17 00:00:00 2001
From: Paul Xu
Date: Wed, 17 Jul 2024 22:55:26 -0400
Subject: [PATCH 28/34] write more tests
---
 .github/workflows/kitchen-tests.yml | 2 ++
 README.md | 4 +++-
 outputs.tf | 12 ++++++++++-
 tests/simple-project/outputs.tf | 32 +++++++++++++++++++++-------
 tests/simple_project.tftest.hcl | 33 ++++++++--------------------
 5 files changed, 49 insertions(+), 34 deletions(-)
diff --git a/.github/workflows/kitchen-tests.yml b/.github/workflows/kitchen-tests.yml
index 9085ad9..162dfd0 100644
--- a/.github/workflows/kitchen-tests.yml
+++ b/.github/workflows/kitchen-tests.yml
@@ -75,6 +75,8 @@ jobs:
 echo "$GCP_CREDENTIAL_JSON" | base64 -d > /tmp/credentials.json
 env:
 GCP_CREDENTIAL_JSON: ${{ secrets.GCP_CI_CREDENTIAL_JSON}}
+ - name: Print billing account
+ run: echo ${{ secrets.GCP_BURWOOD_BILLING_ACCOUNT }}
 - name: Run terraform test
 run: |
 terraform init
diff --git a/README.md b/README.md
index 5aafad2..e2677d1 100644
--- a/README.md
+++ b/README.md
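Review bot: `run: echo ${{ secrets.GCP_BURWOOD_BILLING_ACCOUNT }}` writes a repository secret to the job log; Actions masks registered secret values in logs, but that masking is best-effort and the step has no function in the pipeline. The value is also expanded into the shell script text rather than passed through `env:`, unlike the credential step just above it, which is the safer pattern for anything secret. The step is deleted again in patch 30, but any run of this commit has already emitted the value, so the logs of those runs are worth checking and purging if the billing account ID is treated as sensitive.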
@@ -74,11 +74,13 @@ No resources. | Name | Description | |------|-------------| -| [activate\_apis](#output\_activate\_apis) | Active Google APIS | +| [activate\_apis](#output\_activate\_apis) | Activate APIs | +| [enabled\_apis](#output\_enabled\_apis) | Active Google APIS | | [folder\_id](#output\_folder\_id) | Folder ID | | [org\_id](#output\_org\_id) | Organization ID | | [project\_id](#output\_project\_id) | Project ID | | [project\_name](#output\_project\_name) | Project Name | +| [roles](#output\_roles) | Roles | | [service\_account\_display\_name](#output\_service\_account\_display\_name) | Name of service account | | [service\_account\_email](#output\_service\_account\_email) | Email for service account | diff --git a/outputs.tf b/outputs.tf index c18f752..b444a02 100644 --- a/outputs.tf +++ b/outputs.tf @@ -18,8 +18,18 @@ output "service_account_email" { value = module.project.service_account_email } -output "activate_apis" { +output "enabled_apis" { description = "Active Google APIS" + value = module.project.enabled_apis +} + +output "roles" { + description = "Roles" + value = module.projects_iam_bindings.roles +} + +output "activate_apis" { + description = "Activate APIs" value = var.activate_apis } diff --git a/tests/simple-project/outputs.tf b/tests/simple-project/outputs.tf index dafea28..b444a02 100644 --- a/tests/simple-project/outputs.tf +++ b/tests/simple-project/outputs.tf 
@@ -1,28 +1,44 @@ output "project_name" { - value = module.simple-project.project_name + description = "Project Name" + value = module.project.project_name } output "project_id" { - value = module.simple-project.project_id + description = "Project ID" + value = module.project.project_id } output "service_account_display_name" { - value = module.simple-project.service_account_display_name + description = "Name of service account" + value = module.project.service_account_display_name } output "service_account_email" { - value = module.simple-project.service_account_email + description = "Email for service account" + value = module.project.service_account_email } +output "enabled_apis" { + description = "Active Google APIS" + value = module.project.enabled_apis +} + +output "roles" { + description = "Roles" + value = module.projects_iam_bindings.roles +} output "activate_apis" { - value = var.activate_apis + description = "Activate APIs" + value = var.activate_apis } -output "organization_id" { - value = var.org_id +output "org_id" { + description = "Organization ID" + value = var.org_id } output "folder_id" { - value = var.folder_id + description = "Folder ID" + value = var.folder_id } diff --git a/tests/simple_project.tftest.hcl b/tests/simple_project.tftest.hcl index 9145c51..8d26f85 100644 --- a/tests/simple_project.tftest.hcl +++ b/tests/simple_project.tftest.hcl 
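Review bot: Every value in the new tests/simple-project/outputs.tf references `module.project` or `module.projects_iam_bindings`, neither of which exists in the test module — it declares `module "simple-project"` (see the tests/simple-project/main.tf hunks above) — so `terraform test` fails at validation. The post-image blob `b444a02` is the same one the root `outputs.tf` gets in this commit, which suggests the root file was copied over the test one; the references should be `module.simple-project.<output>`, e.g. `value = module.simple-project.enabled_apis`.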
@@ -15,42 +15,27 @@ run "simple_project_test" { } assert { - condition = module.simple-project.name == "inspect-project" - error_message = "Project name is not correct!" - } - - assert { - condition = module.simple-project.lifecycle_state == "ACTIVE" - error_message = "Project is not active" + condition = contains(output.enabled_apis, "compute.googleapis.com") + error_message = "Compute API is not enabled!" } assert { - condition = google_project.project.parent[0].type == "folder" - error_message = "Project parent type is not 'folder'" + condition = contains(output.enabled_apis, "cloudresourcemanager.googleapis.com") + error_message = "Cloud Resource Manager API is not enabled!" } assert { - condition = google_project.project.parent[0].id == var.folder_id - error_message = "Project parent ID does not match" + condition = contains(output.roles, "roles/stackdriver.resourceMetadata.writer") + error_message = "Stackdriver IAM binding does not include the service account" } // assert { - // condition = length([for api in var.activated_apis : api if contains(google_project_service.test_activated_apis[*].service, api)]) == length(var.activated_apis) - // error_message = "Not all APIs are activated" - // } - - // assert { - // condition = contains(google_project_iam_binding.test_logging_logWriter.members, "serviceAccount:${var.service_account_email}") - // error_message = "Logging IAM binding does not include the service account" - // } - - // assert { - // condition = contains(google_project_iam_binding.test_monitoring_metricWriter.members, "serviceAccount:${var.service_account_email}") + // condition = lookup(output.roles, "roles/monitoring.metricWriter") == "serviceAccount:${output.service_account_email}" // error_message = "Monitoring IAM binding does not include the service account" // } // assert { - // condition = contains(google_project_iam_binding.test_stackdriver_resourceMetadata_writer.members, "serviceAccount:${var.service_account_email}") - // error_message = 
"Stackdriver IAM binding does not include the service account" + // condition = lookup(output.roles, "roles/monitoring.metricWriter") == "serviceAccount:${output.service_account_email}" + // error_message = "Monitoring IAM binding does not include the service account" // } } \ No newline at end of file From 2ef2d245cebc5d21b688cd9faaea4e5f169e4fab Mon Sep 17 00:00:00 2001 From: Paul Xu Date: Wed, 17 Jul 2024 22:59:51 -0400 Subject: [PATCH 29/34] write more tests --- tests/simple-project/outputs.tf | 29 ++++++++++------------------- 1 file changed, 10 insertions(+), 19 deletions(-) diff --git a/tests/simple-project/outputs.tf b/tests/simple-project/outputs.tf index b444a02..f266b52 100644 --- a/tests/simple-project/outputs.tf +++ b/tests/simple-project/outputs.tf 
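Review bot: The `roles/stackdriver.resourceMetadata.writer` assert only checks that the role appears in `output.roles`, yet its `error_message` still says "does not include the service account", which the condition never verifies; the message should describe what is tested, e.g. `error_message = "Stackdriver IAM binding not created!"`. The two commented-out blocks are identical (both `roles/monitoring.metricWriter`) and use `lookup(output.roles, …)`, which treats `roles` as a map, while the live asserts use `contains(output.roles, …)` as a list, so one of the two readings of the output shape is wrong; dead code that cannot be enabled as-is is better removed than kept.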
@@ -1,44 +1,35 @@ output "project_name" { - description = "Project Name" - value = module.project.project_name + value = module.simple-project.project_name } output "project_id" { - description = "Project ID" - value = module.project.project_id + value = module.simple-project.project_id } output "service_account_display_name" { - description = "Name of service account" - value = module.project.service_account_display_name + value = module.simple-project.service_account_display_name } output "service_account_email" { - description = "Email for service account" - value = module.project.service_account_email + value = module.simple-project.service_account_email } output "enabled_apis" { - description = "Active Google APIS" - value = module.project.enabled_apis + value = module.simple-project.enabled_apis } output "roles" { - description = "Roles" - value = module.projects_iam_bindings.roles + value = module.simple-project.roles } output "activate_apis" { - description = "Activate APIs" - value = var.activate_apis + value = var.activate_apis } -output "org_id" { - description = "Organization ID" - value = var.org_id +output "organization_id" { + value = var.org_id } output "folder_id" { - description = "Folder ID" - value = var.folder_id + value = var.folder_id } From fec4411d89328cd6800c85922b525619e5d9d34a Mon Sep 17 00:00:00 2001 From: Paul Xu Date: Wed, 17 Jul 2024 23:13:27 -0400 Subject: [PATCH 30/34] write more tests --- .github/workflows/kitchen-tests.yml | 2 -- README.md | 1 + outputs.tf | 5 +++++ tests/simple-project/outputs.tf | 4 ++++ tests/simple_project.tftest.hcl | 23 ++++++++++++++--------- 5 files changed, 24 insertions(+), 11 deletions(-) diff --git a/.github/workflows/kitchen-tests.yml b/.github/workflows/kitchen-tests.yml index 162dfd0..9085ad9 100644 --- a/.github/workflows/kitchen-tests.yml +++ b/.github/workflows/kitchen-tests.yml 
@@ -75,8 +75,6 @@ jobs: echo "$GCP_CREDENTIAL_JSON" | base64 -d > /tmp/credentials.json env: GCP_CREDENTIAL_JSON: ${{ secrets.GCP_CI_CREDENTIAL_JSON}} - - name: Print billing account - run: echo ${{ secrets.GCP_BURWOOD_BILLING_ACCOUNT }} - name: Run terraform test run: | terraform init diff --git a/README.md b/README.md index e2677d1..dc16885 100644 --- a/README.md +++ b/README.md @@ -77,6 +77,7 @@ No resources. | [activate\_apis](#output\_activate\_apis) | Activate APIs | | [enabled\_apis](#output\_enabled\_apis) | Active Google APIS | | [folder\_id](#output\_folder\_id) | Folder ID | +| [members](#output\_members) | Members | | [org\_id](#output\_org\_id) | Organization ID | | [project\_id](#output\_project\_id) | Project ID | | [project\_name](#output\_project\_name) | Project Name | diff --git a/outputs.tf b/outputs.tf index b444a02..c439c4f 100644 --- a/outputs.tf +++ b/outputs.tf @@ -28,6 +28,11 @@ output "roles" { value = module.projects_iam_bindings.roles } +output "members" { + description = "Members" + value = module.projects_iam_bindings.members +} + output "activate_apis" { description = "Activate APIs" value = var.activate_apis diff --git a/tests/simple-project/outputs.tf b/tests/simple-project/outputs.tf index f266b52..d93b974 100644 --- a/tests/simple-project/outputs.tf +++ b/tests/simple-project/outputs.tf @@ -22,6 +22,10 @@ output "roles" { value = module.simple-project.roles } +output "members" { + value = module.simple-project.members +} + output "activate_apis" { value = var.activate_apis } diff --git a/tests/simple_project.tftest.hcl b/tests/simple_project.tftest.hcl index 8d26f85..54c38de 100644 --- a/tests/simple_project.tftest.hcl +++ b/tests/simple_project.tftest.hcl 
@@ -24,18 +24,23 @@ run "simple_project_test" { error_message = "Cloud Resource Manager API is not enabled!" } + assert { + condition = contains(output.members, "serviceAccount:${output.service_account_email}") + error_message = "Service account not a member to the project!" + } + assert { condition = contains(output.roles, "roles/stackdriver.resourceMetadata.writer") - error_message = "Stackdriver IAM binding does not include the service account" + error_message = "Stackdriver IAM binding not created!" } - // assert { - // condition = lookup(output.roles, "roles/monitoring.metricWriter") == "serviceAccount:${output.service_account_email}" - // error_message = "Monitoring IAM binding does not include the service account" - // } + assert { + condition = contains(output.roles, "roles/monitoring.metricWriter") + error_message = "Monitoring IAM binding not created!" + } - // assert { - // condition = lookup(output.roles, "roles/monitoring.metricWriter") == "serviceAccount:${output.service_account_email}" - // error_message = "Monitoring IAM binding does not include the service account" - // } + assert { + condition = contains(output.roles, "roles/logging.logWriter") + error_message = "Logging IAM binding not created!" + } } \ No newline at end of file From 5daebff25c6f6b47688a9659fa913aac7d849a5f Mon Sep 17 00:00:00 2001 
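Review bot: The membership and role checks are independent: `contains(output.members, "serviceAccount:${output.service_account_email}")` passes if the service account holds any role at all, and the three `contains(output.roles, …)` asserts pass if each role is bound to anyone, so the test cannot tell whether the service account actually holds `logging.logWriter`, `monitoring.metricWriter` and `stackdriver.resourceMetadata.writer`, nor whether some other principal was granted them. Since the root module sets `mode = "authoritative"` on the IAM module, the expected member set per role is fully known and could be asserted exactly if the module exposes bindings in a role-keyed form; failing that, an assertion on `length(output.members)` could at least catch an unexpected extra principal. This assumes `roles` and `members` are flat lists, as the `contains()` calls imply — worth confirming against the iam module's output types.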
From: Paul Xu Date: Thu, 18 Jul 2024 15:53:01 -0400 Subject: [PATCH 31/34] remove ruby and kitchen-terraform --- .kitchen.yml | 20 ------ .tool-versions | 1 - Dockerfile | 28 -------- Gemfile | 3 - examples/simple-project/main.tf | 17 ----- examples/simple-project/outputs.tf | 28 -------- .../simple-project/terraform.tfvars.example | 5 -- examples/simple-project/variables.tf | 22 ------- examples/simple-project/versions.tf | 3 - test/README.md | 66 ------------------- .../simple-project/controls/project.rb | 49 -------------- test/integration/simple-project/inspec.yml | 40 ----------- 12 files changed, 282 deletions(-) delete mode 100644 .kitchen.yml delete mode 100644 Dockerfile delete mode 100644 Gemfile delete mode 100644 examples/simple-project/main.tf delete mode 100644 examples/simple-project/outputs.tf delete mode 100644 examples/simple-project/terraform.tfvars.example delete mode 100644 examples/simple-project/variables.tf delete mode 100644 examples/simple-project/versions.tf delete mode 100644 test/README.md delete mode 100644 test/integration/simple-project/controls/project.rb delete mode 100644 test/integration/simple-project/inspec.yml diff --git a/.kitchen.yml b/.kitchen.yml deleted file mode 100644 index 3f1ae71..0000000 --- a/.kitchen.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -provisioner: - name: terraform - -verifier: - name: terraform - systems: - - name: inspec-gcp - backend: gcp - -platforms: - - name: terraform - -suites: - - name: simple-project - driver: - name: terraform - root_module_directory: examples/simple-project - parallelism: 4 - command_timeout: 1800 diff --git a/.tool-versions b/.tool-versions index 414a1f9..3874604 100644 --- a/.tool-versions +++ b/.tool-versions @@ -1,2 +1 @@ terraform 1.9.2 -ruby 3.3.3 diff --git a/Dockerfile b/Dockerfile deleted file mode 100644 index 0aeb4f1..0000000 --- a/Dockerfile +++ /dev/null 
@@ -1,28 +0,0 @@ -FROM hashicorp/terraform:1.9.2 - -COPY .tool-versions .tool-versions - -# Update and install all of the required packages. -# At the end, remove the apk cache -RUN apk upgrade && \ - apk add --update \ - bash \ - curl-dev \ - curl \ - linux-headers \ - "ruby-dev=~$(grep ruby .tool-versions | awk '{print $2}' | tr -d '\n')" \ - "ruby-full=~$(grep ruby .tool-versions | awk '{print $2}' | tr -d '\n')" \ - build-base \ - python3 && \ - rm -rf /var/cache/apk/* - -RUN mkdir /usr/app -WORKDIR /usr/app - -COPY Gemfile* ./ -RUN gem install bundler && \ - bundle config set system 'true' && \ - bundle install - - -ENTRYPOINT ["/bin/bash"] \ No newline at end of file diff --git a/Gemfile b/Gemfile deleted file mode 100644 index ddc69d8..0000000 --- a/Gemfile +++ /dev/null @@ -1,3 +0,0 @@ -source "https://rubygems.org/" do - gem "kitchen-terraform", "~> 7.0.2" - end \ No newline at end of file diff --git a/examples/simple-project/main.tf b/examples/simple-project/main.tf deleted file mode 100644 index 17afe22..0000000 --- a/examples/simple-project/main.tf +++ /dev/null @@ -1,17 +0,0 @@ -# ---------------------------------------------------------------------------- -# TEST RESOURCES -# These resources are directly tested. -# ---------------------------------------------------------------------------- -locals { - project_name = "inspec-project" - -} - -module "simple-project" { - source = "../../" - - project_name = local.project_name - billing_account = var.billing_account - activate_apis = var.activate_apis - folder_id = var.folder_id -} diff --git a/examples/simple-project/outputs.tf b/examples/simple-project/outputs.tf deleted file mode 100644 index dafea28..0000000 --- a/examples/simple-project/outputs.tf +++ /dev/null 
@@ -1,28 +0,0 @@ -output "project_name" { - value = module.simple-project.project_name -} - -output "project_id" { - value = module.simple-project.project_id -} - -output "service_account_display_name" { - value = module.simple-project.service_account_display_name -} - -output "service_account_email" { - value = module.simple-project.service_account_email -} - - -output "activate_apis" { - value = var.activate_apis -} - -output "organization_id" { - value = var.org_id -} - -output "folder_id" { - value = var.folder_id -} diff --git a/examples/simple-project/terraform.tfvars.example b/examples/simple-project/terraform.tfvars.example deleted file mode 100644 index 2691513..0000000 --- a/examples/simple-project/terraform.tfvars.example +++ /dev/null @@ -1,5 +0,0 @@ -# Run the following command to get the billing account: -# gcloud beta billing accounts list | grep -i cis_card | awk '{ print $1 }' - -billing_account = "" - diff --git a/examples/simple-project/variables.tf b/examples/simple-project/variables.tf deleted file mode 100644 index 7817b10..0000000 --- a/examples/simple-project/variables.tf +++ /dev/null @@ -1,22 +0,0 @@ - - -variable "activate_apis" { - type = list(string) - default = [ - "compute.googleapis.com", - "cloudresourcemanager.googleapis.com" - ] -} - -# This are secrets. They are passsed in terraform.tfvars file -variable "billing_account" { - type = string -} - -variable "org_id" { - type = string -} - -variable "folder_id" { - type = string -} diff --git a/examples/simple-project/versions.tf b/examples/simple-project/versions.tf deleted file mode 100644 index bfb98ab..0000000 --- a/examples/simple-project/versions.tf +++ /dev/null @@ -1,3 +0,0 @@ -terraform { - required_version = ">= 1.9.0" -} diff --git a/test/README.md b/test/README.md deleted file mode 100644 index f3b7a8a..0000000 --- a/test/README.md +++ /dev/null 
@@ -1,66 +0,0 @@ -# Example InSpec Profile For GCP - -This example shows the implementation of an InSpec profile for GCP that depends on the [InSpec GCP Resource Pack](https://github.com/inspec/inspec-gcp). See the [README](https://github.com/inspec/inspec-gcp) for instructions on setting up appropriate GCP credentials. - -## Create a profile - -``` -$ inspec init profile --platform gcp my-profile -Create new profile at /Users/spaterson/my-profile - * Create directory libraries - * Create file README.md - * Create directory controls - * Create file controls/example.rb - * Create file inspec.yml - * Create file attributes.yml - * Create file libraries/.gitkeep - -``` - -## Update `attributes.yml` to point to your project - -``` -gcp_project_id: 'my-gcp-project' -``` - -## Run the tests - -``` -$ cd gcp-profile/ -$ inspec exec . -t gcp:// --attrs attributes.yml - -Profile: GCP InSpec Profile (my-profile) -Version: 0.1.0 -Target: gcp://local-service-account@my-gcp-project.iam.gserviceaccount.com - - ✔ gcp-single-region-1.0: Ensure single region has the correct properties. - ✔ Region europe-west2 zone_names should include "europe-west2-a" - ✔ gcp-regions-loop-1.0: Ensure regions have the correct properties in bulk. 
- ✔ Region asia-east1 should be up - ✔ Region asia-northeast1 should be up - ✔ Region asia-south1 should be up - ✔ Region asia-southeast1 should be up - ✔ Region australia-southeast1 should be up - ✔ Region europe-north1 should be up - ✔ Region europe-west1 should be up - ✔ Region europe-west2 should be up - ✔ Region europe-west3 should be up - ✔ Region europe-west4 should be up - ✔ Region northamerica-northeast1 should be up - ✔ Region southamerica-east1 should be up - ✔ Region us-central1 should be up - ✔ Region us-east1 should be up - ✔ Region us-east4 should be up - ✔ Region us-west1 should be up - ✔ Region us-west2 should be up - - -Profile: Google Cloud Platform Resource Pack (inspec-gcp) -Version: 0.5.0 -Target: gcp://local-service-account@my-gcp-project.iam.gserviceaccount.com - - No tests executed. - -Profile Summary: 2 successful controls, 0 control failures, 0 controls skipped -Test Summary: 18 successful, 0 failures, 0 skipped -``` \ No newline at end of file diff --git a/test/integration/simple-project/controls/project.rb b/test/integration/simple-project/controls/project.rb deleted file mode 100644 index 1db6849..0000000 --- a/test/integration/simple-project/controls/project.rb +++ /dev/null 
@@ -1,49 +0,0 @@ -title "Test creation of a GCP Project" - -project_id = attribute("project_id") -project_name = attribute("project_name") -organization_id = attribute("organization_id") -folder_id = attribute("folder_id") -service_account_email = attribute("service_account_email") -activated_apis = attribute('activated_apis') - - -describe google_project(project: project_id) do - it { should exist } - its('project_id') { should eq project_id } -end - -describe google_project(project: project_id) do - its('lifecycle_state') { should eq "ACTIVE" } -end - -describe google_project(project: project_id) do - its('name') { should eq project_name } -end - -describe google_project(project: project_id) do - its('parent.type') { should eq "folder" } - its('parent.id') {should eq folder_id.to_s} -end - -activated_apis.each do |api| - describe google_project_service(project: project_id, name: api) do - it { should exist } - its('state') { should cmp "ENABLED" } - end -end - -describe google_project_iam_binding(project: project_id, role: 'roles/stackdriver.resourceMetadata.writer') do - it { should exist } - its('members') {should include "serviceAccount:#{service_account_email}" } -end - -describe google_project_iam_binding(project: project_id, role: 'roles/monitoring.metricWriter') do - it { should exist } - its('members') {should include "serviceAccount:#{service_account_email}" } -end - -describe google_project_iam_binding(project: project_id, role: 'roles/logging.logWriter') do - it { should exist } - its('members') {should include "serviceAccount:#{service_account_email}" } -end diff --git a/test/integration/simple-project/inspec.yml b/test/integration/simple-project/inspec.yml deleted file mode 100644 index c9ed8ad..0000000 --- a/test/integration/simple-project/inspec.yml +++ /dev/null 
@@ -1,40 +0,0 @@ -name: simple-project -title: GCP InSpec Profile -maintainer: Brown CIS -copyright: Brown University -license: MIT -summary: An InSpec Compliance Profile For GCP -version: 0.1.0 -inspec_version: ">= 2.3.5" -attributes: - - name: project_id - required: true - description: "The GCP project identifier." - type: string - - name: project_name - required: true - description: "The GCP project name." - type: string - - name: organization_id - required: true - description: "The GCP organization identifier." - - name: folder_id - required: true - description: "The GCP parent folder identifier." - - name: service_account_display_name - required: true - description: "The GCP service_account_display_name" - type: string - - name: service_account_email - required: true - description: "The GCP service_account_display_name" - type: string - - name: activated_apis - required: true - description: "The GCP active activate_apis" -depends: - - name: inspec-gcp - git: https://github.com/inspec/inspec-gcp.git - tag: v1.10.37 -supports: - - platform: gcp From cf9c004885f372495abff94a78eea49666d78539 Mon Sep 17 00:00:00 2001 From: Paul Xu Date: Thu, 18 Jul 2024 15:54:13 -0400 Subject: [PATCH 32/34] Update github actions --- .github/workflows/kitchen-tests.yml | 86 --------------------------- .github/workflows/terraform-tests.yml | 36 +++++++++++ 2 files changed, 36 insertions(+), 86 deletions(-) delete mode 100644 .github/workflows/kitchen-tests.yml create mode 100644 .github/workflows/terraform-tests.yml diff --git a/.github/workflows/kitchen-tests.yml b/.github/workflows/kitchen-tests.yml deleted file mode 100644 index 9085ad9..0000000 --- a/.github/workflows/kitchen-tests.yml +++ /dev/null 
@@ -1,86 +0,0 @@ -name: kitchen-tests - -on: - push: - branches: - - 'main' - tags: - - 'v*.*.*' - pull_request: - branches: - - 'main' - -env: - REGISTRY: ghcr.io - IMAGE_NAME: brownuniversity/terraform-gcp-project - -jobs: - docker: - runs-on: ubuntu-latest - outputs: - full_image_id: ${{ steps.save_full_image_id.outputs.full_image_id }} - steps: - - uses: actions/checkout@v4 - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Log in to the Container registry - uses: docker/login-action@v3 - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Extract metadata (tags, labels) for Docker - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - tags: | - type=ref,event=branch - type=ref,event=pr - type=semver,pattern={{major}}.{{minor}} - - # NOTE: We are tapping into json output because tags could become a list if prior step is modified - - id: save_full_image_id - run: echo "full_image_id=${{ fromJSON(steps.meta.outputs.json).tags[0] }}" >> $GITHUB_OUTPUT - - - name: print_tag - run: echo "${{ fromJSON(steps.meta.outputs.json).tags[0] }}" - - - name: Build and push Docker image - uses: docker/build-push-action@v4 - with: - context: . 
- push: true - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache - cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache - - terraform-tests: - needs: docker - runs-on: ubuntu-latest - container: - image: "${{ needs.docker.outputs.full_image_id }}" - - steps: - - uses: actions/checkout@v4 - - name: Create Credential File - run: | - echo "$GCP_CREDENTIAL_JSON" | base64 -d > /tmp/credentials.json - env: - GCP_CREDENTIAL_JSON: ${{ secrets.GCP_CI_CREDENTIAL_JSON}} - - name: Run terraform test - run: | - terraform init - terraform test - env: - TF_VAR_billing_account: ${{ secrets.GCP_BURWOOD_BILLING_ACCOUNT }} - TF_VAR_org_id: ${{ secrets.GCP_ORG_ID }} - TF_VAR_folder_id: ${{ secrets.GCP_CCV_CI_FOLDER_ID }} - GOOGLE_APPLICATION_CREDENTIALS: /tmp/credentials.json diff --git a/.github/workflows/terraform-tests.yml b/.github/workflows/terraform-tests.yml new file mode 100644 index 0000000..bbcbcbd --- /dev/null +++ b/.github/workflows/terraform-tests.yml @@ -0,0 +1,36 @@ +name: terraform-tests + +on: + push: + branches: + - 'main' + tags: + - 'v*.*.*' + pull_request: + branches: + - 'main' + + +jobs: + terraform-tests: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Create Credential File + run: | + echo "$GCP_CREDENTIAL_JSON" | base64 -d > /tmp/credentials.json + env: + GCP_CREDENTIAL_JSON: ${{ secrets.GCP_CI_CREDENTIAL_JSON}} + - name: Setup Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: 1.9.2 + - name: Run terraform test + run: | + terraform init + terraform test + env: + TF_VAR_billing_account: ${{ secrets.GCP_BURWOOD_BILLING_ACCOUNT }} + TF_VAR_org_id: ${{ secrets.GCP_ORG_ID }} + TF_VAR_folder_id: ${{ secrets.GCP_CCV_CI_FOLDER_ID }} + GOOGLE_APPLICATION_CREDENTIALS: /tmp/credentials.json From 5783d47c8ee0ec1df3c6840306f566f852361473 Mon Sep 17 00:00:00 2001 
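Review bot: The new `.github/workflows/terraform-tests.yml` declares no `permissions:` block, so the job runs with the repository's default GITHUB_TOKEN grant even though its steps only read the checkout; adding `permissions:` / `  contents: read` at the top level (next to `on:`) pins the token to least privilege. The "Create Credential File" step also decodes a long-lived service-account JSON key from GCP_CI_CREDENTIAL_JSON onto the runner disk; if the GCP organisation allows it, exchanging the GitHub OIDC token for short-lived credentials through Workload Identity Federation (google-github-actions/auth) would remove the static key from the secrets store entirely. Finally, `terraform_version: 1.9.2` duplicates the value the series just wrote to `.tool-versions`, so the two are likely to drift; reading the version from that file, or pinning it in only one place, keeps CI and local runs aligned.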
From: Paul Xu Date: Thu, 18 Jul 2024 16:08:04 -0400 Subject: [PATCH 33/34] move terraform.tfvars.example --- tests/{simple-project => }/terraform.tfvars.example | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename tests/{simple-project => }/terraform.tfvars.example (100%) diff --git a/tests/simple-project/terraform.tfvars.example b/tests/terraform.tfvars.example similarity index 100% rename from tests/simple-project/terraform.tfvars.example rename to tests/terraform.tfvars.example From 0ceca05a0a7d078de680a1a4eb3b4beaf5733e28 Mon Sep 17 00:00:00 2001 From: Paul Xu Date: Thu, 18 Jul 2024 16:29:36 -0400 Subject: [PATCH 34/34] update README --- README.md | 42 +++++++++--------------------------------- 1 file changed, 9 insertions(+), 33 deletions(-) diff --git a/README.md b/README.md index dc16885..b348ec2 100644 --- a/README.md +++ b/README.md 
@@ -99,31 +99,27 @@ Use [GitLab Flow](https://docs.gitlab.com/ee/topics/gitlab_flow.html#production- ### Version managers -We recommend using [asdf](https://asdf-vm.com) to manage your versions of Terrafom and Ruby. +We recommend using [asdf](https://asdf-vm.com) to manage your versions of Terraform. ``` brew install asdf ``` -Alternatively you can use [tfenv](https://github.com/tfutils/tfenv) and [rbenv](https://github.com/rbenv/rbenv) +### Terraform -### Terraform and Ruby - -The tests can simply run in CI. If you want to run the tests locally, you will need to install the version of terraform and Ruby specified in the `.tool-versions` file. +You can also install the latest version of terraform version via brew. ``` -asdf plugin-add terraform https://github.com/asdf-community/asdf-hashicorp.git -asdf plugin add ruby https://github.com/asdf-vm/asdf-ruby.git -asdf install +brew tap hashicorp/tap +brew install hashicorp/tap/terraform ``` #### Pre-commit hooks -You should make sure that pre-commit hooks are installed to run the formater, linter, etc. Install and configure terraform [pre-commit hooks](https://github.com/antonbabenko/pre-commit-terraform) as follows: -Install rependencies +You should make sure that pre-commit hooks are installed to run the formater, linter, etc. Install and configure terraform [pre-commit hooks](https://github.com/antonbabenko/pre-commit-terraform) as follows: ``` -brew bundle install +brew install pre-commit ``` Install the pre-commit hook globally 
@@ -159,27 +155,7 @@ to set and uset the `GOOGLE_APPLICATION_CREDENTIALS` variable. ### Testing -This repository uses Kitchen-Terraform to test the terraform modules. In the [examples](/examples) directory you can find examples of how each module can be used. Those examples are fed to [Test Kitchen][https://kitchen.ci/]. To install test kitchen, first make sure you have Ruby and bundler installed. - -``` -gem install bundler -``` - -Then install the prerequisites for test kitchen. - -``` -bundle install -``` - -You'll need to add some common credentials and secret variables - -And now you're ready to run test kitchen. Test kitchen has a couple main commands: - -- `bundle exec kitchen create` initializes terraform. -- `bundle exec kitchen converge` runs our terraform examples. -- `bundle exec kitchen verify` runs our inspec scripts against a converged kitchen. -- `bundle exec kitchen destroy` destroys infrastructure. -- `bundle exec kitchen test` does all the above. +The tests can be run locally with `terraform test` after running `terraform init`. You will need to supply `org_id`, `folder_id`, and `billing_account` variables through `terraform.tfvars` file. Please see `terraform.tfvars.example` file for an example. ### CI @@ -189,4 +165,4 @@ This project has three workflows enabled: 2. Realease Drafter: When merging to master, a release is drafted using the [Release-Drafter Action](https://github.com/marketplace/actions/release-drafter) -3. `Kitchen test` runs on PR, merge to main and releases. +3. `terraform test` runs on PR, merge to main and releases.