feat: adding tests for the major submodules (#3)

Co-authored-by: Awais Malik <awmalik@google.com>
GoogleCloudPlatform · Aug 24, 2023 · 330969f · 330969f
1 parent 7b9bcdc
commit 330969f
Show file tree

Hide file tree

Showing 48 changed files with 859 additions and 155 deletions.
diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml
@@ -21,9 +21,166 @@ steps:
   - 'TF_VAR_org_id=$_ORG_ID'
   - 'TF_VAR_folder_id=$_FOLDER_ID'
   - 'TF_VAR_billing_account=$_BILLING_ACCOUNT'
+  secretEnv: ['TFE_TOKEN']
+- id: sleep
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'sleep 120']
+  waitFor:
+    - "prepare"
+- id: docker-push
+  name: "gcr.io/cloud-builders/docker"
+  script: |
+    #!/usr/bin/env bash
+    source test/setup/outputs.env
+    docker build -t us-central1-docker.pkg.dev/$_SETUP_PROJECT_ID/hashicorp/tfc-agent:latest -f examples/tfc-agent-gke-custom/Dockerfile examples/tfc-agent-gke-custom
+    docker push us-central1-docker.pkg.dev/$_SETUP_PROJECT_ID/hashicorp/tfc-agent:latest
+  waitFor:
+    - "sleep"
+- id: packer-init
+  name: 'hashicorp/packer:1.9.1'
+  script: |
+    #!/usr/bin/env bash
+    source test/setup/outputs.env
+    packer init -var project_id=$_SETUP_PROJECT_ID examples/tfc-agent-mig-vm-packer/packer/packer.pkr.hcl
+  waitFor:
+    - "sleep"
+  env:
+  - 'TFC_AGENT_VERSION=$_TFC_AGENT_VERSION'
+- id: packer-build
+  name: 'hashicorp/packer:1.9.1'
+  script: |
+    #!/usr/bin/env bash
+    source test/setup/outputs.env
+    packer build -force -var project_id=$_SETUP_PROJECT_ID examples/tfc-agent-mig-vm-packer/packer
+  env:
+  - 'TFC_AGENT_VERSION=$_TFC_AGENT_VERSION'
+  waitFor:
+    - "packer-init"
+- id: init-all
+  waitFor:
+    - "sleep"
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run all --stage init --verbose']
+- id: apply-oidc
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestOidcSimple --stage apply --verbose']
+  secretEnv: ['TFE_TOKEN']
+  waitFor:
+    - "init-all"
+- id: verify-oidc
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestOidcSimple --stage verify --verbose']
+  secretEnv: ['TFE_TOKEN']
+  waitFor:
+    - "apply-oidc"
+- id: destroy-oidc
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestOidcSimple --stage destroy --verbose']
+  secretEnv: ['TFE_TOKEN']
+  waitFor:
+    - "verify-oidc"
+- id: apply-gke-custom
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestTfcAgentGkeCustom --stage apply --verbose']
+  secretEnv: ['TFE_TOKEN']
+  waitFor:
+    - "init-all"
+    - "docker-push"
+- id: verify-gke-custom
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestTfcAgentGkeCustom --stage verify --verbose']
+  secretEnv: ['TFE_TOKEN']
+  waitFor:
+    - "apply-gke-custom"
+- id: destroy-gke-custom
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestTfcAgentGkeCustom --stage destroy --verbose']
+  secretEnv: ['TFE_TOKEN']
+  waitFor:
+    - "verify-gke-custom"
+- id: apply-gke-simple
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestTfcAgentGkeSimple --stage apply --verbose']
+  secretEnv: ['TFE_TOKEN']
+  waitFor:
+    - "init-all"
+- id: verify-gke-simple
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestTfcAgentGkeSimple --stage verify --verbose']
+  secretEnv: ['TFE_TOKEN']
+  waitFor:
+    - "apply-gke-simple"
+- id: destroy-gke-simple
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestTfcAgentGkeSimple --stage destroy --verbose']
+  secretEnv: ['TFE_TOKEN']
+  waitFor:
+    - "verify-gke-simple"
+- id: apply-mig-con-simple
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestTfcAgentMigContainerVmSimple --stage apply --verbose']
+  secretEnv: ['TFE_TOKEN']
+  waitFor:
+    - "init-all"
+- id: verify-mig-con-simple
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestTfcAgentMigContainerVmSimple --stage verify --verbose']
+  secretEnv: ['TFE_TOKEN']
+  waitFor:
+    - "apply-mig-con-simple"
+- id: destroy-mig-con-simple
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestTfcAgentMigContainerVmSimple --stage destroy --verbose']
+  secretEnv: ['TFE_TOKEN']
+  waitFor:
+    - "verify-mig-con-simple"
+- id: apply-mig-packer
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestTfcAgentMigVmPacker --stage apply --verbose']
+  secretEnv: ['TFE_TOKEN']
+  waitFor:
+    - "init-all"
+    - "packer-build"
+- id: verify-mig-packer
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestTfcAgentMigVmPacker --stage verify --verbose']
+  secretEnv: ['TFE_TOKEN']
+  waitFor:
+    - "apply-mig-packer"
+- id: destroy-mig-packer
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestTfcAgentMigVmPacker --stage destroy --verbose']
+  secretEnv: ['TFE_TOKEN']
+  waitFor:
+    - "verify-mig-packer"
+- id: apply-mig-simple
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestTfcAgentMigVmSimple --stage apply --verbose']
+  secretEnv: ['TFE_TOKEN']
+  waitFor:
+    - "init-all"
+- id: verify-mig-simple
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestTfcAgentMigVmSimple --stage verify --verbose']
+  secretEnv: ['TFE_TOKEN']
+  waitFor:
+    - "apply-mig-simple"
+- id: destroy-mig-simple
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestTfcAgentMigVmSimple --stage destroy --verbose']
+  secretEnv: ['TFE_TOKEN']
+  waitFor:
+    - "verify-mig-simple"
 tags:
 - 'ci'
 - 'integration'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.14'
+  _TFC_AGENT_VERSION: '1.12.0'
+availableSecrets:
+  secretManager:
+  - versionName: $_TFE_TOKEN_SECRET_ID/versions/latest
+    env: 'TFE_TOKEN'
+options:
+  machineType: 'E2_HIGHCPU_32'
diff --git a/examples/oidc-simple/README.md b/examples/oidc-simple/README.md
@@ -20,6 +20,7 @@ This example showcases how to configure [Workload Identity Federation](https://c
 | Name | Description |
 |------|-------------|
 | pool\_name | Pool name |
+| project\_id | The project id to create Workload Identity Federation pool and example Service Account |
 | provider\_name | Provider name |
 | sa\_email | Example SA email |
 

diff --git a/examples/oidc-simple/main.tf b/examples/oidc-simple/main.tf
@@ -19,6 +19,11 @@ data "tfe_organization" "tfc_org" {
   name = var.tfc_org_name
 }
 
+locals {
+  tfc_project   = "${var.tfc_project_name} ${random_string.suffix.result}"
+  tfc_workspace = "${var.tfc_workspace_name}-${random_string.suffix.result}"
+}
+
 # Random ID for the workload_identity_pool_id
 # will avoid errors due to GCP's 30-day hold on deleted pools
 resource "random_string" "suffix" {
@@ -29,13 +34,13 @@ resource "random_string" "suffix" {
 
 # Create a new project in Terraform Cloud
 resource "tfe_project" "tfc_project" {
+  name         = local.tfc_project
   organization = data.tfe_organization.tfc_org.name
-  name         = var.tfc_project_name
 }
 
 # Create a new workspace which uses the agent to run Terraform
 resource "tfe_workspace" "tfc_workspace" {
-  name         = var.tfc_workspace_name
+  name         = local.tfc_workspace
   organization = data.tfe_organization.tfc_org.name
   project_id   = tfe_project.tfc_project.id
 }

diff --git a/examples/oidc-simple/outputs.tf b/examples/oidc-simple/outputs.tf
@@ -14,6 +14,11 @@
  * limitations under the License.
  */
 
+output "project_id" {
+  description = "The project id to create Workload Identity Federation pool and example Service Account"
+  value       = var.project_id
+}
+
 output "pool_name" {
   description = "Pool name"
   value       = module.oidc.pool_name

diff --git a/examples/tfc-agent-gke-custom/README.md b/examples/tfc-agent-gke-custom/README.md
@@ -79,19 +79,19 @@ If running from your own system, you will need:
 | tfc\_agent\_pool\_name | Terraform Cloud agent pool name to be created | `string` | `"tfc-agent-gke-custom-pool"` | no |
 | tfc\_agent\_pool\_token\_description | Terraform Cloud agent pool token description | `string` | `"tfc-agent-gke-custom-pool-token"` | no |
 | tfc\_org\_name | Terraform Cloud org name where the agent pool will be created | `string` | n/a | yes |
-| tfc\_project\_name | Terraform Cloud project name to be created | `string` | `"GCP agents GKE"` | no |
+| tfc\_project\_name | Terraform Cloud project name to be created | `string` | `"GCP agents GKE custom"` | no |
 | tfc\_workspace\_name | Terraform Cloud workspace name to be created | `string` | `"tfc-agent-gke-custom"` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
 | ca\_certificate | The cluster CA certificate (base64 encoded) |
-| client\_token | The bearer token for auth |
 | cluster\_name | GKE cluster name |
 | kubernetes\_endpoint | The cluster endpoint |
 | location | GKE cluster location |
 | network\_name | Name of the VPC |
+| project\_id | The Google Cloud Platform project ID to deploy Terraform Cloud agent cluster |
 | service\_account | The default service account used for TFC agent nodes |
 | subnet\_name | Name of the subnet in the VPC |
 

diff --git a/examples/tfc-agent-gke-custom/main.tf b/examples/tfc-agent-gke-custom/main.tf
@@ -22,15 +22,28 @@ data "tfe_organization" "tfc_org" {
   name = var.tfc_org_name
 }
 
+locals {
+  tfc_project    = "${var.tfc_project_name} ${random_string.suffix.result}"
+  tfc_workspace  = "${var.tfc_workspace_name}-${random_string.suffix.result}"
+  tfc_agent_pool = "${var.tfc_agent_pool_name}-${random_string.suffix.result}"
+  network_name   = "tfc-gke-custom-${random_string.suffix.result}"
+}
+
+resource "random_string" "suffix" {
+  length  = 4
+  special = false
+  upper   = false
+}
+
 # Create a new project in Terraform Cloud
 resource "tfe_project" "tfc_project" {
+  name         = local.tfc_project
   organization = data.tfe_organization.tfc_org.name
-  name         = var.tfc_project_name
 }
 
 # Create a new workspace which uses the agent to run Terraform
 resource "tfe_workspace" "tfc_workspace" {
-  name           = var.tfc_workspace_name
+  name           = local.tfc_workspace
   organization   = data.tfe_organization.tfc_org.name
   project_id     = tfe_project.tfc_project.id
   agent_pool_id  = tfe_agent_pool.tfc_agent_pool.id
@@ -39,7 +52,7 @@ resource "tfe_workspace" "tfc_workspace" {
 
 # Create a new agent pool in organization
 resource "tfe_agent_pool" "tfc_agent_pool" {
-  name         = var.tfc_agent_pool_name
+  name         = local.tfc_agent_pool
   organization = data.tfe_organization.tfc_org.name
 }
 
@@ -49,24 +62,36 @@ resource "tfe_agent_token" "tfc_agent_token" {
   description   = var.tfc_agent_pool_token_description
 }
 
-# Allow GKE to pull images from Google Artifact Registry
+# Allow GKE to view storage objects
 resource "google_project_iam_member" "gar_viewer" {
   project = var.project_id
   role    = "roles/storage.objectViewer"
-  member  = "serviceAccount:${module.tfc_agent_gke.service_account}"
+  member  = "serviceAccount:${google_service_account.tfc_agent_service_account.email}"
 }
 
+# Allow GKE to pull images from Google Artifact Registry
 resource "google_project_iam_member" "gar_reader" {
   project = var.project_id
   role    = "roles/artifactregistry.reader"
-  member  = "serviceAccount:${module.tfc_agent_gke.service_account}"
+  member  = "serviceAccount:${google_service_account.tfc_agent_service_account.email}"
+}
+
+# Create a new service account for the GKE cluster
+resource "google_service_account" "tfc_agent_service_account" {
+  project      = var.project_id
+  account_id   = "tfc-agent-gke-custom"
+  display_name = "Terraform Cloud agent GKE Service Account"
 }
 
 # Create the infrastructure for the agent to run
 module "tfc_agent_gke" {
-  source          = "../../modules/tfc-agent-gke"
-  create_network  = true
-  project_id      = var.project_id
-  tfc_agent_image = var.tfc_agent_image
-  tfc_agent_token = tfe_agent_token.tfc_agent_token.token
+  source                 = "../../modules/tfc-agent-gke"
+  create_network         = true
+  network_name           = local.network_name
+  subnet_name            = local.network_name
+  project_id             = var.project_id
+  tfc_agent_image        = var.tfc_agent_image
+  tfc_agent_token        = tfe_agent_token.tfc_agent_token.token
+  create_service_account = false
+  service_account_email  = google_service_account.tfc_agent_service_account.email
 }
diff --git a/examples/tfc-agent-gke-custom/outputs.tf b/examples/tfc-agent-gke-custom/outputs.tf
@@ -14,18 +14,17 @@
  * limitations under the License.
  */
 
+output "project_id" {
+  description = "The Google Cloud Platform project ID to deploy Terraform Cloud agent cluster"
+  value       = var.project_id
+}
+
 output "kubernetes_endpoint" {
   description = "The cluster endpoint"
   sensitive   = true
   value       = module.tfc_agent_gke.kubernetes_endpoint
 }
 
-output "client_token" {
-  description = "The bearer token for auth"
-  sensitive   = true
-  value       = module.tfc_agent_gke.client_token
-}
-
 output "ca_certificate" {
   description = "The cluster CA certificate (base64 encoded)"
   sensitive   = true

diff --git a/examples/tfc-agent-gke-custom/variables.tf b/examples/tfc-agent-gke-custom/variables.tf
@@ -27,7 +27,7 @@ variable "tfc_org_name" {
 variable "tfc_project_name" {
   type        = string
   description = "Terraform Cloud project name to be created"
-  default     = "GCP agents GKE"
+  default     = "GCP agents GKE custom"
 }
 
 variable "tfc_workspace_name" {

diff --git a/examples/tfc-agent-gke-simple/README.md b/examples/tfc-agent-gke-simple/README.md
@@ -44,21 +44,21 @@ If running from your own system, you will need:
 |------|-------------|------|---------|:--------:|
 | project\_id | The Google Cloud Platform project ID to deploy Terraform Cloud agent cluster | `string` | n/a | yes |
 | tfc\_agent\_pool\_name | Terraform Cloud agent pool name to be created | `string` | `"tfc-agent-gke-simple-pool"` | no |
-| tfc\_agent\_pool\_token\_description\_description | Terraform Cloud agent pool token description | `string` | `"tfc-agent-gke-simple-pool-token"` | no |
+| tfc\_agent\_pool\_token\_description | Terraform Cloud agent pool token description | `string` | `"tfc-agent-gke-simple-pool-token"` | no |
 | tfc\_org\_name | Terraform Cloud org name where the agent pool will be created | `string` | n/a | yes |
-| tfc\_project\_name | Terraform Cloud project name to be created | `string` | `"GCP agents GKE"` | no |
+| tfc\_project\_name | Terraform Cloud project name to be created | `string` | `"GCP agents GKE simple"` | no |
 | tfc\_workspace\_name | Terraform Cloud workspace name to be created | `string` | `"tfc-agent-gke-simple"` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
 | ca\_certificate | The cluster CA certificate (base64 encoded) |
-| client\_token | The bearer token for auth |
 | cluster\_name | GKE cluster name |
 | kubernetes\_endpoint | The GKE cluster endpoint |
 | location | GKE cluster location |
 | network\_name | Name of the VPC |
+| project\_id | The Google Cloud Platform project ID to deploy Terraform Cloud agent cluster |
 | service\_account | The default service account used for TFC agent nodes |
 | subnet\_name | Name of the subnet in the VPC |