package google
import (
"fmt"
"reflect"
"testing"
"github.com/hashicorp/terraform/helper/acctest"
"github.com/hashicorp/terraform/helper/resource"
"github.com/hashicorp/terraform/terraform"
)
// TestAccBinaryAuthorizationPolicy_basic creates a project with a deny-by-default
// policy that whitelists a single image pattern, verifies the resource
// round-trips through import, and finally removes the policy resource while
// keeping the project so the check can confirm the project's policy fell back
// to the default.
//
// pname is the shared project display name; presumably a package-level
// constant defined in another test file — confirm.
func TestAccBinaryAuthorizationPolicy_basic(t *testing.T) {
	t.Parallel()

	orgID := getTestOrgFromEnv(t)
	// Each project can hold only one policy, so every run gets its own project.
	projectID := "tf-test-" + acctest.RandString(10)

	steps := []resource.TestStep{
		{
			Config: testAccBinaryAuthorizationPolicyBasic(projectID, pname, orgID),
		},
		{
			ResourceName:      "google_binary_authorization_policy.policy",
			ImportState:       true,
			ImportStateVerify: true,
		},
		// Destroy the policy without destroying the project so we can check
		// that it was restored to the default.
		{
			Config: testAccBinaryAuthorizationPolicyDefault(projectID, pname, orgID),
			Check:  testAccCheckBinaryAuthorizationPolicyDefault(projectID),
		},
	}

	resource.Test(t, resource.TestCase{
		PreCheck:  func() { testAccPreCheck(t) },
		Providers: testAccProviders,
		Steps:     steps,
	})
}
// TestAccBinaryAuthorizationPolicy_full creates a project with the complete
// fixture — the Binary Authorization API enabled, a Container Analysis note,
// an attestor bound to that note, and a policy whose prod-cluster rule requires
// an attestation from that attestor — verifies the policy resource round-trips
// through import, and finally removes the policy resource while keeping the
// project so the check can confirm the project's policy fell back to the default.
//
// pname is the shared project display name; presumably a package-level
// constant defined in another test file — confirm.
func TestAccBinaryAuthorizationPolicy_full(t *testing.T) {
	t.Parallel()

	orgID := getTestOrgFromEnv(t)
	// Each project can hold only one policy, so every run gets its own project.
	projectID := "tf-test-" + acctest.RandString(10)
	// Random suffixes keep the note and attestor names unique per run.
	noteName := acctest.RandString(10)
	attestorName := acctest.RandString(10)

	steps := []resource.TestStep{
		{
			Config: testAccBinaryAuthorizationPolicyFull(projectID, pname, orgID, noteName, attestorName),
		},
		{
			ResourceName:      "google_binary_authorization_policy.policy",
			ImportState:       true,
			ImportStateVerify: true,
		},
		// Destroy the policy without destroying the project so we can check
		// that it was restored to the default.
		{
			Config: testAccBinaryAuthorizationPolicyDefault(projectID, pname, orgID),
			Check:  testAccCheckBinaryAuthorizationPolicyDefault(projectID),
		},
	}

	resource.Test(t, resource.TestCase{
		PreCheck:  func() { testAccPreCheck(t) },
		Providers: testAccProviders,
		Steps:     steps,
	})
}
// TestAccBinaryAuthorizationPolicy_update walks a project's policy through the
// basic (deny by default) configuration, the full attestor-backed
// configuration, and back to basic, re-importing and verifying the resource
// after each applied config. It then removes the policy resource while keeping
// the project so the final check can confirm the project's policy fell back to
// the default.
//
// pname is the shared project display name; presumably a package-level
// constant defined in another test file — confirm.
func TestAccBinaryAuthorizationPolicy_update(t *testing.T) {
	t.Parallel()

	orgID := getTestOrgFromEnv(t)
	// Each project can hold only one policy, so every run gets its own project.
	projectID := "tf-test-" + acctest.RandString(10)
	// Random suffixes keep the note and attestor names unique per run.
	noteName := acctest.RandString(10)
	attestorName := acctest.RandString(10)

	// Every applied config is followed by the same import step, which verifies
	// that the imported resource matches the state written by the apply.
	importPolicy := resource.TestStep{
		ResourceName:      "google_binary_authorization_policy.policy",
		ImportState:       true,
		ImportStateVerify: true,
	}
	applyConfig := func(cfg string) resource.TestStep {
		return resource.TestStep{Config: cfg}
	}

	resource.Test(t, resource.TestCase{
		PreCheck:  func() { testAccPreCheck(t) },
		Providers: testAccProviders,
		Steps: []resource.TestStep{
			applyConfig(testAccBinaryAuthorizationPolicyBasic(projectID, pname, orgID)),
			importPolicy,
			applyConfig(testAccBinaryAuthorizationPolicyFull(projectID, pname, orgID, noteName, attestorName)),
			importPolicy,
			applyConfig(testAccBinaryAuthorizationPolicyBasic(projectID, pname, orgID)),
			importPolicy,
			// Destroy the policy without destroying the project so we can check
			// that it was restored to the default.
			{
				Config: testAccBinaryAuthorizationPolicyDefault(projectID, pname, orgID),
				Check:  testAccCheckBinaryAuthorizationPolicyDefault(projectID),
			},
		},
	})
}
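// testAccCheckBinaryAuthorizationPolicyDefault returns a check that fetches the
// live binary authorization policy of project pid straight from the API and
// asserts it equals defaultBinaryAuthorizationPolicy(pid). It is used after the
// managed policy resource has been destroyed, to confirm that destroying the
// resource restores the project's policy to the default rather than leaving the
// last applied rules in place.
//
// The Terraform state is not consulted: the configs that use this check no
// longer declare the policy resource, so the live API is the only place the
// outcome can be verified. The server-populated updateTime field is dropped
// before comparison because the expected default policy does not carry it.
func testAccCheckBinaryAuthorizationPolicyDefault(pid string) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		config := testAccProvider.Meta().(*Config)
		url := fmt.Sprintf("https://binaryauthorization.googleapis.com/v1beta1/projects/%s/policy", pid)

		pol, err := sendRequest(config, "GET", url, nil)
		if err != nil {
			// Name the project so a failing check can be tied to its test run.
			return fmt.Errorf("fetching binary authorization policy for project %s: %s", pid, err)
		}
		delete(pol, "updateTime")

		defaultPol := defaultBinaryAuthorizationPolicy(pid)
		if !reflect.DeepEqual(pol, defaultPol) {
			return fmt.Errorf("Policy for project %s was %v, expected default policy %v", pid, pol, defaultPol)
		}
		return nil
	}
}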
// testAccBinaryAuthorizationPolicyDefault renders a config that declares only
// the test project (id pid, display name pname, under organization org) and no
// google_binary_authorization_policy resource. Applying it after one of the
// policy configs destroys the managed policy while keeping the project, so a
// follow-up check can verify that the project's policy reverted to the default.
func testAccBinaryAuthorizationPolicyDefault(pid, pname, org string) string {
	const projectOnly = `
// Use a separate project since each project can only have one policy
resource "google_project" "project" {
project_id = "%s"
name = "%s"
org_id = "%s"
}
`
	return fmt.Sprintf(projectOnly, pid, pname, org)
}
// testAccBinaryAuthorizationPolicyBasic renders a config with the test project
// (id pid, display name pname, under organization org) and a minimal policy on
// it: a default admission rule of ALWAYS_DENY enforced with
// ENFORCED_BLOCK_AND_AUDIT_LOG, with gcr.io/google_containers/* as the only
// whitelisted image pattern.
func testAccBinaryAuthorizationPolicyBasic(pid, pname, org string) string {
	const project = `
// Use a separate project since each project can only have one policy
resource "google_project" "project" {
project_id = "%s"
name = "%s"
org_id = "%s"
}
`
	// Deny everything by default; only the whitelisted pattern is admitted.
	const policy = `
resource "google_binary_authorization_policy" "policy" {
project = "${google_project.project.project_id}"

admission_whitelist_patterns {
name_pattern= "gcr.io/google_containers/*"
}

default_admission_rule {
evaluation_mode = "ALWAYS_DENY"
enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
}
}
`
	return fmt.Sprintf(project+policy, pid, pname, org)
}
// testAccBinaryAuthorizationPolicyFull renders the complete fixture: the test
// project (id pid, display name pname, under organization org), the Binary
// Authorization API enabled on it, a Container Analysis note named
// tf-test-<note>, an attestor named tf-test-<attestor> that references that
// note, and a policy whose default admission rule is ALWAYS_ALLOW but whose rule
// for cluster us-central1-a.prod-cluster is REQUIRE_ATTESTATION by that
// attestor; both rules are enforced with ENFORCED_BLOCK_AND_AUDIT_LOG.
//
// The note and attestor depend on the API enablement explicitly, since the
// service must be enabled before either can be created.
func testAccBinaryAuthorizationPolicyFull(pid, pname, org, note, attestor string) string {
	const project = `
// Use a separate project since each project can only have one policy
resource "google_project" "project" {
project_id = "%s"
name = "%s"
org_id = "%s"
}
`
	// The attestation chain: API enablement, the note, and the attestor bound
	// to that note.
	const attestationChain = `
resource "google_project_service" "binauthz" {
project = "${google_project.project.project_id}"
service = "binaryauthorization.googleapis.com"
}

resource "google_container_analysis_note" "note" {
project = "${google_project.project.project_id}"

name = "tf-test-%s"
attestation_authority {
hint {
human_readable_name = "My attestor"
}
}

depends_on = ["google_project_service.binauthz"]
}

resource "google_binary_authorization_attestor" "attestor" {
project = "${google_project.project.project_id}"

name = "tf-test-%s"
description = "my description"
attestation_authority_note {
note_reference = "${google_container_analysis_note.note.name}"
}

depends_on = ["google_project_service.binauthz"]
}
`
	// Allow by default, but require an attestation from the attestor above on
	// the prod cluster.
	const policy = `
resource "google_binary_authorization_policy" "policy" {
project = "${google_project.project.project_id}"

admission_whitelist_patterns {
name_pattern= "gcr.io/google_containers/*"
}

default_admission_rule {
evaluation_mode = "ALWAYS_ALLOW"
enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
}

cluster_admission_rules {
cluster = "us-central1-a.prod-cluster"
evaluation_mode = "REQUIRE_ATTESTATION"
enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
require_attestations_by = ["${google_binary_authorization_attestor.attestor.name}"]
}
}
`
	return fmt.Sprintf(project+attestationChain+policy, pid, pname, org, note, attestor)
}