From 170a988f081431c10f9f9195c23d5a3510e13975 Mon Sep 17 00:00:00 2001 From: Martijn van Schaardenburg Date: Tue, 23 Sep 2025 20:38:10 +0000 Subject: [PATCH 1/5] chore: Migrate simple_cloud_run kitchen -> cft --- Makefile | 2 +- build/int.cloudbuild.yaml | 52 +++++++------------ kitchen.yml | 40 -------------- .../simple_cloud_run/controls/gcloud.rb | 30 ----------- test/integration/simple_cloud_run/inspec.yml | 28 ---------- 5 files changed, 20 insertions(+), 132 deletions(-) delete mode 100644 kitchen.yml delete mode 100644 test/integration/simple_cloud_run/controls/gcloud.rb delete mode 100644 test/integration/simple_cloud_run/inspec.yml diff --git a/Makefile b/Makefile index 9f71d742..3efbc918 100644 --- a/Makefile +++ b/Makefile @@ -93,4 +93,4 @@ docker_test_integration: -e TF_VAR_project_id \ -v "$(CURDIR)":/workspace \ $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \ - /usr/local/bin/test_integration.sh + cft test run all diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index 2c815d54..00cefe34 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml 
@@ -17,18 +17,19 @@ steps: - id: swap-module-refs name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['module-swapper'] -- id: secure cloud run on foundation - name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestSecureCloudRun --test-dir /workspace/test/integration --verbose'] - env: - - 'TF_VAR_org_id=$_SFB_ORG_ID' - - 'TF_VAR_billing_account=$_BILLING_ACCOUNT' - - 'TF_VAR_terraform_sa=$_SFB_TF_SA_NAME' - - 'TF_VAR_cloudbuild_project_id=$_SFB_CLOUDBUILD_PROJECT_ID' - - 'TF_VAR_seed_project_id=$_SFB_SEED_PROJECT_ID' - - 'TF_VAR_domain=test.blueprints.joonix.net' - - 'TF_VAR_resource_names_suffix=$SHORT_SHA' - allowFailure: true +# Temporarily disble this one +##- id: secure cloud run on foundation +## name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' +## args: ['/bin/bash', '-c', 'cft test run TestSecureCloudRun --test-dir /workspace/test/integration --verbose'] +## env: +## - 'TF_VAR_org_id=$_SFB_ORG_ID' +## - 'TF_VAR_billing_account=$_BILLING_ACCOUNT' +## - 'TF_VAR_terraform_sa=$_SFB_TF_SA_NAME' +## - 'TF_VAR_cloudbuild_project_id=$_SFB_CLOUDBUILD_PROJECT_ID' +## - 'TF_VAR_seed_project_id=$_SFB_SEED_PROJECT_ID' +## - 'TF_VAR_domain=test.blueprints.joonix.net' +## - 'TF_VAR_resource_names_suffix=$SHORT_SHA' +## allowFailure: true - id: prepare name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && prepare_environment'] 
@@ -49,34 +50,19 @@ steps: # - 'TF_VAR_create_access_context_manager_access_policy=false' # waitFor: # - prepare -- id: create - name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create'] +- id: simple-cloud-run waitFor: - - prepare -- id: converge + - prepare name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge'] - waitFor: - - create -- id: verify - name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify'] - waitFor: - - converge -- id: destroy - name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy'] - waitFor: - - verify -- id: create all + args: ['/bin/bash', '-c', 'cft test run TestSimple --verbose'] +- id: create cloud-run-with-cmek waitFor: - - destroy + - simple-cloud-run name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && source_test_env && init_credentials && cft test run TestCloudRunWithCMEK --test-dir test/integration --stage init --verbose'] - id: converge cloud-run-with-cmek waitFor: - - create all + - create cloud-run-with-cmek name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && source_test_env && init_credentials && cft test run TestCloudRunWithCMEK --test-dir test/integration --stage apply --verbose'] - id: 
verify cloud-run-with-cmek diff --git a/kitchen.yml b/kitchen.yml deleted file mode 100644 index 4d5a7ac6..00000000 --- a/kitchen.yml +++ /dev/null @@ -1,40 +0,0 @@ -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -driver: - name: terraform - verify_version: false - -provisioner: - name: terraform - -verifier: - name: terraform - -platforms: - - name: default - -suites: - - name: simple_cloud_run - driver: - root_module_directory: test/fixtures/simple_cloud_run/ - verifier: - color: false - systems: - - name: simple_cloud_run local - backend: local - controls: - - gcloud - diff --git a/test/integration/simple_cloud_run/controls/gcloud.rb b/test/integration/simple_cloud_run/controls/gcloud.rb deleted file mode 100644 index 2837441e..00000000 --- a/test/integration/simple_cloud_run/controls/gcloud.rb +++ /dev/null 
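Review bot: The new `simple-cloud-run` step calls `cft test run TestSimple --verbose` directly, while the CMEK steps in the same hunk first run `source /usr/local/bin/task_helper_functions.sh && source_test_env && init_credentials` and pass `--test-dir test/integration`. The removed kitchen steps went through `kitchen_do`, so it is worth confirming that the test still runs with the intended test service account and project, not with whatever identity the build step has by default. If the helpers are needed, keep the step consistent with its neighbours: `'source /usr/local/bin/task_helper_functions.sh && source_test_env && init_credentials && cft test run TestSimple --test-dir test/integration --verbose'`. The step list continues outside the hunk.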
@@ -1,30 +0,0 @@ -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -control "gcloud" do - title "gcloud" - - describe command("gcloud --project=#{attribute("project_id")} services list --enabled") do - its(:exit_status) { should eq 0 } - its(:stderr) { should eq "" } - its(:stdout) { should match "run.googleapis.com" } - end - - describe command("gcloud --project=#{attribute("project_id")} run services list --region=#{attribute("service_location")} --format=json") do - its(:exit_status) { should eq 0 } - its(:stderr) { should eq '' } - its(:stdout) { should include "#{attribute('service_status')}" } - its(:stdout) { should include "#{attribute('service_name')}" } - end -end diff --git a/test/integration/simple_cloud_run/inspec.yml b/test/integration/simple_cloud_run/inspec.yml deleted file mode 100644 index 05845b8a..00000000 --- a/test/integration/simple_cloud_run/inspec.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: simple_cloud_run -attributes: - - name: project_id - required: true - type: string - - name: service_status - required: true - type: string - - name: service_name - required: true - type: string - - name: service_location - required: true - type: string From 538f179161c7997a33bef705a3b0135a2fa95152 Mon Sep 17 00:00:00 2001 From: Martijn van Schaardenburg Date: Tue, 23 Sep 2025 20:59:49 +0000 Subject: [PATCH 2/5] fix ambiguity and actually upload test --- build/int.cloudbuild.yaml | 2 +- .../simple_cloud_run/simple_test.go | 49 +++++++++++++++++++ 2 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 test/integration/simple_cloud_run/simple_test.go diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index 00cefe34..14196b5f 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml @@ -54,7 +54,7 @@ steps: waitFor: - prepare name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestSimple --verbose'] + args: ['/bin/bash', '-c', 'cft test run TestSimpleCloudRun --verbose'] - id: create cloud-run-with-cmek waitFor: - simple-cloud-run diff --git a/test/integration/simple_cloud_run/simple_test.go b/test/integration/simple_cloud_run/simple_test.go new file mode 100644 index 00000000..1c7647a6 --- /dev/null 
+++ b/test/integration/simple_cloud_run/simple_test.go 
@@ -0,0 +1,49 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package simple_cloud_run
+
+import (
+ "fmt"
+ "testing"
+
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud"
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
+ "github.com/stretchr/testify/assert"
+)
+
+func TestSimpleCloudRun(t *testing.T) {
+
+ cloudRun := tft.NewTFBlueprintTest(t)
+
+ cloudRun.DefineVerify(
+ func(assert *assert.Assertions) {
+ projectID := cloudRun.GetStringOutput("project_id")
+ location := cloudRun.GetStringOutput("service_location")
+ serviceName := cloudRun.GetStringOutput("service_name")
+ serviceStatus := cloudRun.GetStringOutput("service_status")
+
+ gcProjectOps := gcloud.WithCommonArgs([]string{"--project", projectID, "--format", "json"})
+ projectOp := gcloud.Run(t, "services list --enabled --filter='config.name=run.googleapis.com'", gcProjectOps).Array()[0]
+
+ assert.Equal("run.googleapis.com", projectOp.Get("config").Get("name").String(), "should have the right API enabled")
+
+ gcOps := gcloud.WithCommonArgs([]string{"--project", projectID, "--region", location, "--format", "json"})
+
+ op := gcloud.Run(t, fmt.Sprintf("run services list --filter=%q", serviceName), gcOps).Array()[0]
+
+ assert.Equal(serviceStatus, op.Get("status").Get("conditions").Array()[0].Get("type").String(), "should have the right service status")
+ })
+ cloudRun.Test()
+}
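Review bot: The three `.Array()[0]` index expressions in the `DefineVerify` closure panic with an index-out-of-range error when gcloud returns an empty list (API not enabled, service not found, no conditions), so the failure surfaces as a runtime panic and not as a readable assertion. Bind each slice first and guard it, for example `services := gcloud.Run(t, fmt.Sprintf("run services list --filter=%q", serviceName), gcOps).Array()` followed by `if !assert.NotEmpty(services, "service should be listed") { return }`. The final assertion also compares only the `type` of the first condition with `service_status`; if the intent is to prove the service is healthy, also assert that condition's `status` field, assuming the usual Cloud Run condition shape (to be confirmed). The later hunk in PATCH 4/5 that rewrites the `--filter` keeps the same unguarded `Array()[0]`.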
From 0d7eb7da3705f6698d574ef2c6bc58bfbb6a99c4 Mon Sep 17 00:00:00 2001 From: Martijn van Schaardenburg Date: Tue, 23 Sep 2025 21:11:09 +0000 Subject: [PATCH 3/5] random_id_length --- test/setup/main.tf | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/test/setup/main.tf b/test/setup/main.tf index 3a581258..7e38a08a 100644 --- a/test/setup/main.tf +++ b/test/setup/main.tf @@ -137,13 +137,14 @@ module "project" { source = "terraform-google-modules/project-factory/google" version = "~> 17.0" - name = "ci-cloud-run" - random_project_id = "true" - org_id = var.org_id - folder_id = var.folder_id - billing_account = var.billing_account - default_service_account = "keep" - deletion_policy = "DELETE" + name = "ci-cloud-run" + random_project_id = "true" + random_project_id_length = 6 + org_id = var.org_id + folder_id = var.folder_id + billing_account = var.billing_account + default_service_account = "keep" + deletion_policy = "DELETE" activate_apis = flatten(values(local.per_module_services)) } From 80c7021e22204ff0bcb8cf3bdff45ca8e26e0219 Mon Sep 17 00:00:00 2001 From: Martijn van Schaardenburg Date: Wed, 24 Sep 2025 16:17:06 +0000 Subject: [PATCH 4/5] reenable disabled test --- build/int.cloudbuild.yaml | 25 +++++++++---------- .../simple_cloud_run/simple_test.go | 3 +-- 2 files changed, 13 insertions(+), 15 deletions(-) diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index 14196b5f..257ef14e 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml 
@@ -17,19 +17,18 @@ steps: - id: swap-module-refs name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['module-swapper'] -# Temporarily disble this one -##- id: secure cloud run on foundation -## name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' -## args: ['/bin/bash', '-c', 'cft test run TestSecureCloudRun --test-dir /workspace/test/integration --verbose'] -## env: -## - 'TF_VAR_org_id=$_SFB_ORG_ID' -## - 'TF_VAR_billing_account=$_BILLING_ACCOUNT' -## - 'TF_VAR_terraform_sa=$_SFB_TF_SA_NAME' -## - 'TF_VAR_cloudbuild_project_id=$_SFB_CLOUDBUILD_PROJECT_ID' -## - 'TF_VAR_seed_project_id=$_SFB_SEED_PROJECT_ID' -## - 'TF_VAR_domain=test.blueprints.joonix.net' -## - 'TF_VAR_resource_names_suffix=$SHORT_SHA' -## allowFailure: true +- id: secure cloud run on foundation + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', 'cft test run TestSecureCloudRun --test-dir /workspace/test/integration --verbose'] + env: + - 'TF_VAR_org_id=$_SFB_ORG_ID' + - 'TF_VAR_billing_account=$_BILLING_ACCOUNT' + - 'TF_VAR_terraform_sa=$_SFB_TF_SA_NAME' + - 'TF_VAR_cloudbuild_project_id=$_SFB_CLOUDBUILD_PROJECT_ID' + - 'TF_VAR_seed_project_id=$_SFB_SEED_PROJECT_ID' + - 'TF_VAR_domain=test.blueprints.joonix.net' + - 'TF_VAR_resource_names_suffix=$SHORT_SHA' + allowFailure: true - id: prepare name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && prepare_environment'] diff --git a/test/integration/simple_cloud_run/simple_test.go b/test/integration/simple_cloud_run/simple_test.go index 1c7647a6..035af1f3 100644 --- a/test/integration/simple_cloud_run/simple_test.go +++ b/test/integration/simple_cloud_run/simple_test.go 
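Review bot: The restored `secure cloud run on foundation` step ends with `allowFailure: true`, so a failing `TestSecureCloudRun` never fails the build and a regression in the secure blueprint can merge unnoticed. If the step is non-gating because it is flaky or slow, say so next to the flag, for example `# non-gating: <reason / tracking issue>`, and otherwise drop the flag so the security test gates the pipeline. The step list continues outside the hunk.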
@@ -24,7 +24,6 @@ import ( ) func TestSimpleCloudRun(t *testing.T) { - cloudRun := tft.NewTFBlueprintTest(t) cloudRun.DefineVerify( @@ -41,7 +40,7 @@ func TestSimpleCloudRun(t *testing.T) { gcOps := gcloud.WithCommonArgs([]string{"--project", projectID, "--region", location, "--format", "json"}) - op := gcloud.Run(t, fmt.Sprintf("run services list --filter=%q", serviceName), gcOps).Array()[0] + op := gcloud.Run(t, fmt.Sprintf("run services list --filter=metadata.name=%q", serviceName), gcOps).Array()[0] assert.Equal(serviceStatus, op.Get("status").Get("conditions").Array()[0].Get("type").String(), "should have the right service status") }) From e9c701f488738e8289dce1058f76bcd8549d972f Mon Sep 17 00:00:00 2001 From: Martijn van Schaardenburg Date: Wed, 24 Sep 2025 16:21:35 +0000 Subject: [PATCH 5/5] increase random suffix length --- test/setup/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/setup/main.tf b/test/setup/main.tf index 7e38a08a..c61614d1 100644 --- a/test/setup/main.tf +++ b/test/setup/main.tf @@ -139,7 +139,7 @@ module "project" { name = "ci-cloud-run" random_project_id = "true" - random_project_id_length = 6 + random_project_id_length = 8 org_id = var.org_id folder_id = var.folder_id billing_account = var.billing_account