From c4cd6a953452825b3494a9d32344eb51a801a468 Mon Sep 17 00:00:00 2001
From: Ravina Dhruve
Date: Thu, 7 Dec 2023 22:45:07 -0800
Subject: [PATCH] (internal) Add validation test coverage
---
 .github/workflows/ci-pull-request.yaml | 9 +++
 .gitignore | 35 +++++++++
 test/Makefile | 2 +-
 .../organization/main.tf | 71 +++++++++++++++++++
 .../single/main.tf | 54 ++++++++++++++
 .../organization/main.tf | 68 ++++++++++++++++++
 .../secure_threat_detection/single/main.tf | 44 ++++++++++++
 test/functional.sh | 19 +++++
 8 files changed, 301 insertions(+), 1 deletion(-)
 create mode 100644 .gitignore
 create mode 100644 test/examples/secure_config_posture_identity_access/organization/main.tf
 create mode 100644 test/examples/secure_config_posture_identity_access/single/main.tf
 create mode 100644 test/examples/secure_threat_detection/organization/main.tf
 create mode 100644 test/examples/secure_threat_detection/single/main.tf
 create mode 100755 test/functional.sh
diff --git a/.github/workflows/ci-pull-request.yaml b/.github/workflows/ci-pull-request.yaml
index 635bbe7..1639f72 100644
--- a/.github/workflows/ci-pull-request.yaml
+++ b/.github/workflows/ci-pull-request.yaml
@@ -33,6 +33,13 @@ jobs:
 build-and-test:
 name: Build and Test
 runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ example:
+ - "secure_config_posture_identity_access/single/main.tf"
+ - "secure_config_posture_identity_access/organization/main.tf"
+ - "secure_threat_detection/single/main.tf"
+ - "secure_threat_detection/organization/main.tf"
 steps:
 - name: Set up Go
 uses: actions/setup-go@v2
@@ -54,4 +61,6 @@ jobs:
 # - name: Build
 # run: go build ./...
 - name: Test
+ env:
+ EXAMPLES: examples/${{ matrix.example }}
 run: make test
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..96cc1d5
--- /dev/null
+++ b/.gitignore
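Review bot: The example list under `matrix.example` is maintained by hand, so any example added under test/examples later is silently skipped by this workflow unless someone also edits the matrix, and because `EXAMPLES` is always set in the Test step the `find` fallback in test/functional.sh never runs in CI. Consider generating the list in an earlier step (a `find` over test/examples fed to the matrix through `fromJSON`) or at least adding a comment above `matrix:` such as `# keep in sync with test/examples/**/main.tf` so the two cannot drift apart. Each matrix entry also re-runs the Set up Go step visible in the context lines, which is harmless but does nothing for a terraform validate run.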
@@ -0,0 +1,35 @@
+.idea
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+terraform.tfvars
+*.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+.terraform.lock.hcl
+.envrc
+**/.envrc
+
+*.patch
+
+# MacOS
+.DS_Store
diff --git a/test/Makefile b/test/Makefile
index f49cee8..e02115d 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -1,2 +1,2 @@
 test:
- @echo "Functional Tests to be added here."
\ No newline at end of file
+ ./functional.sh
\ No newline at end of file
diff --git a/test/examples/secure_config_posture_identity_access/organization/main.tf b/test/examples/secure_config_posture_identity_access/organization/main.tf
new file mode 100644
index 0000000..cbbfc99
--- /dev/null
+++ b/test/examples/secure_config_posture_identity_access/organization/main.tf
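Review bot: Ignoring `.terraform.lock.hcl` means the example directories that this same commit starts running through `terraform init` in CI never get a committed lock file, so every run resolves providers afresh (the sysdig constraint `~> 1.18.2` floats across patch releases and the google provider has no constraint at all) and the provider checksum pinning a lock file would give is lost. For a module repository that is a common choice, but for the CI examples it means a validation failure can appear from an upstream provider release with no change in this repository; if reproducible runs are wanted, a negation such as `!test/examples/**/.terraform.lock.hcl` below the ignore line would let those lock files be committed. Separately, `**/.envrc` is redundant with `.envrc`, which already matches at any depth.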
@@ -0,0 +1,71 @@
+provider "google" {
+ project = "mytestproject"
+ region = "us-west1"
+}
+
+module "organization-posture" {
+ source = "../../../..//modules/services/service-principal"
+ project_id = "mytestproject"
+ service_account_name = "sysdig-secure"
+ is_organizational = true
+ organization_domain = "mytestorg.com"
+}
+
+terraform {
+
+ required_providers {
+ sysdig = {
+ source = "sysdiglabs/sysdig"
+ version = "~> 1.18.2"
+ }
+ }
+}
+
+provider "sysdig" {
+ sysdig_secure_url = "test_sysdig_secure_endpoint"
+ sysdig_secure_api_token = "test_sysdig_secure_api_token"
+}
+
+resource "sysdig_secure_cloud_auth_account" "gcp_project_mytestproject" {
+ enabled = true
+ provider_id = "mytestproject"
+ provider_type = "PROVIDER_GCP"
+
+ feature {
+
+ secure_identity_entitlement {
+ enabled = true
+ components = ["COMPONENT_SERVICE_PRINCIPAL/secure-posture"]
+ }
+
+ secure_config_posture {
+ enabled = true
+ components = ["COMPONENT_SERVICE_PRINCIPAL/secure-posture"]
+ }
+ }
+ component {
+ type = "COMPONENT_SERVICE_PRINCIPAL"
+ instance = "secure-posture"
+ service_principal_metadata = jsonencode({
+ gcp = {
+ key = module.organization-posture.service_account_key
+ }
+ })
+ }
+ component {
+ type = "COMPONENT_SERVICE_PRINCIPAL"
+ instance = "secure-onboarding"
+ service_principal_metadata = jsonencode({
+ gcp = {
+ key = module.organization-posture.service_account_key
+ }
+ })
+ }
+ depends_on = [module.organization-posture]
+}
+
+resource "sysdig_secure_organization" "gcp_organization_mytestproject" {
+ management_account_id = sysdig_secure_cloud_auth_account.gcp_project_mytestproject.id
+ depends_on = [module.organization-posture]
+}
+
diff --git a/test/examples/secure_config_posture_identity_access/single/main.tf b/test/examples/secure_config_posture_identity_access/single/main.tf
new file mode 100644
index 0000000..67ecee1
--- /dev/null
+++ b/test/examples/secure_config_posture_identity_access/single/main.tf
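Review bot: The `provider "google"` block has no entry in `required_providers` next to the sysdig one, so `terraform init` in this example pulls whatever `hashicorp/google` release is current at run time and a breaking major release upstream would fail the validate job with no change in this repository; the same gap is in the single-project posture example and both threat-detection examples. Adding `google = { source = "hashicorp/google", version = "<pinned range>" }` inside `required_providers` in each of the four files closes it. The literal `sysdig_secure_api_token = "test_sysdig_secure_api_token"` is clearly a dummy, but nothing in the file says so, and secret scanners and people copying the example will both trip over it; a comment above the `provider "sysdig"` block such as `# placeholder values: these examples are only run through terraform validate and are never applied` documents the intent.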
@@ -0,0 +1,54 @@
+provider "google" {
+ project = "mytestproject"
+ region = "us-west1"
+}
+
+module "project-posture" {
+ source = "../../../..//modules/services/service-principal"
+ project_id = "mytestproject"
+ service_account_name = "sysdig-secure"
+}
+
+terraform {
+
+ required_providers {
+ sysdig = {
+ source = "sysdiglabs/sysdig"
+ version = "~> 1.18.2"
+ }
+ }
+}
+
+provider "sysdig" {
+ sysdig_secure_url = "test_sysdig_secure_endpoint"
+ sysdig_secure_api_token = "test_sysdig_secure_api_token"
+}
+
+resource "sysdig_secure_cloud_auth_account" "gcp_project_mytestproject" {
+ enabled = true
+ provider_id = "mytestproject"
+ provider_type = "PROVIDER_GCP"
+
+ feature {
+
+ secure_identity_entitlement {
+ enabled = true
+ components = ["COMPONENT_SERVICE_PRINCIPAL/secure-posture"]
+ }
+
+ secure_config_posture {
+ enabled = true
+ components = ["COMPONENT_SERVICE_PRINCIPAL/secure-posture"]
+ }
+ }
+ component {
+ type = "COMPONENT_SERVICE_PRINCIPAL"
+ instance = "secure-posture"
+ service_principal_metadata = jsonencode({
+ gcp = {
+ key = module.project-posture.service_account_key
+ }
+ })
+ }
+ depends_on = [module.project-posture]
+}
diff --git a/test/examples/secure_threat_detection/organization/main.tf b/test/examples/secure_threat_detection/organization/main.tf
new file mode 100644
index 0000000..fe441df
--- /dev/null
+++ b/test/examples/secure_threat_detection/organization/main.tf
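Review bot: `depends_on = [module.project-posture]` on the cloud auth account is redundant, because the `module.project-posture.service_account_key` reference inside `service_principal_metadata` already gives Terraform that dependency edge; the organization posture example carries the same explicit edge on both of its resources. It is harmless, but a reader will assume an ordering requirement exists beyond the key reference. Either drop the line or keep it with a comment such as `# redundant with the key reference above; kept explicit for readability` so the intent is visible.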
@@ -0,0 +1,68 @@
+provider "google" {
+ project = "mytestproject"
+ region = "us-west1"
+}
+
+module "organization-threat-detection" {
+ source = "../../../..//modules/services/webhook-datasource"
+ project_id = "mytestproject"
+ push_endpoint = "test_sysdig_secure_cloudingestion_endpoint"
+ is_organizational = true
+ organization_domain = "mytestorg.com"
+}
+
+module "organization-posture" {
+ source = "../../../..//modules/services/service-principal"
+ project_id = "mytestproject"
+ service_account_name = "sysdig-secure"
+ is_organizational = true
+ organization_domain = "mytestorg.com"
+}
+
+terraform {
+
+ required_providers {
+ sysdig = {
+ source = "sysdiglabs/sysdig"
+ version = "~> 1.18.2"
+ }
+ }
+}
+
+provider "sysdig" {
+ sysdig_secure_url = "test_sysdig_secure_endpoint"
+ sysdig_secure_api_token = "test_sysdig_secure_api_token"
+}
+
+resource "sysdig_secure_cloud_auth_account" "gcp_project_mytestproject" {
+ enabled = true
+ provider_id = "mytestproject"
+ provider_type = "PROVIDER_GCP"
+
+ feature {
+
+ secure_threat_detection {
+ enabled = true
+ components = ["COMPONENT_WEBHOOK_DATASOURCE/secure-runtime"]
+ }
+ }
+ component {
+ type = "COMPONENT_WEBHOOK_DATASOURCE"
+ instance = "secure-runtime"
+ }
+ component {
+ type = "COMPONENT_SERVICE_PRINCIPAL"
+ instance = "secure-onboarding"
+ service_principal_metadata = jsonencode({
+ gcp = {
+ key = module.organization-posture.service_account_key
+ }
+ })
+ }
+}
+
+resource "sysdig_secure_organization" "gcp_organization_mytestproject" {
+ management_account_id = sysdig_secure_cloud_auth_account.gcp_project_mytestproject.id
+ depends_on = [module.organization-posture]
+}
+
diff --git a/test/examples/secure_threat_detection/single/main.tf b/test/examples/secure_threat_detection/single/main.tf
new file mode 100644
index 0000000..494a3ae
--- /dev/null
+++ b/test/examples/secure_threat_detection/single/main.tf
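Review bot: Nothing in this file references `module.organization-threat-detection` after it is declared, so the `COMPONENT_WEBHOOK_DATASOURCE` component and the `sysdig_secure_cloud_auth_account` resource have no ordering edge to the webhook datasource resources that module creates, and `terraform validate` cannot catch that. Whether the Sysdig side needs those GCP resources to exist first I cannot tell from here; if it does, the resource needs `depends_on = [module.organization-threat-detection]` (the posture organization example sets `depends_on` on the same resource, this one omits it entirely), and the single-project threat-detection example has the same gap with `module.single-project-threat-detection`. If the omission is deliberate, a one-line comment on the component block saying the datasource is registered independently of the GCP resources would stop the next reader from adding the edge.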
@@ -0,0 +1,44 @@
+provider "google" {
+ project = "mytestproject"
+ region = "us-west1"
+}
+
+module "single-project-threat-detection" {
+ source = "../../../..//modules/services/webhook-datasource"
+ project_id = "mytestproject"
+ push_endpoint = "test_sysdig_secure_cloudingestion_endpoint"
+}
+
+terraform {
+
+ required_providers {
+ sysdig = {
+ source = "sysdiglabs/sysdig"
+ version = "~> 1.18.2"
+ }
+ }
+}
+
+provider "sysdig" {
+ sysdig_secure_url = "test_sysdig_secure_endpoint"
+ sysdig_secure_api_token = "test_sysdig_secure_api_token"
+}
+
+resource "sysdig_secure_cloud_auth_account" "gcp_project_mytestproject" {
+ enabled = true
+ provider_id = "mytestproject"
+ provider_type = "PROVIDER_GCP"
+
+ feature {
+
+ secure_threat_detection {
+ enabled = true
+ components = ["COMPONENT_WEBHOOK_DATASOURCE/secure-runtime"]
+ }
+ }
+ component {
+ type = "COMPONENT_WEBHOOK_DATASOURCE"
+ instance = "secure-runtime"
+ }
+}
+
diff --git a/test/functional.sh b/test/functional.sh
new file mode 100755
index 0000000..d57be27
--- /dev/null
+++ b/test/functional.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+set -e
+
+test -n "${EXAMPLES}" || EXAMPLES=$(find examples -type f -name main.tf)
+
+for example in ${EXAMPLES} ; do
+ printf "Functional testing - ${example}\n"
+ example_dir="$(dirname ${example})"
+ test -d "${example_dir}" || (printf "not an example directory: ${example_dir}\n" ; exit 1)
+ pushd "${example_dir}"
+ # run
+ terraform init
+ terraform validate
+
+ # cleanup (except configuration file)
+ git clean -fxde main.tf
+ popd
+done
\ No newline at end of file
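Review bot: `printf "Functional testing - ${example}\n"` expands the path into the format string, so a `%` in an example path is interpreted as a conversion and the line misprints or fails; the same pattern is in the "not an example directory" message. Use `printf 'Functional testing - %s\n' "${example}"` and `printf 'not an example directory: %s\n' "${example_dir}"` so the value is passed as an argument. The `( ... ; exit 1)` subshell only stops the script because it is the last command of an `||` list under `set -e`, which is easy to misread; `{ printf ...; exit 1; }` says what is meant. Note also that when `terraform init` or `terraform validate` fails, `set -e` aborts before `git clean` and `popd` run, so `.terraform/` and the lock file are left in the example directory; a `trap` for the cleanup, or at least a comment stating that leftovers after a failed run are expected, would document that.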