

update tests
Krusty93 committed Feb 20, 2025
1 parent 29c7a31 commit 62e70b6
Showing 7 changed files with 100 additions and 58 deletions.
3 changes: 1 addition & 2 deletions infra/modules/azure_github_environment_bootstrap/README.md
Expand Up @@ -108,12 +108,11 @@
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_apim_id"></a> [apim\_id](#input\_apim\_id) | (Optional) ID of the APIM instance | `string` | `null` | no |
| <a name="input_dns_zone_resource_group_id"></a> [dns\_zone\_resource\_group\_id](#input\_dns\_zone\_resource\_group\_id) | Id of the resource group holding public DNS zones | `string` | n/a | yes |
| <a name="input_entraid_groups"></a> [entraid\_groups](#input\_entraid\_groups) | Azure Entra Id groups to give role to | <pre>object({<br/> admins_object_id = string<br/> devs_object_id = string<br/> externals_object_id = optional(string, null)<br/> })</pre> | n/a | yes |
| <a name="input_environment"></a> [environment](#input\_environment) | Values which are used to generate resource names and location short names. They are all mandatory except for domain, which should not be used only in the case of a resource used by multiple domains. | <pre>object({<br/> prefix = string<br/> env_short = string<br/> location = string<br/> domain = string<br/> instance_number = string<br/> })</pre> | n/a | yes |
| <a name="input_github_private_runner"></a> [github\_private\_runner](#input\_github\_private\_runner) | n/a | <pre>object({<br/> container_app_environment_id = string<br/> container_app_environment_location = string<br/> polling_interval_in_seconds = optional(number, 30)<br/> min_instances = optional(number, 0)<br/> max_instances = optional(number, 30)<br/> labels = optional(list(string), [])<br/> key_vault = object({<br/> name = string<br/> resource_group_name = string<br/> secret_name = optional(string, "github-runner-pat")<br/> })<br/> cpu = optional(number, 0.5)<br/> memory = optional(string, "1Gi")<br/> })</pre> | n/a | yes |
| <a name="input_keyvault_common_ids"></a> [keyvault\_common\_ids](#input\_keyvault\_common\_ids) | Id of the KeyVault containing common secrets | `list(string)` | `[]` | no |
| <a name="input_nat_gateway_resource_group_id"></a> [nat\_gateway\_resource\_group\_id](#input\_nat\_gateway\_resource\_group\_id) | Id of the resource group hosting NAT Gateways | `string` | n/a | yes |
| <a name="input_nat_gateway_resource_group_id"></a> [nat\_gateway\_resource\_group\_id](#input\_nat\_gateway\_resource\_group\_id) | (Optional) Id of the resource group hosting NAT Gateways | `string` | `null` | no |
| <a name="input_opex_resource_group_id"></a> [opex\_resource\_group\_id](#input\_opex\_resource\_group\_id) | Id of the resource group containing Opex dashboards | `string` | n/a | yes |
| <a name="input_pep_vnet_id"></a> [pep\_vnet\_id](#input\_pep\_vnet\_id) | ID of the VNet holding Private Endpoint-dedicated subnet | `string` | n/a | yes |
| <a name="input_private_dns_zone_resource_group_id"></a> [private\_dns\_zone\_resource\_group\_id](#input\_private\_dns\_zone\_resource\_group\_id) | Id of the resource group holding private DNS zones | `string` | n/a | yes |
Expand Up @@ -60,7 +60,7 @@ resource "azurerm_role_assignment" "infra_cd_rg_network_contributor" {

# NAT Gateway
resource "azurerm_role_assignment" "infra_cd_rg_nat_gw_network_contributor" {
count = var.private_dns_zone_resource_group_id == var.nat_gateway_resource_group_id ? 0 : 1 # avoid duplicated assignment on the same rg
count = (var.private_dns_zone_resource_group_id == var.nat_gateway_resource_group_id) || (var.nat_gateway_resource_group_id == null) ? 0 : 1 # avoid duplicated assignment on the same rg

scope = var.nat_gateway_resource_group_id
role_definition_name = "Network Contributor"
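Review bot: The trailing comment on the new `count` line still reads `# avoid duplicated assignment on the same rg`, but the expression now also yields 0 when `var.nat_gateway_resource_group_id` is null, so the reason the role assignment disappears for the optional-input case is not stated where a reader meets it. Suggest `# 0 when no NAT Gateway rg is given, or when it is the private DNS rg (which presumably already gets Network Contributor via infra_cd_rg_network_contributor, shown just above in the hunk header)`. The two-sided condition would also read better moved into a named local, e.g. `count = local.needs_nat_gw_role_assignment ? 1 : 0`, than left inline with a trailing comment. The resource body continues past the end of the hunk.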
Expand Up @@ -66,7 +66,6 @@ run "validate_github_repository" {
pep_vnet_id = run.setup_tests.pep_vnet_id
private_dns_zone_resource_group_id = run.setup_tests.private_dns_zone_resource_group_id
opex_resource_group_id = run.setup_tests.opex_resource_group_id
nat_gateway_resource_group_id = run.setup_tests.dns_zone_resource_group_id

tags = run.setup_tests.tags
}
Expand Down Expand Up @@ -157,10 +156,9 @@ run "validate_github_branch_protection" {
}
}

pep_vnet_id = run.setup_tests.pep_vnet_id
dns_zone_resource_group_id = run.setup_tests.dns_zone_resource_group_id
opex_resource_group_id = run.setup_tests.opex_resource_group_id
nat_gateway_resource_group_id = run.setup_tests.dns_zone_resource_group_id
pep_vnet_id = run.setup_tests.pep_vnet_id
private_dns_zone_resource_group_id = run.setup_tests.private_dns_zone_resource_group_id
opex_resource_group_id = run.setup_tests.opex_resource_group_id

tags = run.setup_tests.tags
}
Expand Down Expand Up @@ -231,10 +229,9 @@ run "validate_github_default_branch_override" {
}
}

pep_vnet_id = run.setup_tests.pep_vnet_id
dns_zone_resource_group_id = run.setup_tests.dns_zone_resource_group_id
opex_resource_group_id = run.setup_tests.opex_resource_group_id
nat_gateway_resource_group_id = run.setup_tests.dns_zone_resource_group_id
pep_vnet_id = run.setup_tests.pep_vnet_id
private_dns_zone_resource_group_id = run.setup_tests.private_dns_zone_resource_group_id
opex_resource_group_id = run.setup_tests.opex_resource_group_id

tags = run.setup_tests.tags
}
Expand Down Expand Up @@ -299,10 +296,9 @@ run "validate_github_id_app" {
}
}

pep_vnet_id = run.setup_tests.pep_vnet_id
dns_zone_resource_group_id = run.setup_tests.dns_zone_resource_group_id
opex_resource_group_id = run.setup_tests.opex_resource_group_id
nat_gateway_resource_group_id = run.setup_tests.dns_zone_resource_group_id
pep_vnet_id = run.setup_tests.pep_vnet_id
private_dns_zone_resource_group_id = run.setup_tests.private_dns_zone_resource_group_id
opex_resource_group_id = run.setup_tests.opex_resource_group_id

tags = run.setup_tests.tags
}
Expand Down Expand Up @@ -353,7 +349,6 @@ run "validate_github_id_infra" {
azurerm_role_assignment.infra_ci_rg_st_blob_reader,
azurerm_role_assignment.infra_ci_rg_st_queue_reader,
azurerm_role_assignment.infra_ci_rg_st_table_reader,
azurerm_role_assignment.infra_ci_rg_ext_pagopa_dns_reader,
azurerm_key_vault_access_policy.infra_ci_kv_common,
azurerm_role_assignment.infra_cd_subscription_reader,
azurerm_role_assignment.infra_cd_subscription_rbac_admin,
Expand All @@ -370,7 +365,6 @@ run "validate_github_id_infra" {
azurerm_role_assignment.infra_ci_rg_st_queue_contributor,
azurerm_role_assignment.infra_ci_rg_st_table_contributor,
azurerm_role_assignment.infra_cd_rg_ext_network_dns_zone_contributor,
azurerm_role_assignment.infra_cd_rg_ext_network_contributor,
azurerm_role_assignment.infra_cd_rg_private_dns_zone_contributor,
azurerm_role_assignment.infra_cd_rg_network_contributor,
azurerm_role_assignment.infra_cd_rg_nat_gw_network_contributor,
Expand Down Expand Up @@ -420,10 +414,9 @@ run "validate_github_id_infra" {
}

pep_vnet_id = run.setup_tests.pep_vnet_id
dns_zone_resource_group_id = run.setup_tests.dns_zone_resource_group_id
private_dns_zone_resource_group_id = run.setup_tests.private_dns_zone_resource_group_id
opex_resource_group_id = run.setup_tests.opex_resource_group_id
nat_gateway_resource_group_id = run.setup_tests.dns_zone_resource_group_id
nat_gateway_resource_group_id = run.setup_tests.nat_gateway_resource_group_id

tags = run.setup_tests.tags
}
Expand Down Expand Up @@ -503,11 +496,6 @@ run "validate_github_id_infra" {
error_message = "The Infra CI managed identity can't read Storage Account tables at resource group scope"
}

assert {
condition = azurerm_role_assignment.infra_ci_rg_ext_pagopa_dns_reader != null
error_message = "The Infra CI managed identity can't read external DNS configuration at resource group scope"
}

assert {
condition = length(azurerm_key_vault_access_policy.infra_ci_kv_common) == 0
error_message = "The Infra CI managed identity is not allowed to read from common Key Vault"
Expand Down Expand Up @@ -583,11 +571,6 @@ run "validate_github_id_infra" {
error_message = "The Infra CD managed identity can't write Storage Account tables at resource group scope"
}

assert {
condition = azurerm_role_assignment.infra_cd_rg_ext_network_contributor != null
error_message = "The Infra CD managed identity can't edit DNS zone at resource group scope"
}

assert {
condition = azurerm_role_assignment.infra_cd_rg_private_dns_zone_contributor != null
error_message = "The Infra CD managed identity can't associate Private DNS zone and private endpoints at resource group scope"
Expand All @@ -604,6 +587,76 @@ run "validate_github_id_infra" {
}
}

run "validate_github_id_infra_duplicate_nat_role_assignment" {
command = plan

plan_options {
target = [
azurerm_role_assignment.infra_cd_rg_nat_gw_network_contributor,
azurerm_role_assignment.infra_cd_rg_network_contributor,
]
}

variables {
environment = {
prefix = run.setup_tests.environment.prefix
env_short = run.setup_tests.environment.env_short
location = run.setup_tests.environment.location
domain = run.setup_tests.environment.domain
app_name = run.setup_tests.environment.app_name
instance_number = run.setup_tests.environment.instance_number
}

subscription_id = run.setup_tests.subscription_id
tenant_id = run.setup_tests.tenant_id

entraid_groups = {
admins_object_id = run.setup_tests.entraid_groups.admins_object_id
devs_object_id = run.setup_tests.entraid_groups.devs_object_id
externals_object_id = run.setup_tests.entraid_groups.externals_object_id
}

terraform_storage_account = {
name = run.setup_tests.terraform_storage_account.name
resource_group_name = run.setup_tests.terraform_storage_account.resource_group_name
}

repository = {
name = run.setup_tests.repository.name
description = run.setup_tests.repository.description
topics = run.setup_tests.repository.topics
reviewers_teams = run.setup_tests.repository.reviewers_teams
app_cd_policy_tags = run.setup_tests.repository.app_cd_policy_tags
}

github_private_runner = {
container_app_environment_id = run.setup_tests.github_private_runner.container_app_environment_id
container_app_environment_location = run.setup_tests.github_private_runner.container_app_environment_location
key_vault = {
name = run.setup_tests.github_private_runner.key_vault.name
resource_group_name = run.setup_tests.github_private_runner.key_vault.resource_group_name
}
}

pep_vnet_id = run.setup_tests.pep_vnet_id
private_dns_zone_resource_group_id = run.setup_tests.private_dns_zone_resource_group_id
opex_resource_group_id = run.setup_tests.opex_resource_group_id
nat_gateway_resource_group_id = run.setup_tests.private_dns_zone_resource_group_id

tags = run.setup_tests.tags
}

assert {
condition = azurerm_role_assignment.infra_cd_rg_nat_gw_network_contributor == []
error_message = "The Infra CD has a duplicate role on the same resource group"
}

assert {
condition = azurerm_role_assignment.infra_cd_rg_network_contributor != null
error_message = "The Infra CD has a duplicate role on the same resource group"
}
}

run "validate_rbac_entraid" {
command = plan

Expand Down Expand Up @@ -659,10 +712,9 @@ run "validate_rbac_entraid" {
}
}

pep_vnet_id = run.setup_tests.pep_vnet_id
dns_zone_resource_group_id = run.setup_tests.dns_zone_resource_group_id
opex_resource_group_id = run.setup_tests.opex_resource_group_id
nat_gateway_resource_group_id = run.setup_tests.dns_zone_resource_group_id
pep_vnet_id = run.setup_tests.pep_vnet_id
private_dns_zone_resource_group_id = run.setup_tests.private_dns_zone_resource_group_id
opex_resource_group_id = run.setup_tests.opex_resource_group_id

tags = run.setup_tests.tags
}
Expand Down Expand Up @@ -743,10 +795,9 @@ run "validate_github_id_opex" {
}
}

pep_vnet_id = run.setup_tests.pep_vnet_id
dns_zone_resource_group_id = run.setup_tests.dns_zone_resource_group_id
opex_resource_group_id = run.setup_tests.opex_resource_group_id
nat_gateway_resource_group_id = run.setup_tests.dns_zone_resource_group_id
pep_vnet_id = run.setup_tests.pep_vnet_id
private_dns_zone_resource_group_id = run.setup_tests.private_dns_zone_resource_group_id
opex_resource_group_id = run.setup_tests.opex_resource_group_id

tags = run.setup_tests.tags
}
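Review bot: The second `assert` in the new `validate_github_id_infra_duplicate_nat_role_assignment` run reuses the first assert's message, `The Infra CD has a duplicate role on the same resource group`, although it checks the opposite outcome — that `infra_cd_rg_network_contributor` is still created. A failure there would be reported as a duplicate when the real problem is a missing assignment; suggest `error_message = "The Infra CD managed identity lost its Network Contributor role assignment on the resource group when the NAT Gateway one was skipped"`. The new run only exercises the equal-id path of the changed `count`; the other new branch, `nat_gateway_resource_group_id` left at its null default, is not asserted in any hunk shown here, so a run that omits the variable and asserts `azurerm_role_assignment.infra_cd_rg_nat_gw_network_contributor == []` would pin it. The `validate_github_id_infra` and `validate_rbac_entraid` run blocks start and end outside their hunks.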
Expand Up @@ -24,7 +24,7 @@ No modules.
| [azurerm_container_app_environment.runner](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/container_app_environment) | data source |
| [azurerm_resource_group.common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
| [azurerm_resource_group.dashboards](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
| [azurerm_resource_group.external](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
| [azurerm_resource_group.vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
| [azurerm_virtual_network.common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |

Expand All @@ -36,10 +36,10 @@ No inputs.

| Name | Description |
|------|-------------|
| <a name="output_dns_zone_resource_group_id"></a> [dns\_zone\_resource\_group\_id](#output\_dns\_zone\_resource\_group\_id) | n/a |
| <a name="output_entraid_groups"></a> [entraid\_groups](#output\_entraid\_groups) | n/a |
| <a name="output_environment"></a> [environment](#output\_environment) | n/a |
| <a name="output_github_private_runner"></a> [github\_private\_runner](#output\_github\_private\_runner) | n/a |
| <a name="output_nat_gateway_resource_group_id"></a> [nat\_gateway\_resource\_group\_id](#output\_nat\_gateway\_resource\_group\_id) | n/a |
| <a name="output_opex_resource_group_id"></a> [opex\_resource\_group\_id](#output\_opex\_resource\_group\_id) | n/a |
| <a name="output_pep_vnet_id"></a> [pep\_vnet\_id](#output\_pep\_vnet\_id) | n/a |
| <a name="output_private_dns_zone_resource_group_id"></a> [private\_dns\_zone\_resource\_group\_id](#output\_private\_dns\_zone\_resource\_group\_id) | n/a |
Expand Up @@ -35,10 +35,6 @@ locals {
resource_group_name = "${local.project}-network-rg-01"
}

dns = {
resource_group_name = "${local.project}-network-rg-01"
}

tf_storage_account = {
name = "tfdevdx"
resource_group_name = "terraform-state-rg"
Expand Up @@ -31,12 +31,12 @@ data "azurerm_virtual_network" "common" {
resource_group_name = local.vnet.resource_group_name
}

data "azurerm_resource_group" "dashboards" {
name = "dashboards"
data "azurerm_resource_group" "vnet" {
name = local.vnet.resource_group_name
}

data "azurerm_resource_group" "external" {
name = local.dns.resource_group_name
data "azurerm_resource_group" "dashboards" {
name = "dashboards"
}

data "azurerm_resource_group" "common" {
Expand Down Expand Up @@ -114,14 +114,14 @@ output "pep_vnet_id" {
value = data.azurerm_virtual_network.common.id
}

output "dns_zone_resource_group_id" {
value = data.azurerm_resource_group.external.id
}

output "private_dns_zone_resource_group_id" {
value = data.azurerm_resource_group.common.id
}

output "nat_gateway_resource_group_id" {
value = data.azurerm_resource_group.vnet.id
}

output "opex_resource_group_id" {
value = data.azurerm_resource_group.dashboards.id
}
8 changes: 2 additions & 6 deletions infra/modules/azure_github_environment_bootstrap/variables.tf
Expand Up @@ -45,19 +45,15 @@ variable "apim_id" {
default = null
}

variable "dns_zone_resource_group_id" {
type = string
description = "Id of the resource group holding public DNS zones"
}

variable "private_dns_zone_resource_group_id" {
type = string
description = "Id of the resource group holding private DNS zones"
}

variable "nat_gateway_resource_group_id" {
type = string
description = "Id of the resource group hosting NAT Gateways"
default = null
description = "(Optional) Id of the resource group hosting NAT Gateways"
}

variable "opex_resource_group_id" {
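Review bot: `nat_gateway_resource_group_id` becomes optional here but, like `private_dns_zone_resource_group_id` just above it, it has no `validation` block, and the role-assignment hunk in the second file section uses it directly as the `scope` of a Network Contributor assignment. Any ARM ID is an acceptable scope, so a subscription or management-group ID passed by mistake would grant the CD identity Network Contributor far beyond one resource group; a shape check that still accepts the null default catches that at plan time rather than after apply. The same check would suit the other `*_resource_group_id` inputs. The `apim_id` variable block starts before the hunk.
```hcl
variable "nat_gateway_resource_group_id" {
  type        = string
  default     = null
  description = "(Optional) Id of the resource group hosting NAT Gateways"

  validation {
    condition     = var.nat_gateway_resource_group_id == null || can(regex("(?i)^/subscriptions/[^/]+/resourcegroups/[^/]+$", var.nat_gateway_resource_group_id))
    error_message = "nat_gateway_resource_group_id must be a resource group ID (/subscriptions/<subscription-id>/resourceGroups/<name>) or null."
  }
}
```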
