Merge branch 'custom-gcr-project' of github.com:mmontan/terraform-google-kubernetes-engine into custom-gcr-project

mmontan · mmontan · commit f1be84b3763b · 2019-10-04T13:20:16.000-07:00
diff --git a/examples/workload_metadata_config/main.tf b/examples/workload_metadata_config/main.tf
@@ -40,8 +40,9 @@ module "gke" {
   subnetwork              = var.subnetwork
   ip_range_pods           = var.ip_range_pods
   ip_range_services       = var.ip_range_services
-  create_service_account  = false
-  service_account         = var.compute_engine_service_account
+  create_service_account  = true
+  grant_registry_access   = true
+  registry_project_id     = var.registry_project_id
   enable_private_endpoint = true
   enable_private_nodes    = true
   master_ipv4_cidr_block  = "172.16.0.0/28"
diff --git a/examples/workload_metadata_config/variables.tf b/examples/workload_metadata_config/variables.tf
@@ -48,7 +48,6 @@ variable "ip_range_services" {
   description = "The secondary ip range to use for pods"
 }
 
-variable "compute_engine_service_account" {
-  description = "Service account to associate to the nodes in the cluster"
+variable "registry_project_id" {
+  description = "Project name for the GCR registry"
 }
-
diff --git a/test/fixtures/workload_metadata_config/example.tf b/test/fixtures/workload_metadata_config/example.tf
@@ -25,5 +25,5 @@ module "example" {
   subnetwork                     = google_compute_subnetwork.main.name
   ip_range_pods                  = google_compute_subnetwork.main.secondary_ip_range[0].range_name
   ip_range_services              = google_compute_subnetwork.main.secondary_ip_range[1].range_name
-  compute_engine_service_account = var.compute_engine_service_account
+  registry_project_id = var.registry_project_id
 }
diff --git a/test/integration/workload_metadata_config/controls/gcloud.rb b/test/integration/workload_metadata_config/controls/gcloud.rb
@@ -13,8 +13,10 @@
 # limitations under the License.
 
 project_id = attribute('project_id')
+registry_project_id = attribute('registry_project_id')
 location = attribute('location')
 cluster_name = attribute('cluster_name')
+service_account = attribute('service_account')
 
 control "gcloud" do
   title "Google Compute Engine GKE configuration"
@@ -55,4 +57,20 @@
       end
     end
   end
+
+  describe command("gcloud projects get-iam-policy #{registry_project_id} --format=json") do
+    its(:exit_status) { should eq 0 }
+    its(:stderr) { should eq '' }
+
+    let!(:iam) do
+      if subject.exit_status == 0
+        JSON.parse(subject.stdout)
+      else
+        {}
+      end
+    end
+    it "has expected registry roles" do
+      expect(iam['bindings']).to include("members" => ["serviceAccount:#{service_account}"], "role" => "roles/storage.objectViewer")
+    end
+  end
 end
diff --git a/test/integration/workload_metadata_config/inspec.yml b/test/integration/workload_metadata_config/inspec.yml
@@ -9,3 +9,9 @@ attributes:
   - name: project_id
     required: true
     type: string
+  - name: service_account
+    required: true
+    type: string
+  - name: registry_project_id
+    required: false
+    type: string

Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,6 @@ variable "ip_range_services" {`
`48`	`48`	`description = "The secondary ip range to use for pods"`
`49`	`49`	`}`
`50`	`50`
`51`		`-variable "compute_engine_service_account" {`
`52`		`- description = "Service account to associate to the nodes in the cluster"`
	`51`	`+variable "registry_project_id" {`
	`52`	`+ description = "Project name for the GCR registry"`
`53`	`53`	`}`
`54`		`-`
Original file line number	Diff line number	Diff line change
`@@ -25,5 +25,5 @@ module "example" {`
`25`	`25`	`subnetwork = google_compute_subnetwork.main.name`
`26`	`26`	`ip_range_pods = google_compute_subnetwork.main.secondary_ip_range[0].range_name`
`27`	`27`	`ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name`
`28`		`- compute_engine_service_account = var.compute_engine_service_account`
	`28`	`+ registry_project_id = var.registry_project_id`
`29`	`29`	`}`