updates to tests to ensure auth policy clashes don't occur (#327)

Author: ocofaigh

.catalog-onboard-pipeline.yaml

@@ -9,13 +9,17 @@ offerings:
       - name: security-enforced
         mark_ready: true
         install_type: fullstack
+        pre_validation: "tests/scripts/pre-validate.sh solutions/security-enforced"
+        post_validation: "tests/scripts/post-validate.sh"
         scc:
           instance_id: 1c7d5f78-9262-44c3-b779-b28fe4d88c37
           region: us-south
           scope_resource_group_var_name: existing_resource_group_name
       - name: fully-configurable
         mark_ready: true
         install_type: fullstack
+        pre_validation: "tests/scripts/pre-validate.sh solutions/fully-configurable"
+        post_validation: "tests/scripts/post-validate.sh"
         scc:
           instance_id: 1c7d5f78-9262-44c3-b779-b28fe4d88c37
           region: us-south

solutions/fully-configurable/catalogValidationValues.json.template

@@ -1,6 +1,5 @@
 {
   "ibmcloud_api_key": $VALIDATION_APIKEY,
-  "existing_resource_group_name": "geretain-test-secrets-manager",
   "prefix": $PREFIX,
   "service_plan": "trial",
   "kms_encryption_enabled": true,

solutions/security-enforced/catalogValidationValues.json.template

@@ -1,6 +1,5 @@
 {
   "ibmcloud_api_key": $VALIDATION_APIKEY,
-  "existing_resource_group_name": "geretain-test-secrets-manager",
   "prefix": $PREFIX,
   "service_plan": "trial",
   "existing_kms_instance_crn": $HPCS_US_SOUTH_CRN,

tests/new-rg/README.md

@@ -0,0 +1 @@
+The terraform code in this directory is used for by catalog pipeline

tests/new-rg/main.tf

@@ -0,0 +1,11 @@
+##############################################################################
+# Resource Group
+##############################################################################
+
+module "resource_group" {
+  source  = "terraform-ibm-modules/resource-group/ibm"
+  version = "1.2.0"
+  # if an existing resource group is not set (null) create a new one using prefix
+  resource_group_name          = var.resource_group == null ? "${var.prefix}-resource-group" : null
+  existing_resource_group_name = var.resource_group
+}

tests/new-rg/outputs.tf

@@ -0,0 +1,13 @@
+##############################################################################
+# Outputs
+##############################################################################
+
+output "resource_group_id" {
+  value       = module.resource_group.resource_group_id
+  description = "Resource group ID."
+}
+
+output "resource_group_name" {
+  value       = module.resource_group.resource_group_name
+  description = "Resource group name."
+}

tests/new-rg/provider.tf

@@ -0,0 +1,3 @@
+provider "ibm" {
+  ibmcloud_api_key = var.ibmcloud_api_key
+}

tests/new-rg/variables.tf

@@ -0,0 +1,17 @@
+variable "ibmcloud_api_key" {
+  type        = string
+  description = "The IBM Cloud API Key."
+  sensitive   = true
+}
+
+variable "prefix" {
+  type        = string
+  description = "Prefix to append to all resources created by this example."
+  default     = "sm"
+}
+
+variable "resource_group" {
+  type        = string
+  description = "The name of an existing resource group to provision resources in. If not specified, a new resource group is created with the `prefix` variable."
+  default     = null
+}

tests/new-rg/version.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.9.0"
+  required_providers {
+    ibm = {
+      source  = "ibm-cloud/ibm"
+      version = ">= 1.76.1"
+    }
+  }
+}

tests/pr_test.go

@@ -176,7 +176,7 @@ func TestRunExistingResourcesInstancesFullyConfigurable(t *testing.T) {
 			{Name: "region", Value: region, DataType: "string"},
 			{Name: "existing_resource_group_name", Value: terraform.Output(t, existingTerraformOptions, "resource_group_name"), DataType: "string"},
 			{Name: "existing_event_notification_instance_crn", Value: terraform.Output(t, existingTerraformOptions, "event_notification_instance_crn"), DataType: "string"},
-			{Name: "existing_secrets_manager_kms_key_crn", Value: permanentResources["hpcs_south_root_key_crn"], DataType: "string"},
+			{Name: "existing_secrets_manager_kms_key_crn", Value: terraform.Output(t, existingTerraformOptions, "secrets_manager_kms_key_crn"), DataType: "string"},
 			{Name: "kms_encryption_enabled", Value: true, DataType: "bool"},
 			{Name: "service_plan", Value: "trial", DataType: "string"},
 			{Name: "secret_groups", Value: _secret_group_config(options.Prefix), DataType: "list(object)"},
@@ -282,7 +282,6 @@ func TestRunSecurityEnforcedSchematics(t *testing.T) {
 	// ------------------------------------------------------------------------------------
 	// Provision new RG
 	// ------------------------------------------------------------------------------------
-	region := validRegions[rand.Intn(len(validRegions))]
 	prefix := fmt.Sprintf("sm-se-%s", strings.ToLower(random.UniqueId()))
 	realTerraformDir := ".."
 	tempTerraformDir, _ := files.CopyTerraformFolderToTemp(realTerraformDir, fmt.Sprintf(prefix+"-%s", strings.ToLower(random.UniqueId())))
@@ -294,10 +293,9 @@ func TestRunSecurityEnforcedSchematics(t *testing.T) {
 	require.NotEqual(t, "", val, checkVariable+" environment variable is empty")
 	logger.Log(t, "Tempdir: ", tempTerraformDir)
 	existingTerraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
-		TerraformDir: tempTerraformDir + "/tests/new-resources",
+		TerraformDir: tempTerraformDir + "/tests/new-rg",
 		Vars: map[string]interface{}{
 			"prefix": prefix,
-			"region": region,
 		},
 		// Set Upgrade to true to ensure latest version of providers and modules are used by terratest.
 		// This is the same as setting the -upgrade=true flag with terraform.
@@ -361,7 +359,6 @@ func TestRunSecretsManagerSecurityEnforcedUpgradeSchematic(t *testing.T) {
 	// ------------------------------------------------------------------------------------
 	// Provision new RG
 	// ------------------------------------------------------------------------------------
-	region := validRegions[rand.Intn(len(validRegions))]
 	prefix := fmt.Sprintf("sm-se-ug-%s", strings.ToLower(random.UniqueId()))
 	realTerraformDir := ".."
 	tempTerraformDir, _ := files.CopyTerraformFolderToTemp(realTerraformDir, fmt.Sprintf(prefix+"-%s", strings.ToLower(random.UniqueId())))
@@ -373,10 +370,9 @@ func TestRunSecretsManagerSecurityEnforcedUpgradeSchematic(t *testing.T) {
 	require.NotEqual(t, "", val, checkVariable+" environment variable is empty")
 	logger.Log(t, "Tempdir: ", tempTerraformDir)
 	existingTerraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
-		TerraformDir: tempTerraformDir + "/tests/new-resources",
+		TerraformDir: tempTerraformDir + "/tests/new-rg",
 		Vars: map[string]interface{}{
 			"prefix": prefix,
-			"region": region,
 		},
 		// Set Upgrade to true to ensure latest version of providers and modules are used by terratest.
 		// This is the same as setting the -upgrade=true flag with terraform.

tests/scripts/post-validate.sh

@@ -0,0 +1,19 @@
+#! /bin/bash
+
+########################################################################################################################
+## This script is used by the catalog pipeline to destroy prerequisite resource required for catalog validation       ##
+########################################################################################################################
+
+set -e
+
+TERRAFORM_SOURCE_DIR="tests/new-rg"
+TF_VARS_FILE="terraform.tfvars"
+
+(
+  cd ${TERRAFORM_SOURCE_DIR}
+  echo "Destroying resource group .."
+  terraform destroy -input=false -auto-approve -var-file=${TF_VARS_FILE} || exit 1
+  rm -f "${TF_VARS_FILE}"
+
+  echo "Post-validation completed successfully"
+)

tests/scripts/pre-validate.sh

@@ -0,0 +1,38 @@
+#! /bin/bash
+
+############################################################################################################
+## This script is used by the catalog pipeline to provision a new resource group
+## (required to ensure auth policies don't clash in account)
+############################################################################################################
+
+set -e
+
+DA_DIR="${1}"
+TERRAFORM_SOURCE_DIR="tests/new-rg"
+JSON_FILE="${DA_DIR}/catalogValidationValues.json"
+TF_VARS_FILE="terraform.tfvars"
+
+(
+  cwd=$(pwd)
+  cd ${TERRAFORM_SOURCE_DIR}
+  echo "Provisioning new resource group .."
+  terraform init || exit 1
+  # $VALIDATION_APIKEY is available in the catalog runtime
+  {
+    echo "ibmcloud_api_key=\"${VALIDATION_APIKEY}\""
+    echo "prefix=\"ocp-$(openssl rand -hex 2)\""
+  } >> ${TF_VARS_FILE}
+  terraform apply -input=false -auto-approve -var-file=${TF_VARS_FILE} || exit 1
+
+  rg_var_name="existing_resource_group_name"
+  rg_value=$(terraform output -state=terraform.tfstate -raw resource_group_name)
+
+  echo "Appending '${rg_var_name}', input variable value to ${JSON_FILE}.."
+
+  cd "${cwd}"
+  jq -r --arg rg_var_name "${rg_var_name}" \
+        --arg rg_value "${rg_value}" \
+        '. + {($rg_var_name): $rg_value}' "${JSON_FILE}" > tmpfile && mv tmpfile "${JSON_FILE}" || exit 1
+
+  echo "Pre-validation complete successfully"
+)