fix:adds test assertion for log sink writer identity

terraform-google-modules · Aug 4, 2022 · ef43513 · ef43513
1 parent b997fa1
commit ef43513
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 2 deletions.
diff --git a/examples/logbucket/folder/README.md b/examples/logbucket/folder/README.md
@@ -18,5 +18,6 @@ This example configures a folder-level log sink that feeds a logging log bucket
 | log\_bucket\_project | The project where the log bucket is created. |
 | log\_sink\_destination\_uri | A fully qualified URI for the log sink. |
 | log\_sink\_folder\_id | The folder id where the log sink is created. |
+| log\_sink\_writer\_identity | Writer identity for the log sink that writes to the log bucket. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/examples/logbucket/folder/outputs.tf b/examples/logbucket/folder/outputs.tf
@@ -33,3 +33,8 @@ output "log_sink_destination_uri" {
   description = "A fully qualified URI for the log sink."
   value       = module.destination.destination_uri
 }
+
+output "log_sink_writer_identity" {
+  description = "Writer identity for the log sink that writes to the log bucket."
+  value       = module.log_export.writer_identity
+}
diff --git a/examples/logbucket/organization/README.md b/examples/logbucket/organization/README.md
@@ -18,5 +18,6 @@ This example configures a organization-level log sink that feeds a Cloud Log Buc
 | log\_bucket\_project | The project where the log bucket is created. |
 | log\_sink\_destination\_uri | A fully qualified URI for the log sink. |
 | log\_sink\_organization\_id | The organization id where the log sink is created. |
+| log\_sink\_writer\_identity | Writer identity for the log sink that writes to the log bucket. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/examples/logbucket/organization/outputs.tf b/examples/logbucket/organization/outputs.tf
@@ -33,3 +33,8 @@ output "log_sink_destination_uri" {
   description = "A fully qualified URI for the log sink."
   value       = module.destination.destination_uri
 }
+
+output "log_sink_writer_identity" {
+  description = "Writer identity for the log sink that writes to the log bucket."
+  value       = module.log_export.writer_identity
+}
diff --git a/test/integration/logbucket-folder/logbucket_folder_test.go b/test/integration/logbucket-folder/logbucket_folder_test.go
@@ -37,6 +37,7 @@ func TestLogBucketFolderModule(t *testing.T) {
 		logBucketName := insSimpleT.GetStringOutput("log_bucket_name")
 		logSinkFolderId := insSimpleT.GetStringOutput("log_sink_folder_id")
 		logSinkDestination := insSimpleT.GetStringOutput("log_sink_destination_uri")
+		logSinkWriterId := insSimpleT.GetStringOutput("log_sink_writer_identity")
 
 		logBucketDetails := gcloud.Runf(t, fmt.Sprintf("logging buckets describe %s --location=%s --project=%s", logBucketName, "global", projectId))
 
@@ -50,6 +51,9 @@ func TestLogBucketFolderModule(t *testing.T) {
 		assert.Equal(logSinkDestination, logSinkDetails.Get("destination").String(), "log sink destination should match")
 		assert.Equal("resource.type = gce_instance", logSinkDetails.Get("filter").String(), "log sink filter should match")
 
+		//assert writer id has the bucketWriter role
+		logSinkServiceAccount := gcloud.Runf(t, fmt.Sprintf("projects get-iam-policy %s --flatten bindings --filter bindings.role:roles/logging.bucketWriter", projectId))
+		assert.Contains(logSinkServiceAccount.Array()[0].Get("bindings.members").String(), logSinkWriterId, "log sink has expected identity")
 	})
 	insSimpleT.Test()
 }
diff --git a/test/integration/logbucket-org/logbucket_org_test.go b/test/integration/logbucket-org/logbucket_org_test.go
@@ -34,12 +34,13 @@ func TestLogBucketOrgModule(t *testing.T) {
 	insSimpleT.DefineVerify(func(assert *assert.Assertions) {
 		insSimpleT.DefaultVerify(assert)
 
-		project_id := insSimpleT.GetStringOutput("log_bucket_project")
+		projectId := insSimpleT.GetStringOutput("log_bucket_project")
 		logBucketName := insSimpleT.GetStringOutput("log_bucket_name")
 		logSinkOrgId := insSimpleT.GetStringOutput("log_sink_organization_id")
 		logSinkDestination := insSimpleT.GetStringOutput("log_sink_destination_uri")
+		logSinkWriterId := insSimpleT.GetStringOutput("log_sink_writer_identity")
 
-		logBucketDetails := gcloud.Runf(t, fmt.Sprintf("logging buckets describe %s --location=%s --project=%s", logBucketName, "global", project_id))
+		logBucketDetails := gcloud.Runf(t, fmt.Sprintf("logging buckets describe %s --location=%s --project=%s", logBucketName, "global", projectId))
 
 		// assert log bucket name, retention days & location
 		assert.Equal(logSinkDestination[len(logApiFdqm)+1:], logBucketDetails.Get("name").String(), "log bucket name should match")
@@ -51,6 +52,9 @@ func TestLogBucketOrgModule(t *testing.T) {
 		assert.Equal(logSinkDestination, logSinkDetails.Get("destination").String(), "log sink destination should match")
 		assert.Equal("resource.type = gce_instance", logSinkDetails.Get("filter").String(), "log sink filter should match")
 
+		//assert writer id has the bucketWriter role
+		logSinkServiceAccount := gcloud.Runf(t, "projects get-iam-policy %s --flatten bindings --filter bindings.role:roles/logging.bucketWriter", projectId)
+		assert.Contains(logSinkServiceAccount.Array()[0].Get("bindings.members").String(), logSinkWriterId, "log sink SA has expected role")
 	})
 	insSimpleT.Test()
 }