chore(CI): migrate tests to CFT

Author: apeabody

.kitchen.yml

@@ -159,19 +159,6 @@ suites:
       systems:
         - name: stub_domains_upstream_nameservers
           backend: local
-  - name: "workload_identity"
-    transport:
-      root_module_directory: test/fixtures/workload_identity
-    verifier:
-      systems:
-        - name: gcloud
-          backend: local
-          controls:
-            - gcloud
-        - name: gcp
-          backend: gcp
-          controls:
-            - gcp
   - name: "workload_metadata_config"
     transport:
       root_module_directory: test/fixtures/workload_metadata_config
@@ -202,30 +189,13 @@ suites:
           controls:
             - gcloud
             - kubectl
-  - name: "node_pool"
-    transport:
-      root_module_directory: test/fixtures/node_pool
-    verifier:
-      systems:
-        - name: node_pool
-          backend: local
-          controls:
-            - gcloud
-            - kubectl
   - name: "sandbox_enabled"
     transport:
       root_module_directory: test/fixtures/sandbox_enabled
     verifier:
       systems:
         - name: sandbox_enabled
           backend: local
-  - name: "safer_cluster_iap_bastion"
-    transport:
-      root_module_directory: test/fixtures/safer_cluster_iap_bastion
-    verifier:
-      systems:
-        - name: safer_cluster_iap_bastion
-          backend: local
   - name: "simple_zonal_with_asm"
     transport:
       root_module_directory: test/fixtures/simple_zonal_with_asm

build/int.cloudbuild.yaml

@@ -369,17 +369,17 @@ steps:
   waitFor:
     - create-all
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge node-pool-local']
+  args: ['/bin/bash', '-c', 'cft test run TestNodePool --stage apply --verbose']
 - id: verify node-pool-local
   waitFor:
     - converge node-pool-local
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify node-pool-local']
+  args: ['/bin/bash', '-c', 'cft test run TestNodePool --stage verify --verbose']
 - id: destroy node-pool-local
   waitFor:
     - verify node-pool-local
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy node-pool-local']
+  args: ['/bin/bash', '-c', 'cft test run TestNodePool --stage destroy --verbose']
 - id: init sandbox-enabled-local
   waitFor:
     - create-all
@@ -404,32 +404,32 @@ steps:
   waitFor:
     - create-all
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge workload-identity-local']
+  args: ['/bin/bash', '-c', 'cft test run TestWorkloadIdentity --stage apply --verbose']
 - id: verify workload-identity-local
   waitFor:
     - converge workload-identity-local
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify workload-identity-local']
+  args: ['/bin/bash', '-c', 'cft test run TestWorkloadIdentity --stage verify --verbose']
 - id: destroy workload-identity-local
   waitFor:
     - verify workload-identity-local
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy workload-identity-local']
+  args: ['/bin/bash', '-c', 'cft test run TestWorkloadIdentity --stage destroy --verbose']
 - id: converge safer-cluster-iap-bastion-local
   waitFor:
     - create-all
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge safer-cluster-iap-bastion-local']
+  args: ['/bin/bash', '-c', 'cft test run TestSaferClusterIapBastion --stage apply --verbose']
 - id: verify safer-cluster-iap-bastion-local
   waitFor:
     - converge safer-cluster-iap-bastion-local
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify safer-cluster-iap-bastion-local']
+  args: ['/bin/bash', '-c', 'cft test run TestSaferClusterIapBastion --stage verify --verbose']
 - id: destroy safer-cluster-iap-bastion-local
   waitFor:
     - verify safer-cluster-iap-bastion-local
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy safer-cluster-iap-bastion-local']
+  args: ['/bin/bash', '-c', 'cft test run TestSaferClusterIapBastion --stage teardown --verbose']
 - id: init simple-zonal-with-asm-local
   waitFor:
     - create-all

examples/node_pool/main.tf

@@ -43,6 +43,7 @@ module "gke" {
   disable_legacy_metadata_endpoints = false
   cluster_autoscaling               = var.cluster_autoscaling
   deletion_protection               = false
+  service_account                   = "default"
 
   node_pools = [
     {

examples/workload_identity/main.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2018 Google LLC
+ * Copyright 2018-2024 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -24,6 +24,10 @@ provider "kubernetes" {
   host                   = "https://${module.gke.endpoint}"
   token                  = data.google_client_config.default.access_token
   cluster_ca_certificate = base64decode(module.gke.ca_certificate)
+
+  ignore_annotations = [
+    "^iam.gke.io\\/.*"
+  ]
 }
 
 module "gke" {

test/fixtures/safer_cluster_iap_bastion/example.tf

@@ -15,7 +15,7 @@
  */
 
 locals {
-  test_command = "gcloud beta compute ssh ${module.example.bastion_name} --tunnel-through-iap --verbosity=error --project ${var.project_ids[1]} --zone ${module.example.bastion_zone} --ssh-flag=\"-T\" -q -- curl -sS https://${module.example.endpoint}/version -k"
+  test_command = "gcloud beta compute ssh ${module.example.bastion_name} --tunnel-through-iap --verbosity=error --project ${var.project_ids[1]} --zone ${module.example.bastion_zone} --ssh-flag='-T' -q -- curl -sS https://${module.example.endpoint}/version -k"
 }
 
 module "example" {

test/integration/node_pool/node_pool_test.go

@@ -0,0 +1,60 @@
+// Copyright 2022-2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package node_pool
+
+import (
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud"
+	"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
+	"github.com/stretchr/testify/assert"
+	"github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/testutils"
+	gkeutils "github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/utils"
+)
+
+func TestNodePool(t *testing.T) {
+	bpt := tft.NewTFBlueprintTest(t,
+		tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 3, 2*time.Minute),
+	)
+
+	bpt.DefineVerify(func(assert *assert.Assertions) {
+		//Skipping Default Verify as the Verify Stage fails due to change in Client Cert Token
+		// bpt.DefaultVerify(assert)
+		gkeutils.TGKEVerify(t, bpt, assert) // Verify Resources
+
+		projectId := bpt.GetStringOutput("project_id")
+		location := bpt.GetStringOutput("location")
+		clusterName := bpt.GetStringOutput("cluster_name")
+
+		op := gcloud.Runf(t, "container clusters describe %s --zone %s --project %s", clusterName, location, projectId)
+		assert.Contains([]string{"RUNNING", "RECONCILING"}, op.Get("status").String(), "Cluster is Running")
+
+
+		for _, np := range op.Get("nodePools").Array() {
+			npName := np.Get("name").String()
+			switch npName {
+
+			//TODO
+
+			case "pool-03":
+				assert.JSONEq(fmt.Sprintf(`["%s-b", "%s-c"]`, location, location) , np.Get("locations").String())
+			}
+		}
+
+	})
+
+	bpt.Test()
+}

test/integration/safer_cluster_iap_bastion/controls/e2e.rb

@@ -0,0 +1,49 @@
+// Copyright 2022-2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package safer_cluster_iap_bastion
+
+import (
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud"
+	"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
+	"github.com/stretchr/testify/assert"
+	"github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/testutils"
+	gkeutils "github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/utils"
+)
+
+func TestSaferClusterIapBastion(t *testing.T) {
+	bpt := tft.NewTFBlueprintTest(t,
+		tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 3, 2*time.Minute),
+	)
+
+	bpt.DefineVerify(func(assert *assert.Assertions) {
+		//Skipping Default Verify as the Verify Stage fails due to change in Client Cert Token
+		// bpt.DefaultVerify(assert)
+		gkeutils.TGKEVerify(t, bpt, assert) // Verify Resources
+
+		test_command, _ := strings.CutPrefix(bpt.GetStringOutput("test_command"), "gcloud ")
+		cluster_version := bpt.GetStringOutput("cluster_version")
+
+		op := gcloud.Runf(t, test_command,
+			gcloud.WithCommonArgs([]string{""}),
+		)
+
+		assert.Equal(cluster_version, op.Get("gitVersion").String(), "SSH into VM and verify connectivity to GKE")
+	})
+
+	bpt.Test()
+}