Updates for integration test CI pipeline

This commit includes changes necessary for enabling the integration
testing CI pipeline being defined in Concourse. The Makefile has been
updated to reference `test/ci_integration.sh` from the `make
test_integration` target which will export the correct Cloud SDK
environment variables based on environment variables coming out of the
CI pipeline (namely `$SERVICE_ACCOUNT_JSON` and `$PROJECT_ID`), handle
teardown of the environment correctly, and allow for the exit code of
the verify step to be communicated back to CI (instead of the exit code
from the destroy step). Also included is the
`test/fixtures/simulated_ci_environment` scenario which can be used to
setup a project and the same dependencies that are established by the CI
pipeline. This will allow a module consumer to be able to test locally
(or via the docker container) in the same way that CI testing is
happening remotely.

Author: glarizza

Gemfile

@@ -15,5 +15,5 @@
 ruby '2.5.3'
 
 source 'https://rubygems.org/' do
-  gem 'kitchen-terraform', '~> 4.0.3'
+  gem 'kitchen-terraform', '~> 4.3'
 end

Makefile

@@ -67,12 +67,7 @@ check_headers:
 # Integration tests
 .PHONY: test_integration
 test_integration:
-	bundle install
-	bundle exec kitchen create
-	bundle exec kitchen converge
-	bundle exec kitchen converge
-	bundle exec kitchen verify
-	bundle exec kitchen destroy
+	./test/ci_integration.sh
 
 .PHONY: generate_docs
 generate_docs:
@@ -89,6 +84,7 @@ docker_run:
 	docker run --rm -it \
 		-e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=${CREDENTIALS_PATH} \
 		-e GOOGLE_APPLICATION_CREDENTIALS=${CREDENTIALS_PATH} \
+		-e TF_VAR_project_id \
 		-v $(CURDIR):/cft/workdir \
 		${DOCKER_REPO_BASE_KITCHEN_TERRAFORM} \
 		/bin/bash
@@ -98,6 +94,7 @@ docker_create:
 	docker run --rm -it \
 		-e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=${CREDENTIALS_PATH} \
 		-e GOOGLE_APPLICATION_CREDENTIALS=${CREDENTIALS_PATH} \
+		-e TF_VAR_project_id \
 		-v $(CURDIR):/cft/workdir \
 		${DOCKER_REPO_BASE_KITCHEN_TERRAFORM} \
 		/bin/bash -c "kitchen create"
@@ -107,6 +104,7 @@ docker_converge:
 	docker run --rm -it \
 		-e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=${CREDENTIALS_PATH} \
 		-e GOOGLE_APPLICATION_CREDENTIALS=${CREDENTIALS_PATH} \
+		-e TF_VAR_project_id \
 		-v $(CURDIR):/cft/workdir \
 		${DOCKER_REPO_BASE_KITCHEN_TERRAFORM} \
 		/bin/bash -c "kitchen converge && kitchen converge"
@@ -116,6 +114,7 @@ docker_verify:
 	docker run --rm -it \
 		-e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=${CREDENTIALS_PATH} \
 		-e GOOGLE_APPLICATION_CREDENTIALS=${CREDENTIALS_PATH} \
+		-e TF_VAR_project_id \
 		-v $(CURDIR):/cft/workdir \
 		${DOCKER_REPO_BASE_KITCHEN_TERRAFORM} \
 		/bin/bash -c "kitchen verify"
@@ -125,6 +124,7 @@ docker_destroy:
 	docker run --rm -it \
 		-e CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=${CREDENTIALS_PATH} \
 		-e GOOGLE_APPLICATION_CREDENTIALS=${CREDENTIALS_PATH} \
+		-e TF_VAR_project_id \
 		-v $(CURDIR):/cft/workdir \
 		${DOCKER_REPO_BASE_KITCHEN_TERRAFORM} \
 		/bin/bash -c "kitchen destroy"

examples/multi_vpc/outputs.tf

@@ -60,11 +60,6 @@ output "network_01_routes" {
   description = "The routes associated with network-01"
 }
 
-output "network_01_route_data" {
-  value       = "${local.network_01_routes}"
-  description = "The route data for network 01 that was passed into the network module"
-}
-
 # vpc 2
 output "network_02_name" {
   value       = "${module.test-vpc-module-02.network_name}"
@@ -110,8 +105,3 @@ output "network_02_routes" {
   value       = "${module.test-vpc-module-02.routes}"
   description = "The routes associated with network-02"
 }
-
-output "network_02_route_data" {
-  value       = "${local.network_02_routes}"
-  description = "The route data for network 02 that was passed into the network module"
-}

examples/secondary_ranges/main.tf

@@ -27,7 +27,7 @@ resource "random_string" "random_suffix" {
 module "vpc-secondary-ranges" {
   source       = "../../"
   project_id   = "${var.project_id}"
-  network_name = "test-network-${local.network_name}"
+  network_name = "${local.network_name}"
 
   subnets = [
     {

examples/simple_project_with_regional_network/main.tf

@@ -27,7 +27,7 @@ resource "random_string" "random_suffix" {
 module "test-vpc-module" {
   source       = "../../"
   project_id   = "${var.project_id}"
-  network_name = "test-network-${local.network_name}"
+  network_name = "${local.network_name}"
   routing_mode = "REGIONAL"
 
   subnets = [

test/ci_integration.sh

@@ -0,0 +1,68 @@
+#! /bin/bash
+# Copyright 2018 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Entry point for CI Integration Tests.  This script is expected to be run
+# inside the same docker image specified in the CI Pipeline definition.
+
+# Always clean up.
+DELETE_AT_EXIT="$(mktemp -d)"
+
+finish() {
+  echo 'BEGIN: finish() trap handler' >&2
+  set +e
+  bundle exec kitchen destroy
+  [[ -d "${DELETE_AT_EXIT}" ]] && rm -rf "${DELETE_AT_EXIT}"
+  echo 'END: finish() trap handler' >&2
+}
+
+# Map the input parameters provided by Concourse CI, or whatever mechanism is
+# running the tests to Terraform input variables.  Also setup credentials for
+# use with kitchen-terraform, inspec, and gcloud.
+setup_environment() {
+  local tmpfile
+  tmpfile="$(mktemp)"
+  echo "${SERVICE_ACCOUNT_JSON}" > "${tmpfile}"
+
+  # Terraform and most other tools respect GOOGLE_CREDENTIALS
+  export GOOGLE_CREDENTIALS="${SERVICE_ACCOUNT_JSON}"
+  # gcloud variables
+  export CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE="${tmpfile}"
+  export CLOUDSDK_CORE_PROJECT="${PROJECT_ID}"
+  export GOOGLE_APPLICATION_CREDENTIALS="${tmpfile}"
+
+  # Terraform input variables
+  export TF_VAR_project_id="${PROJECT_ID}"
+}
+
+main() {
+  set -eu
+  # Setup trap handler to auto-cleanup
+  export TMPDIR="${DELETE_AT_EXIT}"
+  trap finish EXIT
+
+  # Setup environment
+  setup_environment
+  set -x
+  # Execute the test lifecycle
+  bundle install --path vendor
+  bundle exec kitchen create
+  bundle exec kitchen converge -c 4
+  bundle exec kitchen verify
+}
+
+# if script is being executed and not sourced.
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
+  main "$@"
+fi

test/fixtures/all_examples/test_output.tf

@@ -18,5 +18,6 @@
 // They do not need to be included in real-world uses of this module
 
 output "project_id" {
-  value = "${var.project_id}"
+  value       = "${var.project_id}"
+  description = "The ID of the project to which resources are applied."
 }

test/fixtures/multi_vpc/outputs.tf

@@ -18,33 +18,3 @@ output "project_id" {
   value       = "${var.project_id}"
   description = "The ID of the project being used"
 }
-
-output "network_01_name" {
-  value       = "${module.example.network_01_name}"
-  description = "The name of the VPC network-01"
-}
-
-output "network_01_routes" {
-  value       = "${module.example.network_01_routes}"
-  description = "The routes associated with network-01"
-}
-
-output "network_01_route_data" {
-  value       = "${module.example.network_01_route_data}"
-  description = "The route data for network 01 that was passed into the network module"
-}
-
-output "network_02_name" {
-  value       = "${module.example.network_02_name}"
-  description = "The name of the VPC network-02"
-}
-
-output "network_02_routes" {
-  value       = "${module.example.network_02_routes}"
-  description = "The routes associated with network-02"
-}
-
-output "network_02_route_data" {
-  value       = "${module.example.network_02_route_data}"
-  description = "The route data for network 02 that was passed into the network module"
-}

test/fixtures/shared/outputs.tf

@@ -19,47 +19,7 @@ output "project_id" {
   description = "The ID of the project being used"
 }
 
-output "network_self_link" {
-  value       = "${module.example.network_self_link}"
-  description = "The URI of the VPC being created"
-}
-
 output "network_name" {
   value       = "${module.example.network_name}"
-  description = "The name of the VPC network being created"
-}
-
-output "subnets_names" {
-  value       = "${module.example.subnets_names}"
-  description = "The names of the subnets being created"
-}
-
-output "subnets_ips" {
-  value       = "${module.example.subnets_ips}"
-  description = "The IP and cidrs of the subnets being created"
-}
-
-output "subnets_regions" {
-  value       = "${module.example.subnets_regions}"
-  description = "The region where subnets will be created"
-}
-
-output "subnets_private_access" {
-  value       = "${module.example.subnets_private_access}"
-  description = "Whether the subnets will have access to Google API's without a public IP"
-}
-
-output "subnets_flow_logs" {
-  value       = "${module.example.subnets_flow_logs}"
-  description = "Whether the subnets will have VPC flow logs enabled"
-}
-
-output "subnets_secondary_ranges" {
-  value       = "${module.example.subnets_secondary_ranges}"
-  description = "The secondary ranges associated with these subnets"
-}
-
-output "routes" {
-  value       = "${module.example.routes}"
-  description = "The routes associated with this VPC"
+  description = "The name of the VPC being created"
 }

test/fixtures/simulated_ci_environment/README.md

@@ -0,0 +1,62 @@
+# Integration Testing
+
+Use this directory to create resources reflecting the same resource fixtures
+created for use by the CI environment CI integration test pipelines.  The intent
+of these resources is to run the integration tests locally as closely as
+possible to how they will run in the CI system.
+
+Once created, store the service account key content into the
+`GOOGLE_CREDENTIALS` environment variable.  This reflects the same behavior as
+used in CI.
+
+For example:
+
+```bash
+terraform init
+terraform apply
+terraform output service_account_private_key > ~/.credentials/network-sa.json
+```
+
+Then, configure the environment (suggest using direnv) like so:
+
+```bash
+export GOOGLE_CREDENTIALS_PATH="${HOME}/.credentials/network-sa.json"
+export GOOGLE_CREDENTIALS="${HOME}/.credentials/network-sa.json"
+export TF_VAR_project_id="network-module"
+```
+
+With these variables set, change to the root of the module and execute the `make test_integration` task.
+This make target is the same that is executed by this module's CI pipeline during integration testing, and
+will run the integration tests from your machine.
+
+Alternatively, to run the integration tests directly from the Docker container used by the module's CI pipeline, copy
+the credentials file to the root of the module and then run the `make test_integration_docker` target:
+
+```
+# Change to the root of the module
+cd /path/to/module
+
+# Copy credentials and run test
+cp $GOOGLE_CREDENTIALS_PATH ./credentials.json
+make test_integration_docker
+```
+
+[^]: (autogen_docs_start)
+
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| billing_account | The billing account id associated with the project, e.g. XXXXXX-YYYYYY-ZZZZZZ | string | - | yes |
+| folder_id | The numeric folder id to create resources | string | - | yes |
+| organization_id | The numeric organization id | string | - | yes |
+| region | The region to deploy to | string | `us-west1` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| service_account_private_key | The SA KEY JSON content.  Store in GOOGLE_CREDENTIALS. |
+
+[^]: (autogen_docs_end)