From 6890e8d04bd66b88e1fb4b70dc3ee15d137276b7 Mon Sep 17 00:00:00 2001 From: ocofaigh Date: Thu, 18 Sep 2025 20:57:48 +0100 Subject: [PATCH 1/7] fix(deps): update DA dependencies + example / tests cleanup --- README.md | 2 +- common-dev-assets | 2 +- examples/advanced/README.md | 14 + examples/{complete => advanced}/main.tf | 79 ++--- examples/{complete => advanced}/outputs.tf | 0 examples/{complete => advanced}/provider.tf | 0 examples/{complete => advanced}/variables.tf | 0 examples/{complete => advanced}/version.tf | 0 examples/complete/README.md | 56 ---- examples/fscloud/README.md | 13 +- examples/fscloud/main.tf | 42 +-- ibm_catalog.json | 12 +- tests/other_test.go | 35 ++- tests/pr_test.go | 289 +++---------------- 14 files changed, 159 insertions(+), 385 deletions(-) create mode 100644 examples/advanced/README.md rename examples/{complete => advanced}/main.tf (84%) rename examples/{complete => advanced}/outputs.tf (100%) rename examples/{complete => advanced}/provider.tf (100%) rename examples/{complete => advanced}/variables.tf (100%) rename examples/{complete => advanced}/version.tf (100%) delete mode 100644 examples/complete/README.md diff --git a/README.md b/README.md index 1cd4be7b..79146fd0 100644 --- a/README.md +++ b/README.md @@ -19,8 +19,8 @@ This module is used to provision and configure an IBM Cloud [Secrets Manager](ht * [fscloud](./modules/fscloud) * [secrets](./modules/secrets) * [Examples](./examples) + * [Advanced example](./examples/advanced) * [Basic example](./examples/basic) - * [Complete example with BYOK encryption](./examples/complete) * [Financial Services Cloud profile example with KYOK encryption](./examples/fscloud) * [Contributing](#contributing) diff --git a/common-dev-assets b/common-dev-assets index 47c0edbc..325cfd0d 160000 --- a/common-dev-assets +++ b/common-dev-assets @@ -1 +1 @@ -Subproject commit 47c0edbc6d669874511116e4cb645097d10561b9 +Subproject commit 325cfd0d91902e08079644092bbf298c4872f388 
diff --git a/examples/advanced/README.md b/examples/advanced/README.md new file mode 100644 index 00000000..8f6bc0c6 --- /dev/null +++ b/examples/advanced/README.md @@ -0,0 +1,14 @@ +# Advanced example + +An example that configures: + +- A new resource group if one is not passed in. +- A new Key Protect instance and root key +- A new Event Notifications instance +- An s2s auth policy to allow Secrets Manager to manage Event Notifications service credentials +- A new Secretes Manager instance +- A new secret group with a new Event Notifications service credential secret and an arbitrary secret +- A new arbitrary secret in the default secret group +- A sample code engine project that builds a code engine job and outputs User IBM Cloud IAM API Keys +- A custom credential engine using the code engine project +- A custom credential secret diff --git a/examples/complete/main.tf b/examples/advanced/main.tf similarity index 84% rename from examples/complete/main.tf rename to examples/advanced/main.tf index 9170d017..e82d5328 100644 --- a/examples/complete/main.tf +++ b/examples/advanced/main.tf @@ -1,3 +1,7 @@ +############################################################################## +# Resource group +############################################################################## + module "resource_group" { source = "terraform-ibm-modules/resource-group/ibm" version = "1.3.0" @@ -6,6 +10,10 @@ module "resource_group" { existing_resource_group_name = var.resource_group } +############################################################################## +# Key Protect instance and root key +############################################################################## + module "key_protect" { source = "terraform-ibm-modules/kms-all-inclusive/ibm" version = "5.1.25" 
@@ -25,7 +33,11 @@ module "key_protect" { ] } -module "event_notification" { +############################################################################## +# Event Notifications +############################################################################## + +module "event_notifications" { source = "terraform-ibm-modules/event-notifications/ibm" version = "2.7.0" resource_group_id = module.resource_group.resource_group_id @@ -35,14 +47,13 @@ module "event_notification" { region = var.en_region } +# s2s auth policy required for Secrets Manager to manage Event Notifications service credentials resource "ibm_iam_authorization_policy" "en_policy" { source_service_name = "secrets-manager" roles = ["Key Manager"] target_service_name = "event-notifications" - target_resource_instance_id = module.event_notification.guid - description = "Allow the Secret manager Key Manager role access to event-notifications with guid ${module.event_notification.guid}." - # Scope of policy now includes the key, so ensure to create new policy before - # destroying old one to prevent any disruption to every day services. + target_resource_instance_id = module.event_notifications.guid + description = "Grant Secret Manager a 'Key Manager' role to the Event Notifications instance ${module.event_notifications.guid} for managing service credentials." lifecycle { create_before_destroy = true } @@ -53,6 +64,10 @@ resource "time_sleep" "wait_for_en_policy" { create_duration = "30s" } +############################################################################## +# Secrets Manager +############################################################################## + module "secrets_manager" { depends_on = [time_sleep.wait_for_en_policy] source = "../.." 
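Review bot: The `lifecycle { create_before_destroy = true }` block on `ibm_iam_authorization_policy.en_policy` loses its rationale in the second hunk: the removed two-line comment explained why the replacement policy must exist before the old one is destroyed, and the rewritten `description` string carries none of that. Keep a short why-comment directly above the block, e.g. `# Create the replacement policy before destroying the old one so Secrets Manager never loses access to the EN instance mid-apply.` The resource block ends outside the hunk.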
@@ -65,30 +80,29 @@ module "secrets_manager" { is_hpcs_key = false kms_key_crn = module.key_protect.keys["${var.prefix}-sm.${var.prefix}-sm-key"].crn enable_event_notification = true - existing_en_instance_crn = module.event_notification.crn + existing_en_instance_crn = module.event_notifications.crn secrets = [ + # Example creating new secrets group with secrets in it { secret_group_name = "${var.prefix}-secret-group" - secrets = [{ - secret_name = "${var.prefix}-kp-key-crn" - secret_type = "arbitrary" - secret_payload_password = module.key_protect.keys["${var.prefix}-sm.${var.prefix}-sm-key"].crn - }, + secrets = [ + # Example creating Event Notifications service credential secret { - # Arbitrary service credential for source service event notifications, with role Event-Notification-Publisher secret_name = "${var.prefix}-service-credential" secret_type = "service_credentials" #checkov:skip=CKV_SECRET_6 - secret_description = "Created by secrets-manager-module complete example" - service_credentials_source_service_crn = module.event_notification.crn + secret_description = "Created by secrets-manager-module advanced example" + service_credentials_source_service_crn = module.event_notifications.crn service_credentials_source_service_role_crn = "crn:v1:bluemix:public:event-notifications::::serviceRole:Event-Notification-Publisher" }, + # Example creating arbitrary secret { - secret_name = "${var.prefix}-custom-service-credential" + secret_name = "${var.prefix}-arbitrary-example" secret_type = "arbitrary" secret_payload_password = var.ibmcloud_api_key } ] }, + # Example creating secret in existing secret group { secret_group_name = "default" existing_secret_group = true 
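Review bot: The secret renamed to `${var.prefix}-arbitrary-example` still uses `secret_payload_password = var.ibmcloud_api_key`, so the API key that runs the example is copied into the Secrets Manager instance and into Terraform state as a plain arbitrary secret. Now that this entry is presented as the generic arbitrary-secret example (the earlier key-CRN payload was removed in the same hunk), a non-sensitive placeholder is the better demonstration, e.g. `secret_payload_password = "example-arbitrary-payload"` (constructed value). The `secrets` list and the `module "secrets_manager"` block continue outside the hunk.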
@@ -103,8 +117,11 @@ module "secrets_manager" { } ############################################################################## -# Code Engine Project +# Code Engine configuration +# (required to use create a custom credential) ############################################################################## + +# Create new code engine project module "code_engine_project" { source = "terraform-ibm-modules/code-engine/ibm//modules/project" version = "4.5.13" @@ -112,9 +129,7 @@ module "code_engine_project" { resource_group_id = module.resource_group.resource_group_id } -############################################################################## -# Code Engine Secret -############################################################################## +# Create new code engine secret locals { registry_hostname = "private.de.icr.io" output_image = "${local.registry_hostname}/${resource.ibm_cr_namespace.rg_namespace.name}/custom-engine-job" @@ -133,19 +148,13 @@ module "code_engine_secret" { } } -############################################################################## -# Container Registry Namespace -############################################################################## +# Create new Container Registry namespace resource "ibm_cr_namespace" "rg_namespace" { name = "${var.prefix}-crn" resource_group_id = module.resource_group.resource_group_id } -############################################################################## -# Code Engine Build -############################################################################## - -# For example the region is hardcoded to us-south in order to hardcode the output image and region for creating Code Engine Project and build +# Build example Go application in Code Engine project which dynamically generates User IBM Cloud IAM API Keys module "code_engine_build" { source = "terraform-ibm-modules/code-engine/ibm//modules/build" version = "4.5.13" 
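Review bot: The new section header in the first hunk reads `# (required to use create a custom credential)`, which is garbled; `# (required to create a custom credential secret)` says what the later `module "secret_manager_custom_credential"` block needs. The `locals` and module blocks in the second and third hunks start or end outside the hunk.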
@@ -161,10 +170,7 @@ module "code_engine_build" { output_image = local.output_image } -############################################################################## -# Code Engine Job -############################################################################## - +# Pull the sample job config from github data "http" "job_config" { url = "https://raw.githubusercontent.com/IBM/secrets-manager-custom-credentials-providers/refs/heads/main/ibmcloud-iam-user-apikey-provider-go/job_config.json" request_headers = { @@ -176,6 +182,7 @@ locals { job_env_variables = jsondecode(data.http.job_config.response_body).job_env_variables } +# Run the Code Engine job module "code_engine_job" { depends_on = [module.code_engine_build] source = "terraform-ibm-modules/code-engine/ibm//modules/job" @@ -194,7 +201,7 @@ module "code_engine_job" { } ############################################################################## -# Custom Credential Engine and secret +# Create Custom Credential engine ############################################################################## module "custom_credential_engine" { 
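Review bot: The added `# Pull the sample job config from github` comment documents the fetch but not that the URL tracks `refs/heads/main`, so the `job_env_variables` decoded from the response in `locals` and handed to `module "code_engine_job"` can change without any change to this example. Pinning the URL to a tag or commit of the upstream repository (placeholder: `refs/tags/<pinned-version>`) and stating that in the comment keeps the example reproducible; a `postcondition` on `self.status_code` in the data source would also stop a non-200 body from reaching `jsondecode`. The `data "http" "job_config"` block continues outside the hunk.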
@@ -213,8 +220,12 @@ module "custom_credential_engine" { iam_credential_secret_name = "${var.prefix}-test-iam-secret" } -# Currently the main module cannot be called again as some of the count for resources depends on a computable input existing_en_instance_crn which will give error if the value is not available during planning -# As a workaround the secret manager secret is directly being created via module call +############################################################################## +# Create Custom Credential secret +# (using secrets-manager-secret to create the custom credential secret as it +# can only be done after the Custom Credential engine is configured) +############################################################################## + module "secret_manager_custom_credential" { depends_on = [module.secrets_manager, module.custom_credential_engine] source = "terraform-ibm-modules/secrets-manager-secret/ibm" diff --git a/examples/complete/outputs.tf b/examples/advanced/outputs.tf similarity index 100% rename from examples/complete/outputs.tf rename to examples/advanced/outputs.tf diff --git a/examples/complete/provider.tf b/examples/advanced/provider.tf similarity index 100% rename from examples/complete/provider.tf rename to examples/advanced/provider.tf diff --git a/examples/complete/variables.tf b/examples/advanced/variables.tf similarity index 100% rename from examples/complete/variables.tf rename to examples/advanced/variables.tf diff --git a/examples/complete/version.tf b/examples/advanced/version.tf similarity index 100% rename from examples/complete/version.tf rename to examples/advanced/version.tf diff --git a/examples/complete/README.md b/examples/complete/README.md deleted file mode 100644 index cc6e3602..00000000 --- a/examples/complete/README.md +++ /dev/null 
@@ -1,56 +0,0 @@ -# Complete example with BYOK encryption - -This examples handles the provisioning of a new Secrets Manager instance. - - -### Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= v1.9.0 | -| [http](#requirement\_http) | 3.2.1 | -| [ibm](#requirement\_ibm) | >=1.79.0 | -| [time](#requirement\_time) | 0.12.1 | - -### Modules - -| Name | Source | Version | -|------|--------|---------| -| [code\_engine\_build](#module\_code\_engine\_build) | terraform-ibm-modules/code-engine/ibm//modules/build | 4.5.13 | -| [code\_engine\_job](#module\_code\_engine\_job) | terraform-ibm-modules/code-engine/ibm//modules/job | 4.5.13 | -| [code\_engine\_project](#module\_code\_engine\_project) | terraform-ibm-modules/code-engine/ibm//modules/project | 4.5.13 | -| [code\_engine\_secret](#module\_code\_engine\_secret) | terraform-ibm-modules/code-engine/ibm//modules/secret | 4.5.13 | -| [custom\_credential\_engine](#module\_custom\_credential\_engine) | terraform-ibm-modules/secrets-manager-custom-credentials-engine/ibm | 1.0.1 | -| [event\_notification](#module\_event\_notification) | terraform-ibm-modules/event-notifications/ibm | 2.7.0 | -| [key\_protect](#module\_key\_protect) | terraform-ibm-modules/kms-all-inclusive/ibm | 5.1.25 | -| [resource\_group](#module\_resource\_group) | terraform-ibm-modules/resource-group/ibm | 1.3.0 | -| [secret\_manager\_custom\_credential](#module\_secret\_manager\_custom\_credential) | terraform-ibm-modules/secrets-manager-secret/ibm | 1.9.0 | -| [secrets\_manager](#module\_secrets\_manager) | ../.. 
| n/a | - -### Resources - -| Name | Type | -|------|------| -| [ibm_cr_namespace.rg_namespace](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/cr_namespace) | resource | -| [ibm_iam_authorization_policy.en_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy) | resource | -| [time_sleep.wait_for_en_policy](https://registry.terraform.io/providers/hashicorp/time/0.12.1/docs/resources/sleep) | resource | -| [http_http.job_config](https://registry.terraform.io/providers/hashicorp/http/3.2.1/docs/data-sources/http) | data source | - -### Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [en\_region](#input\_en\_region) | Region where event notification will be created | `string` | `"au-syd"` | no | -| [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | The IBM Cloud API key this account authenticates to | `string` | n/a | yes | -| [prefix](#input\_prefix) | Prefix for sm instance | `string` | `"sm-com"` | no | -| [region](#input\_region) | Region where resources will be created | `string` | `"eu-de"` | no | -| [resource\_group](#input\_resource\_group) | An existing resource group name to use for this example, if unset a new resource group will be created | `string` | `null` | no | -| [resource\_tags](#input\_resource\_tags) | Optional list of tags to be added to created resources | `list(string)` | `[]` | no | -| [sm\_service\_plan](#input\_sm\_service\_plan) | The Secrets Manager service plan to provision | `string` | `"trial"` | no | - -### Outputs - -| Name | Description | -|------|-------------| -| [secrets\_manager\_guid](#output\_secrets\_manager\_guid) | GUID of Secrets Manager instance. | - diff --git a/examples/fscloud/README.md b/examples/fscloud/README.md index 1ba51463..3471c3f9 100644 --- a/examples/fscloud/README.md +++ b/examples/fscloud/README.md 
@@ -2,16 +2,13 @@ An end-to-end example that uses the [Profile for IBM Cloud Framework for Financial Services](https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/tree/main/modules/fscloud) to deploy a private only Secrets-Manager instance with KYOK encryption -This examples handles the provisioning of Secrets-Manager instance, the IAM engine configuration in the recently created instance and a context-based restriction (CBR) rule to only allow Secret Manager to be accessible from within the VPC.. - -Only private service endpoints are enabled, public are disabled. Secrets Manager instances that are private only do not offer a UI management experience. -The example uses the IBM Cloud Terraform provider to create the following infrastructure: +The example creates the following infrastructure: - A resource group, if one is not passed in. -- A sample virtual private cloud (VPC). -- A sample event notification service. -- A secrets manager instance. -- A context-based restriction (CBR) rule to only allow Secrets Manager to be accessible from within the VPC. +- A CBR zone for Schematics +- An Event Notifications instance. +- A Secrets Manager instance. +- A context-based restriction (CBR) rule to only allow Secrets Manager to be accessible from the Schematics service. :exclamation: **Important:** In this example, only the IBM Secrets Manager instance complies with the IBM Cloud Framework for Financial Services. Other parts of the infrastructure do not necessarily comply. diff --git a/examples/fscloud/main.tf b/examples/fscloud/main.tf index c2c0e9fe..4e2e2b9c 100644 --- a/examples/fscloud/main.tf +++ b/examples/fscloud/main.tf @@ -1,6 +1,7 @@ ############################################################################## # Resource Group ############################################################################## + module "resource_group" { source = "terraform-ibm-modules/resource-group/ibm" version = "1.3.0" 
@@ -9,37 +10,33 @@ module "resource_group" { existing_resource_group_name = var.resource_group } + ############################################################################## -# Get Cloud Account ID +# Create CBR Zone for Schematics ############################################################################## data "ibm_iam_account_settings" "iam_account_settings" { } -############################################################################## -# VPC -############################################################################## -resource "ibm_is_vpc" "vpc" { - name = "${var.prefix}-vpc" - resource_group = module.resource_group.resource_group_id - tags = var.resource_tags -} - -############################################################################## -# Create CBR Zone -############################################################################## -module "cbr_zone" { +module "cbr_zone_schematics" { source = "terraform-ibm-modules/cbr/ibm//modules/cbr-zone-module" version = "1.33.2" - name = "${var.prefix}-CBR-zone" - zone_description = "CBR Network zone representing VPC" + name = "${var.prefix}-schematics-zone" + zone_description = "CBR Network zone containing Schematics" account_id = data.ibm_iam_account_settings.iam_account_settings.account_id addresses = [{ - type = "vpc", # to bind a specific vpc to the zone - value = ibm_is_vpc.vpc.crn, + type = "serviceRef", + ref = { + account_id = data.ibm_iam_account_settings.iam_account_settings.account_id + service_name = "schematics" + } }] } +############################################################################## +# Event Notifications +############################################################################## + module "event_notification" { source = "terraform-ibm-modules/event-notifications/ibm" version = "2.7.0" @@ -47,7 +44,6 @@ module "event_notification" { name = "${var.prefix}-en" tags = var.resource_tags plan = "lite" - service_endpoints = "public" region = var.region } 
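Review bot: Removing `service_endpoints = "public"` from `module "event_notification"` in the second hunk makes the example rely on the event-notifications module's default, which is not visible in this patch. An explicit value would keep the intended exposure of the EN instance (public or private) reviewable alongside the CBR changes in the first hunk; if the default is the desired setting, a one-line comment saying so, e.g. `# service_endpoints left at the module default`, would do. The module block ends outside the hunk.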
@@ -65,6 +61,10 @@ locals { kms_service = module.kms_key_crn_parser.service_name } +############################################################################## +# Secrets Manager +############################################################################## + module "secrets_manager" { source = "../../modules/fscloud" resource_group_id = module.resource_group.resource_group_id @@ -76,7 +76,7 @@ module "secrets_manager" { existing_en_instance_crn = module.event_notification.crn cbr_rules = [ { - description = "${var.prefix}-secrets-manager access only from vpc" + description = "${var.prefix}-secrets-manager access only from Schematics" enforcement_mode = "enabled" account_id = data.ibm_iam_account_settings.iam_account_settings.account_id rule_contexts = [{ @@ -87,7 +87,7 @@ module "secrets_manager" { }, { name = "networkZoneId" - value = module.cbr_zone.zone_id + value = module.cbr_zone_schematics.zone_id }] }] operations = [{ diff --git a/ibm_catalog.json b/ibm_catalog.json index 88f245ad..31b20a1f 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -415,7 +415,7 @@ ], "optional": true, "on_by_default": false, - "version": "v3.0.7" + "version": "v3.0.23" }, { "name": "deploy-arch-ibm-kms", @@ -447,7 +447,7 @@ ], "optional": true, "on_by_default": true, - "version": "v5.1.19" + "version": "v5.1.27" }, { "name": "deploy-arch-ibm-cloud-logs", @@ -476,7 +476,7 @@ ], "optional": true, "on_by_default": true, - "version": "v1.6.11" + "version": "v1.6.28" }, { "name": "deploy-arch-ibm-cloud-monitoring", @@ -509,7 +509,7 @@ ], "optional": true, "on_by_default": true, - "version": "v1.6.4" + "version": "v1.7.2" }, { "name": "deploy-arch-ibm-activity-tracker", @@ -533,7 +533,7 @@ ], "optional": true, "on_by_default": true, - "version": "v1.2.25" + "version": "v1.2.34" }, { "name": "deploy-arch-ibm-event-notifications", @@ -561,7 +561,7 @@ ], "optional": true, "on_by_default": true, - "version": "v2.6.11" + "version": "v2.7.2" } ], "dependency_version_2": true, 
diff --git a/tests/other_test.go b/tests/other_test.go index 7aba4f5f..135745d0 100644 --- a/tests/other_test.go +++ b/tests/other_test.go @@ -9,8 +9,7 @@ import ( "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testschematic" ) -func TestRunBasicExample(t *testing.T) { - t.Parallel() +func setupOptions(t *testing.T, prefix string, dir string) *testhelper.TestOptions { var validRegions = []string{ "eu-de", @@ -18,22 +17,37 @@ func TestRunBasicExample(t *testing.T) { "au-syd", } + var region = validRegions[rand.Intn(len(validRegions))] + options := testhelper.TestOptionsDefaultWithVars(&testhelper.TestOptions{ Testing: t, - TerraformDir: "examples/basic", - Prefix: "secrets-mgr-def", - Region: validRegions[rand.Intn(len(validRegions))], + TerraformDir: dir, + Prefix: prefix, + Region: region, + /* + Comment out the 'ResourceGroup' input to force this tests to create a unique resource group. This is because + there is a restriction with the Event Notification service, which allows only one Lite plan instance per resource group. + */ + // ResourceGroup: resourceGroup, }) + return options +} + +func TestRunBasicExample(t *testing.T) { + t.Parallel() + + options := setupOptions(t, "sm-adv", "examples/basic") + output, err := options.RunTestConsistency() assert.Nil(t, err, "This should not have errored") assert.NotNil(t, output, "Expected some output") } -func TestRunCompleteExample(t *testing.T) { +func TestRunAdvancedExample(t *testing.T) { t.Parallel() - options := setupOptions(t, "secrets-mgr", false) + options := setupOptions(t, "sm-adv", "examples/advanced") // need to ignore because of a provider issue: https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4719 options.IgnoreUpdates = testhelper.Exemptions{ 
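Review bot: `TestRunBasicExample` now calls `setupOptions(t, "sm-adv", "examples/basic")`, reusing the advanced example's prefix, so resources from the two parallel tests are distinguishable only by whatever suffix the helper adds; give the basic test its own prefix, `options := setupOptions(t, "sm-basic", "examples/basic")`. The `validRegions` declared inside `setupOptions` also shadows the package-level `validRegions` that this patch reduces to `eu-de` in pr_test.go (presumably the same package), so the basic test can still land in `eu-gb` or `au-syd` while every other test is pinned; if that is intended, a comment on the local list would help. `TestRunAdvancedExample` continues outside the hunk.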
@@ -41,6 +55,8 @@ func TestRunCompleteExample(t *testing.T) { "module.code_engine_job.ibm_code_engine_job.ce_job", }, } + // all tests using KMS should run in the same region https://github.ibm.com/GoldenEye/issues/issues/12725 + options.Region = "eu-de" output, err := options.RunTestConsistency() assert.Nil(t, err, "This should not have errored") @@ -59,11 +75,16 @@ func TestFSCloudInSchematics(t *testing.T) { "modules/fscloud/*.tf", "modules/secrets/*.tf", }, + /* + Comment out the 'ResourceGroup' input to force this tests to create a unique resource group. This is because + there is a restriction with the Event Notification service, which allows only one Lite plan instance per resource group. + */ // ResourceGroup: resourceGroup, TemplateFolder: fscloudExampleTerraformDir, Tags: []string{"test-schematic"}, DeleteWorkspaceOnFail: false, WaitJobCompleteMinutes: 60, + TerraformVersion: terraformVersion, }) options.TerraformVars = []testschematic.TestSchematicTerraformVar{ diff --git a/tests/pr_test.go b/tests/pr_test.go index 03016786..9bc56022 100644 --- a/tests/pr_test.go +++ b/tests/pr_test.go 
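Review bot: `options.Region = "eu-de"` overwrites the region that `setupOptions` has just chosen at random, so the random pick is dead work for this test and the KMS constraint is enforced by a post-hoc override rather than by the test's declaration. Passing the region into `setupOptions` (or letting an empty string mean "pick at random") would make the eu-de requirement explicit at the call site; the link in the comment can stay. `TestRunAdvancedExample` starts outside the hunk.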
@@ -19,28 +19,22 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/common" - "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testhelper" "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testschematic" ) -const completeExampleTerraformDir = "examples/complete" +/* +Global variables +*/ const fscloudExampleTerraformDir = "examples/fscloud" const fullyConfigurableTerraformDir = "solutions/fully-configurable" const securityEnforcedTerraformDir = "solutions/security-enforced" - const resourceGroup = "geretain-test-secrets-manager" - -// Define a struct with fields that match the structure of the YAML data const yamlLocation = "../common-dev-assets/common-go-assets/common-permanent-resources.yaml" +const terraformVersion = "terraform_v1.10" // This should match the version in the ibm_catalog.json var permanentResources map[string]interface{} - -// Current supported Event Notification regions var validRegions = []string{ - // "us-south", # do not run secrets manager tests in us regions "eu-de", // all tests using KMS should run in the same region https://github.ibm.com/GoldenEye/issues/issues/12725 - // "eu-gb", - // "au-syd", } // TestMain will be run before any parallel tests, used to read data from yaml for use with tests 
@@ -55,216 +49,7 @@ func TestMain(m *testing.M) { os.Exit(m.Run()) } -func setupOptions(t *testing.T, prefix string, checkApplyResultForUpgrade bool) *testhelper.TestOptions { - options := testhelper.TestOptionsDefaultWithVars(&testhelper.TestOptions{ - Testing: t, - TerraformDir: completeExampleTerraformDir, - Prefix: prefix, - Region: validRegions[rand.Intn(len(validRegions))], - CheckApplyResultForUpgrade: checkApplyResultForUpgrade, - /* - Comment out the 'ResourceGroup' input to force this tests to create a unique resource group. This is because - there is a restriction with the Event Notification service, which allows only one Lite plan instance per resource group. - */ - // ResourceGroup: resourceGroup, - }) - - return options -} - -func TestRunFullyConfigurableSchematics(t *testing.T) { - t.Parallel() - - // Set up a schematics test - options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{ - Testing: t, - TarIncludePatterns: []string{ - "*.tf", - fmt.Sprintf("%s/*.tf", fullyConfigurableTerraformDir), - fmt.Sprintf("%s/*.tf", fscloudExampleTerraformDir), - fmt.Sprintf("%s/*.tf", "modules/secrets"), - fmt.Sprintf("%s/*.tf", "modules/fscloud"), - }, - TemplateFolder: fullyConfigurableTerraformDir, - ResourceGroup: resourceGroup, - Prefix: "sm-fc", - Tags: []string{"test-schematic"}, - DeleteWorkspaceOnFail: false, - WaitJobCompleteMinutes: 60, - }) - - options.TerraformVars = []testschematic.TestSchematicTerraformVar{ - {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true}, - {Name: "prefix", Value: options.Prefix, DataType: "string"}, - {Name: "region", Value: validRegions[rand.Intn(len(validRegions))], DataType: "string"}, - {Name: "existing_resource_group_name", Value: resourceGroup, DataType: "string"}, - {Name: "service_plan", Value: "trial", DataType: "string"}, - } - - err := options.RunSchematicTest() - assert.NoError(t, err, "Schematic Test had 
unexpected error") -} - -func TestRunExistingResourcesInstancesFullyConfigurable(t *testing.T) { - t.Parallel() - - // ------------------------------------------------------------------------------------ - // Provision Event Notification, KMS key and resource group first - // ------------------------------------------------------------------------------------ - region := validRegions[rand.Intn(len(validRegions))] - prefix := fmt.Sprintf("sm-exist-%s", strings.ToLower(random.UniqueId())) - realTerraformDir := ".." - tempTerraformDir, _ := files.CopyTerraformFolderToTemp(realTerraformDir, fmt.Sprintf(prefix+"-%s", strings.ToLower(random.UniqueId()))) - tags := common.GetTagsFromTravis() - - // Verify ibmcloud_api_key variable is set - checkVariable := "TF_VAR_ibmcloud_api_key" - val, present := os.LookupEnv(checkVariable) - require.True(t, present, checkVariable+" environment variable not set") - require.NotEqual(t, "", val, checkVariable+" environment variable is empty") - logger.Log(t, "Tempdir: ", tempTerraformDir) - existingTerraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{ - TerraformDir: tempTerraformDir + "/tests/existing-resources", - Vars: map[string]interface{}{ - "prefix": prefix, - "region": region, - "resource_tags": tags, - }, - // Set Upgrade to true to ensure latest version of providers and modules are used by terratest. - // This is the same as setting the -upgrade=true flag with terraform. 
- Upgrade: true, - }) - - terraform.WorkspaceSelectOrNew(t, existingTerraformOptions, prefix) - _, existErr := terraform.InitAndApplyE(t, existingTerraformOptions) - if existErr != nil { - assert.True(t, existErr == nil, "Init and Apply of temp existing resource failed") - } else { - - // ------------------------------------------------------------------------------------ - // Test passing existing RG, EN, and KMS key - // ------------------------------------------------------------------------------------ - options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{ - Testing: t, - TarIncludePatterns: []string{ - "*.tf", - fmt.Sprintf("%s/*.tf", fullyConfigurableTerraformDir), - fmt.Sprintf("%s/*.tf", "modules/secrets"), - fmt.Sprintf("%s/*.tf", "modules/fscloud"), - }, - TemplateFolder: fullyConfigurableTerraformDir, - ResourceGroup: resourceGroup, - Prefix: "ex-fc", - Tags: []string{"test-schematic"}, - DeleteWorkspaceOnFail: false, - WaitJobCompleteMinutes: 60, - }) - - options.TerraformVars = []testschematic.TestSchematicTerraformVar{ - {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true}, - {Name: "prefix", Value: options.Prefix, DataType: "string"}, - {Name: "region", Value: region, DataType: "string"}, - {Name: "existing_resource_group_name", Value: terraform.Output(t, existingTerraformOptions, "resource_group_name"), DataType: "string"}, - {Name: "existing_event_notifications_instance_crn", Value: terraform.Output(t, existingTerraformOptions, "event_notifications_instance_crn"), DataType: "string"}, - {Name: "existing_secrets_manager_kms_key_crn", Value: terraform.Output(t, existingTerraformOptions, "secrets_manager_kms_key_crn"), DataType: "string"}, - {Name: "kms_encryption_enabled", Value: true, DataType: "bool"}, - {Name: "service_plan", Value: "trial", DataType: "string"}, - } - - err := options.RunSchematicTest() - assert.NoError(t, err, 
"Schematic Test had unexpected error") - } - - // Check if "DO_NOT_DESTROY_ON_FAILURE" is set - envVal, _ := os.LookupEnv("DO_NOT_DESTROY_ON_FAILURE") - // Destroy the temporary existing resources if required - if t.Failed() && strings.ToLower(envVal) == "true" { - fmt.Println("Terratest failed. Debug the test and delete resources manually.") - } else { - logger.Log(t, "START: Destroy (existing resources)") - terraform.Destroy(t, existingTerraformOptions) - terraform.WorkspaceDelete(t, existingTerraformOptions, prefix) - logger.Log(t, "END: Destroy (existing resources)") - } -} - -func TestRunExistingSMInstanceFullyConfigurable(t *testing.T) { - t.Parallel() - - // ------------------------------------------------------------------------------------ - // Provision new RG - // ------------------------------------------------------------------------------------ - region := validRegions[rand.Intn(len(validRegions))] - prefix := fmt.Sprintf("ex-scm-%s", strings.ToLower(random.UniqueId())) - realTerraformDir := ".." - tempTerraformDir, _ := files.CopyTerraformFolderToTemp(realTerraformDir, fmt.Sprintf(prefix+"-%s", strings.ToLower(random.UniqueId()))) - - // Verify ibmcloud_api_key variable is set - checkVariable := "TF_VAR_ibmcloud_api_key" - val, present := os.LookupEnv(checkVariable) - require.True(t, present, checkVariable+" environment variable not set") - require.NotEqual(t, "", val, checkVariable+" environment variable is empty") - logger.Log(t, "Tempdir: ", tempTerraformDir) - existingTerraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{ - TerraformDir: tempTerraformDir + "/tests/new-resources", - Vars: map[string]interface{}{ - "prefix": prefix, - "region": region, - "provision_secrets_manager": true, - }, - // Set Upgrade to true to ensure latest version of providers and modules are used by terratest. - // This is the same as setting the -upgrade=true flag with terraform. 
- Upgrade: true, - }) - - terraform.WorkspaceSelectOrNew(t, existingTerraformOptions, prefix) - _, existErr := terraform.InitAndApplyE(t, existingTerraformOptions) - if existErr != nil { - assert.True(t, existErr == nil, "Init and Apply of new resources failed failed") - } else { - options := testschematic.TestSchematicOptionsDefault(&testschematic.TestSchematicOptions{ - Testing: t, - TarIncludePatterns: []string{ - "*.tf", - fmt.Sprintf("%s/*.tf", fullyConfigurableTerraformDir), - fmt.Sprintf("%s/*.tf", "modules/secrets"), - fmt.Sprintf("%s/*.tf", "modules/fscloud"), - }, - TemplateFolder: fullyConfigurableTerraformDir, - ResourceGroup: resourceGroup, - Prefix: "ex-scm", - Tags: []string{"test-schematic"}, - DeleteWorkspaceOnFail: false, - WaitJobCompleteMinutes: 60, - }) - - options.TerraformVars = []testschematic.TestSchematicTerraformVar{ - {Name: "ibmcloud_api_key", Value: options.RequiredEnvironmentVars["TF_VAR_ibmcloud_api_key"], DataType: "string", Secure: true}, - {Name: "prefix", Value: options.Prefix, DataType: "string"}, - {Name: "region", Value: validRegions[rand.Intn(len(validRegions))], DataType: "string"}, - {Name: "existing_resource_group_name", Value: terraform.Output(t, existingTerraformOptions, "resource_group_name"), DataType: "string"}, - {Name: "existing_secrets_manager_crn", Value: terraform.Output(t, existingTerraformOptions, "secrets_manager_crn"), DataType: "string"}, - {Name: "service_plan", Value: "trial", DataType: "string"}, - } - - err := options.RunSchematicTest() - assert.NoError(t, err, "Schematic Test had unexpected error") - } - - // Check if "DO_NOT_DESTROY_ON_FAILURE" is set - envVal, _ := os.LookupEnv("DO_NOT_DESTROY_ON_FAILURE") - // Destroy the temporary existing resources if required - if t.Failed() && strings.ToLower(envVal) == "true" { - fmt.Println("Terratest failed. 
Debug the test and delete resources manually.")
- } else {
- logger.Log(t, "START: Destroy (existing resources)")
- terraform.Destroy(t, existingTerraformOptions)
- terraform.WorkspaceDelete(t, existingTerraformOptions, prefix)
- logger.Log(t, "END: Destroy (existing resources)")
- }
-}
-
-func TestRunSecurityEnforcedSchematics(t *testing.T) {
+func TestRunSecurityEnforced(t *testing.T) {
 t.Parallel()
 // ------------------------------------------------------------------------------------
@@ -305,7 +90,6 @@ func TestRunSecurityEnforcedSchematics(t *testing.T) {
 fmt.Sprintf("%s/*.tf", fullyConfigurableTerraformDir),
 fmt.Sprintf("%s/*.tf", fscloudExampleTerraformDir),
 fmt.Sprintf("%s/*.tf", "modules/secrets"),
- fmt.Sprintf("%s/*.tf", "modules/fscloud"),
 },
 TemplateFolder: securityEnforcedTerraformDir,
 ResourceGroup: resourceGroup,
@@ -313,6 +97,7 @@ func TestRunSecurityEnforcedSchematics(t *testing.T) {
 Tags: []string{"test-schematic"},
 DeleteWorkspaceOnFail: false,
 WaitJobCompleteMinutes: 60,
+ TerraformVersion: terraformVersion,
 })
 options.TerraformVars = []testschematic.TestSchematicTerraformVar{
@@ -340,7 +125,7 @@ func TestRunSecurityEnforcedSchematics(t *testing.T) {
 }
 }
-func TestRunSecretsManagerSecurityEnforcedUpgradeSchematic(t *testing.T) {
+func TestRunSecurityEnforcedUpgrade(t *testing.T) {
 t.Parallel()
 // ------------------------------------------------------------------------------------
@@ -379,14 +164,15 @@ func TestRunSecretsManagerSecurityEnforcedUpgradeSchematic(t *testing.T) {
 fmt.Sprintf("%s/*.tf", securityEnforcedTerraformDir),
 fmt.Sprintf("%s/*.tf", fullyConfigurableTerraformDir),
 fmt.Sprintf("%s/*.tf", "modules/secrets"),
- fmt.Sprintf("%s/*.tf", "modules/fscloud"),
 },
- TemplateFolder: securityEnforcedTerraformDir,
- ResourceGroup: resourceGroup,
- Prefix: "sm-se-ug",
- Tags: []string{"test-schematic"},
- DeleteWorkspaceOnFail: false,
- WaitJobCompleteMinutes: 60,
+ TemplateFolder: securityEnforcedTerraformDir,
+ ResourceGroup: resourceGroup,
+ Prefix: "sm-se-ug",
+ Tags: []string{"test-schematic"},
+ DeleteWorkspaceOnFail: false,
+ WaitJobCompleteMinutes: 60,
+ CheckApplyResultForUpgrade: true,
+ TerraformVersion: terraformVersion,
 })
 options.TerraformVars = []testschematic.TestSchematicTerraformVar{
@@ -418,7 +204,7 @@ func TestRunSecretsManagerSecurityEnforcedUpgradeSchematic(t *testing.T) {
 }
-func TestSecretsManagerDefaultConfiguration(t *testing.T) {
+func TestAddonsDefaultConfiguration(t *testing.T) {
 t.Parallel()
 options := testaddons.TestAddonsOptionsDefault(&testaddons.TestAddonOptions{
@@ -433,10 +219,9 @@ func TestSecretsManagerDefaultConfiguration(t *testing.T) {
 "deploy-arch-ibm-secrets-manager",
 "fully-configurable",
 map[string]interface{}{
- "prefix": options.Prefix,
- "region": validRegions[rand.Intn(len(validRegions))],
- "enable_platform_metrics": "false", // Disable platform metrics for addon tests
- "service_plan": "standard",
+ "prefix": options.Prefix,
+ "region": validRegions[rand.Intn(len(validRegions))],
+ "service_plan": "trial",
 },
 )
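Review bot: Switching the addon default test to `"service_plan": "trial"` means this test, TestRunSecurityEnforced and TestRunSecurityEnforcedUpgrade (all `t.Parallel()`, all passing `trial`) can try to provision a trial instance at the same time, while the `service_plan` description touched in patch 3 states that only one Trial instance of Secrets Manager can exist per account and the previous one must be deleted and reclaimed first. If these tests share an account that is a likely source of intermittent failures unrelated to the code under test, so either keep `"standard"` here or add a comment such as `// "trial": only one trial instance per account may exist; may collide with the other trial-plan tests in this file` so the next flake is recognised for what it is. The enclosing function starts outside the hunk.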
@@ -444,25 +229,27 @@ func TestSecretsManagerDefaultConfiguration(t *testing.T) {
 require.NoError(t, err)
 }
-// TestDependencyPermutations runs dependency permutations for the Secrets Manager and all its dependencies
-func TestDependencyPermutations(t *testing.T) {
- t.Skip() // skipping permutations test until we do a refactor
+func TestAddonsExistingSecretsManager(t *testing.T) {
+ t.Parallel()
 options := testaddons.TestAddonsOptionsDefault(&testaddons.TestAddonOptions{
- Testing: t,
- Prefix: "sm-perm",
- AddonConfig: cloudinfo.AddonConfig{
- OfferingName: "deploy-arch-ibm-secrets-manager",
- OfferingFlavor: "fully-configurable",
- Inputs: map[string]interface{}{
- "prefix": "sm-perm",
- "region": validRegions[rand.Intn(len(validRegions))],
- "existing_resource_group_name": resourceGroup,
- "service_plan": "standard",
- },
- },
+ Testing: t,
+ Prefix: "extsm",
+ ResourceGroup: resourceGroup,
+ QuietMode: true, // Suppress logs except on failure
 })
- err := options.RunAddonPermutationTest()
- assert.NoError(t, err, "Dependency permutation test should not fail")
+ options.AddonConfig = cloudinfo.NewAddonConfigTerraform(
+ options.Prefix,
+ "deploy-arch-ibm-secrets-manager",
+ "fully-configurable",
+ map[string]interface{}{
+ "prefix": options.Prefix,
+ "region": "us-south",
+ "existing_secrets_manager_crn": permanentResources["privateOnlySecMgrCRN"],
+ },
+ )
+
+ err := options.RunAddonTest()
+ require.NoError(t, err)
 }
From fafbcbb26be7e5511168972f3d9f8cbbb9ceb2f5 Mon Sep 17 00:00:00 2001
From: ocofaigh
Date: Fri, 19 Sep 2025 20:56:27 +0100
Subject: [PATCH 2/7] test: fix test
---
 tests/pr_test.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 9bc56022..fab0968f 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -247,6 +247,7 @@ func TestAddonsExistingSecretsManager(t *testing.T) {
 "prefix": options.Prefix,
 "region": "us-south",
 "existing_secrets_manager_crn": permanentResources["privateOnlySecMgrCRN"],
+ "service_plan": "__NULL__", // Plan not needed if using existing instance
 },
 )
From 098211768d0fd9688ad6b386d7a6c61e81c72917 Mon Sep 17 00:00:00 2001
From: ocofaigh
Date: Mon, 22 Sep 2025 18:49:59 +0100
Subject: [PATCH 3/7] remove extra validation
---
 main.tf | 2 +-
 solutions/fully-configurable/variables.tf | 21 +--------------------
 solutions/security-enforced/variables.tf | 7 +------
 variables.tf | 6 +++---
 4 files changed, 6 insertions(+), 30 deletions(-)
diff --git a/main.tf b/main.tf
index c19406f5..777b9a08 100644
--- a/main.tf
+++ b/main.tf
@@ -6,7 +6,7 @@ locals {
 # Validation (approach based on https://github.com/hashicorp/terraform/issues/25609#issuecomment-1057614400)
 # tflint-ignore: terraform_unused_declarations
- validate_is_hpcs_key = var.is_hpcs_key && local.kms_service_name != "hs-crypto" ? tobool("When is_hpcs_key is set to true then the key provided through kms_key_crn must be a Hyper Protect Crypto Services key") : true
+ validate_is_hpcs_key = var.existing_sm_instance_crn == null ? var.is_hpcs_key && local.kms_service_name != "hs-crypto" ? tobool("When is_hpcs_key is set to true then the key provided through kms_key_crn must be a Hyper Protect Crypto Services key") : true : true
 }
 locals {
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
index 5d04b73b..a78aef11 100644
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
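Review bot: The added `validate_is_hpcs_key` line nests one conditional inside another without parentheses (`a ? b ? x : y : z`), which leaves the reader to recall how HCL associates the branches; `validate_is_hpcs_key = var.existing_sm_instance_crn == null ? (var.is_hpcs_key && local.kms_service_name != "hs-crypto" ? tobool("When is_hpcs_key is set to true then the key provided through kms_key_crn must be a Hyper Protect Crypto Services key") : true) : true` makes the intent explicit. The same shape is added to the `kms_key_crn` validation in `variables.tf` later in this patch (`@@ -72,8 +72,8 @@`), where the whole condition flattens to `var.existing_sm_instance_crn != null || !var.kms_encryption_enabled || var.kms_key_crn != null`. Both changes skip the KMS checks whenever an existing instance CRN is supplied, which is only safe if the key inputs are ignored in that case; a sentence saying so next to the existing `# Validation` comment would spare the next reader from re-deriving it. The enclosing `locals` block starts outside the hunk.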
@@ -68,13 +68,9 @@ variable "service_plan" {
 type = string
 description = "The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard)."
 validation {
- condition = contains(["standard", "trial"], var.service_plan)
+ condition = var.existing_secrets_manager_crn == null ? contains(["standard", "trial"], var.service_plan) : true
 error_message = "Only 'standard' and 'trial' are allowed values for 'service_plan'. Applies only if not providing a value for the 'existing_secrets_manager_crn' input."
 }
- validation {
- condition = var.existing_secrets_manager_crn == null ? var.service_plan != null : true
- error_message = "A value for 'service_plan' is required if not providing a value for 'existing_secrets_manager_crn'"
- }
 }
 variable "skip_secrets_manager_iam_auth_policy" {
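Review bot: Removing the second `validation` block drops the explicit `service_plan != null` check, and the kept condition now hands a possibly-null `var.service_plan` straight to `contains(...)` whenever `existing_secrets_manager_crn` is null; as far as I recall Terraform rejects a null argument to `contains` with a generic "argument must not be null" error instead of the friendly message that was deleted. If `service_plan` can still be null here (its default is outside the hunk), consider `condition = var.existing_secrets_manager_crn == null ? (var.service_plan == null ? false : contains(["standard", "trial"], var.service_plan)) : true` so the failure is reported through `error_message`. The same change is made to the security-enforced flavor (`@@ -57,7 +57,7 @@` in `solutions/security-enforced/variables.tf`).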
@@ -171,21 +167,11 @@ variable "kms_encryption_enabled" {
 description = "Set to true to enable Secrets Manager Secrets Encryption using customer managed keys. When set to true, a value must be passed for either `existing_kms_instance_crn` or `existing_secrets_manager_kms_key_crn`. Cannot be set to true if passing a value for `existing_secrets_manager_crn`."
 default = false
- validation {
- condition = var.kms_encryption_enabled ? var.existing_secrets_manager_crn == null : true
- error_message = "'kms_encryption_enabled' should be false if passing a value for 'existing_secrets_manager_crn'."
- }
-
 validation {
 condition = var.existing_secrets_manager_kms_key_crn != null ? var.kms_encryption_enabled : true
 error_message = "If passing a value for 'existing_secrets_manager_kms_key_crn', you should set 'kms_encryption_enabled' to true."
 }
- validation {
- condition = var.existing_kms_instance_crn != null ? var.kms_encryption_enabled : true
- error_message = "If passing a value for 'existing_kms_instance_crn', you should set 'kms_encryption_enabled' to true."
- }
-
 validation {
 condition = var.kms_encryption_enabled ? ((var.existing_kms_instance_crn != null || var.existing_secrets_manager_kms_key_crn != null) ? true : false) : true
 error_message = "Either 'existing_kms_instance_crn' or `existing_secrets_manager_kms_key_crn` is required if 'kms_encryption_enabled' is set to true."
@@ -204,11 +190,6 @@ variable "existing_kms_instance_crn" {
 ])
 error_message = "The provided KMS instance CRN in the input 'existing_kms_instance_crn' in not valid."
 }
-
- validation {
- condition = var.existing_kms_instance_crn != null ? var.existing_secrets_manager_crn == null : true
- error_message = "A value should not be passed for 'existing_kms_instance_crn' when passing an existing secrets manager instance using the 'existing_secrets_manager_crn' input."
- }
 }
 variable "kms_endpoint_type" {
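Review bot: The first removed block was the only check behind the sentence still kept in the description, `Cannot be set to true if passing a value for existing_secrets_manager_crn`, so that documented constraint is now unenforced; either drop the sentence or keep the check. The second removed block (`var.existing_kms_instance_crn != null ? var.kms_encryption_enabled : true`) was the guard against a caller supplying a KMS instance while leaving `kms_encryption_enabled` at its default `false`, a combination that now passes validation and presumably provisions without customer-managed-key encryption instead of failing fast — that silent downgrade is worth keeping as an error, or at least stating in the `existing_kms_instance_crn` description. The same cross-check is also dropped at `@@ -204,11 +190,6 @@` below and in the security-enforced flavor. Both variable blocks start outside the hunk.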
diff --git a/solutions/security-enforced/variables.tf b/solutions/security-enforced/variables.tf
index 3982a11c..4480eab2 100644
--- a/solutions/security-enforced/variables.tf
+++ b/solutions/security-enforced/variables.tf
@@ -57,7 +57,7 @@ variable "service_plan" {
 type = string
 description = "The pricing plan to use when provisioning a Secrets Manager instance. Possible values: `standard`, `trial`. You can create only one Trial instance of Secrets Manager per account. Before you can create a new Trial instance, you must delete the existing Trial instance and its reclamation. [Learn more](https://cloud.ibm.com/docs/secrets-manager?topic=secrets-manager-create-instance&interface=ui#upgrade-instance-standard)."
 validation {
- condition = contains(["standard", "trial"], var.service_plan)
+ condition = var.existing_secrets_manager_crn == null ? contains(["standard", "trial"], var.service_plan) : true
 error_message = "Only 'standard' and 'trial' are allowed values for 'service_plan'. Applies only if not providing a value for the 'existing_secrets_manager_crn' input."
 }
 validation {
@@ -146,11 +146,6 @@ variable "existing_kms_instance_crn" {
 ])
 error_message = "The provided KMS instance CRN in the input 'existing_kms_instance_crn' in not valid."
 }
-
- validation {
- condition = var.existing_kms_instance_crn != null ? var.existing_secrets_manager_crn == null : true
- error_message = "A value should not be passed for 'existing_kms_instance_crn' when passing an existing secrets manager instance using the 'existing_secrets_manager_crn' input."
- }
 }
 variable "kms_key_ring_name" {
diff --git a/variables.tf b/variables.tf
index 182a854e..02d234da 100644
--- a/variables.tf
+++ b/variables.tf
@@ -22,7 +22,7 @@ variable "sm_service_plan" {
 description = "The Secrets Manager plan to provision."
 default = "standard"
 validation {
- condition = contains(["standard", "trial"], var.sm_service_plan)
+ condition = var.existing_sm_instance_crn == null ? contains(["standard", "trial"], var.sm_service_plan) : true
 error_message = "The specified `sm_service_plan` is not valid. Possible values are `standard` or `trial`."
 }
 }
@@ -72,8 +72,8 @@ variable "kms_key_crn" {
 }
 validation {
- condition = var.kms_encryption_enabled == true && var.kms_key_crn == null ? false : true
- error_message = "When setting `var.kms_encryption_enabled` to `tru`e, a value must be passed for `var.kms_key_crn`."
+ condition = var.existing_sm_instance_crn == null ? var.kms_encryption_enabled == true && var.kms_key_crn == null ? false : true : true
+ error_message = "When setting `var.kms_encryption_enabled` to `true`, a value must be passed for `var.kms_key_crn`."
 }
 }
From a8e8d1c8fbdf8c52d0a2e139fbe6b6f5a8af29ec Mon Sep 17 00:00:00 2001
From: ocofaigh
Date: Mon, 22 Sep 2025 20:03:31 +0100
Subject: [PATCH 4/7] fix test
---
 tests/pr_test.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tests/pr_test.go b/tests/pr_test.go
index fab0968f..2632b159 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -248,6 +248,7 @@ func TestAddonsExistingSecretsManager(t *testing.T) {
 "region": "us-south",
 "existing_secrets_manager_crn": permanentResources["privateOnlySecMgrCRN"],
 "service_plan": "__NULL__", // Plan not needed if using existing instance
+ "skip_secrets_manager_event_notifications_iam_auth_policy": true, // Skip s2s auth policy for IAM engine - it already exists for the existing Secrets Manager instance
 },
 )
From 9dbd73fd6d2109ac57de7d22bd005d47f90aed3d Mon Sep 17 00:00:00 2001
From: ocofaigh Date: Tue, 23 Sep 2025 11:20:04 +0100 Subject: [PATCH 5/7] test refactor --- .catalog-onboard-pipeline.yaml | 4 --- common-dev-assets | 2 +- tests/existing-resources/main.tf | 11 --------- tests/existing-resources/outputs.tf | 5 ---- tests/new-resources/README.md | 1 - tests/new-resources/main.tf | 25 ------------------- tests/new-resources/outputs.tf | 14 ----------- tests/new-resources/provider.tf | 3 --- tests/new-resources/variables.tf | 27 -------------------- tests/new-resources/version.tf | 9 ------- tests/new-rg/README.md | 1 - tests/new-rg/main.tf | 11 --------- tests/new-rg/outputs.tf | 13 ---------- tests/new-rg/provider.tf | 3 --- tests/new-rg/variables.tf | 17 ------------- tests/new-rg/version.tf | 9 ------- tests/pr_test.go | 22 +++++++++-------- tests/scripts/post-validate.sh | 19 --------------- tests/scripts/pre-validate.sh | 38 ----------------------------- 19 files changed, 13 insertions(+), 221 deletions(-) delete mode 100644 tests/new-resources/README.md delete mode 100644 tests/new-resources/main.tf delete mode 100644 tests/new-resources/outputs.tf delete mode 100644 tests/new-resources/provider.tf delete mode 100644 tests/new-resources/variables.tf delete mode 100644 tests/new-resources/version.tf delete mode 100644 tests/new-rg/README.md delete mode 100644 tests/new-rg/main.tf delete mode 100644 tests/new-rg/outputs.tf delete mode 100644 tests/new-rg/provider.tf delete mode 100644 tests/new-rg/variables.tf delete mode 100644 tests/new-rg/version.tf delete mode 100755 tests/scripts/post-validate.sh delete mode 100755 tests/scripts/pre-validate.sh diff --git a/.catalog-onboard-pipeline.yaml b/.catalog-onboard-pipeline.yaml index a73239bf..8b1b246c 100644 --- a/.catalog-onboard-pipeline.yaml +++ b/.catalog-onboard-pipeline.yaml 
@@ -9,8 +9,6 @@ offerings: - name: security-enforced mark_ready: true install_type: fullstack - pre_validation: "tests/scripts/pre-validate.sh solutions/security-enforced" - post_validation: "tests/scripts/post-validate.sh" scc: instance_id: 1c7d5f78-9262-44c3-b779-b28fe4d88c37 region: us-south @@ -18,8 +16,6 @@ offerings: - name: fully-configurable mark_ready: true install_type: fullstack - pre_validation: "tests/scripts/pre-validate.sh solutions/fully-configurable" - post_validation: "tests/scripts/post-validate.sh" scc: instance_id: 1c7d5f78-9262-44c3-b779-b28fe4d88c37 region: us-south diff --git a/common-dev-assets b/common-dev-assets index 84e744a2..03fd242c 160000 --- a/common-dev-assets +++ b/common-dev-assets @@ -1 +1 @@ -Subproject commit 84e744a27f774dac276e9381db01b6fe378c0af3 +Subproject commit 03fd242c14074713be00c371ed86971093163e4e diff --git a/tests/existing-resources/main.tf b/tests/existing-resources/main.tf index 18459d96..4723fe52 100644 --- a/tests/existing-resources/main.tf +++ b/tests/existing-resources/main.tf @@ -35,15 +35,4 @@ module "key_protect" { key_protect_instance_name = "${var.prefix}-key-protect" resource_group_id = module.resource_group.resource_group_id region = var.region - keys = [ - { - key_ring_name = "${var.prefix}-sm" - keys = [ - { - key_name = "${var.prefix}-sm-key" - force_delete = true - } - ] - } - ] } diff --git a/tests/existing-resources/outputs.tf b/tests/existing-resources/outputs.tf index c7665074..9f5ae4bc 100644 --- a/tests/existing-resources/outputs.tf +++ b/tests/existing-resources/outputs.tf @@ -8,11 +8,6 @@ output "resource_group_id" { description = "Resource group ID" } -output "secrets_manager_kms_key_crn" { - value = module.key_protect.keys["${var.prefix}-sm.${var.prefix}-sm-key"].crn - description = "CRN of created secret manager KMS key" -} - output "secrets_manager_kms_instance_crn" { value = module.key_protect.key_protect_id description = "CRN of created secret manager KMS instance" 
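Review bot: Dropping `pre_validation`/`post_validation` for both offerings removes the step that the deleted `tests/scripts/pre-validate.sh` (later in this patch) described as provisioning a fresh resource group `(required to ensure auth policies don't clash in account)`, and nothing visible in this commit explains what now supplies `existing_resource_group_name` for catalog validation or why the auth-policy clash no longer applies. A short comment above each offering, e.g. `# validation runs without a pre-provisioned resource group; see <reason>`, or a sentence in the commit message, would record that decision. If validation now lands in a shared resource group, confirm the IAM s2s policy collision the script guarded against cannot recur.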
diff --git a/tests/new-resources/README.md b/tests/new-resources/README.md deleted file mode 100644 index 790e3ba3..00000000 --- a/tests/new-resources/README.md +++ /dev/null @@ -1 +0,0 @@ -# Existing Resource Group For use in tests diff --git a/tests/new-resources/main.tf b/tests/new-resources/main.tf deleted file mode 100644 index 8030de0d..00000000 --- a/tests/new-resources/main.tf +++ /dev/null @@ -1,25 +0,0 @@ -############################################################################## -# Resource Group -############################################################################## - -module "resource_group" { - source = "terraform-ibm-modules/resource-group/ibm" - version = "1.3.0" - # if an existing resource group is not set (null) create a new one using prefix - resource_group_name = var.resource_group == null ? "${var.prefix}-resource-group" : null - existing_resource_group_name = var.resource_group -} - -############################################################################## -# Secrets Manager -############################################################################## - -module "secrets_manager" { - count = var.provision_secrets_manager == true ? 1 : 0 - source = "../.." - resource_group_id = module.resource_group.resource_group_id - region = var.region - secrets_manager_name = "${var.prefix}-tsm" - sm_service_plan = "trial" - skip_iam_authorization_policy = true -} diff --git a/tests/new-resources/outputs.tf b/tests/new-resources/outputs.tf deleted file mode 100644 index 5baba608..00000000 --- a/tests/new-resources/outputs.tf +++ /dev/null 
@@ -1,14 +0,0 @@ -output "resource_group_name" { - value = module.resource_group.resource_group_name - description = "Resource group name" -} - -output "resource_group_id" { - value = module.resource_group.resource_group_id - description = "Resource group ID" -} - -output "secrets_manager_crn" { - value = var.provision_secrets_manager == true ? module.secrets_manager[0].secrets_manager_crn : null - description = "CRN of the secrets manager instance" -} diff --git a/tests/new-resources/provider.tf b/tests/new-resources/provider.tf deleted file mode 100644 index 4a12678d..00000000 --- a/tests/new-resources/provider.tf +++ /dev/null @@ -1,3 +0,0 @@ -provider "ibm" { - ibmcloud_api_key = var.ibmcloud_api_key -} diff --git a/tests/new-resources/variables.tf b/tests/new-resources/variables.tf deleted file mode 100644 index d041bc29..00000000 --- a/tests/new-resources/variables.tf +++ /dev/null @@ -1,27 +0,0 @@ -variable "ibmcloud_api_key" { - type = string - description = "The IBM Cloud API Key" - sensitive = true -} - -variable "prefix" { - type = string - description = "Prefix to append to all resources" -} - -variable "resource_group" { - type = string - description = "The name of an existing resource group to provision resources in to. If not set a new resource group will be created using the prefix variable" - default = null -} - -variable "region" { - type = string - description = "Region" -} - -variable "provision_secrets_manager" { - type = bool - description = "Set it to true to provision a secrets manager" - default = false -} diff --git a/tests/new-resources/version.tf b/tests/new-resources/version.tf deleted file mode 100644 index 8abdbce5..00000000 --- a/tests/new-resources/version.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - required_version = ">= 1.3.0" - required_providers { - ibm = { - source = "ibm-cloud/ibm" - version = ">= 1.79.0" - } - } -} 
diff --git a/tests/new-rg/README.md b/tests/new-rg/README.md deleted file mode 100644 index 9afda9d8..00000000 --- a/tests/new-rg/README.md +++ /dev/null @@ -1 +0,0 @@ -The terraform code in this directory is used for by catalog pipeline diff --git a/tests/new-rg/main.tf b/tests/new-rg/main.tf deleted file mode 100644 index d58e7f97..00000000 --- a/tests/new-rg/main.tf +++ /dev/null @@ -1,11 +0,0 @@ -############################################################################## -# Resource Group -############################################################################## - -module "resource_group" { - source = "terraform-ibm-modules/resource-group/ibm" - version = "1.3.0" - # if an existing resource group is not set (null) create a new one using prefix - resource_group_name = var.resource_group == null ? "${var.prefix}-resource-group" : null - existing_resource_group_name = var.resource_group -} diff --git a/tests/new-rg/outputs.tf b/tests/new-rg/outputs.tf deleted file mode 100644 index 7143446e..00000000 --- a/tests/new-rg/outputs.tf +++ /dev/null @@ -1,13 +0,0 @@ -############################################################################## -# Outputs -############################################################################## - -output "resource_group_id" { - value = module.resource_group.resource_group_id - description = "Resource group ID." -} - -output "resource_group_name" { - value = module.resource_group.resource_group_name - description = "Resource group name." -} diff --git a/tests/new-rg/provider.tf b/tests/new-rg/provider.tf deleted file mode 100644 index 4a12678d..00000000 --- a/tests/new-rg/provider.tf +++ /dev/null @@ -1,3 +0,0 @@ -provider "ibm" { - ibmcloud_api_key = var.ibmcloud_api_key -} diff --git a/tests/new-rg/variables.tf b/tests/new-rg/variables.tf deleted file mode 100644 index e8146795..00000000 --- a/tests/new-rg/variables.tf +++ /dev/null 
@@ -1,17 +0,0 @@ -variable "ibmcloud_api_key" { - type = string - description = "The IBM Cloud API Key." - sensitive = true -} - -variable "prefix" { - type = string - description = "Prefix to append to all resources created by this example." - default = "sm" -} - -variable "resource_group" { - type = string - description = "The name of an existing resource group to provision resources in. If not specified, a new resource group is created with the `prefix` variable." - default = null -} diff --git a/tests/new-rg/version.tf b/tests/new-rg/version.tf deleted file mode 100644 index cb783436..00000000 --- a/tests/new-rg/version.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - required_version = ">= 1.9.0" - required_providers { - ibm = { - source = "ibm-cloud/ibm" - version = ">= 1.79.0" - } - } -} diff --git a/tests/pr_test.go b/tests/pr_test.go index 2632b159..a521f353 100644 --- a/tests/pr_test.go +++ b/tests/pr_test.go @@ -53,7 +53,7 @@ func TestRunSecurityEnforced(t *testing.T) { t.Parallel() // ------------------------------------------------------------------------------------ - // Provision new RG + // Provision new RG, Event Notifications and Key Protect instance + root key // ------------------------------------------------------------------------------------ prefix := fmt.Sprintf("sm-se-%s", strings.ToLower(random.UniqueId())) realTerraformDir := ".." @@ -66,7 +66,7 @@ func TestRunSecurityEnforced(t *testing.T) { require.NotEqual(t, "", val, checkVariable+" environment variable is empty") logger.Log(t, "Tempdir: ", tempTerraformDir) existingTerraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{ - TerraformDir: tempTerraformDir + "/tests/new-rg", + TerraformDir: tempTerraformDir + "/tests/existing-resources", Vars: map[string]interface{}{ "prefix": prefix, }, 
@@ -106,7 +106,8 @@ func TestRunSecurityEnforced(t *testing.T) {
 {Name: "region", Value: validRegions[rand.Intn(len(validRegions))], DataType: "string"},
 {Name: "existing_resource_group_name", Value: terraform.Output(t, existingTerraformOptions, "resource_group_name"), DataType: "string"},
 {Name: "service_plan", Value: "trial", DataType: "string"},
- {Name: "existing_kms_instance_crn", Value: permanentResources["hpcs_south_crn"], DataType: "string"},
+ {Name: "existing_kms_instance_crn", Value: terraform.Output(t, existingTerraformOptions, "secrets_manager_kms_instance_crn"), DataType: "string"},
+ {Name: "existing_event_notifications_instance_crn", Value: terraform.Output(t, existingTerraformOptions, "event_notifications_instance_crn"), DataType: "string"},
 }
 err := options.RunSchematicTest()
 assert.NoError(t, err, "Schematic Test had unexpected error")
@@ -142,7 +143,7 @@ func TestRunSecurityEnforcedUpgrade(t *testing.T) {
 require.NotEqual(t, "", val, checkVariable+" environment variable is empty")
 logger.Log(t, "Tempdir: ", tempTerraformDir)
 existingTerraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
- TerraformDir: tempTerraformDir + "/tests/new-rg",
+ TerraformDir: tempTerraformDir + "/tests/existing-resources",
 Vars: map[string]interface{}{
 "prefix": prefix,
 },
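Review bot: `existing_kms_instance_crn` now comes from the Key Protect instance created in `tests/existing-resources` instead of `permanentResources["hpcs_south_crn"]`, so neither security-enforced test exercises a Hyper Protect Crypto Services (KYOK) key any more; the same substitution is made at `@@ -181,7 +182,8 @@` in TestRunSecurityEnforcedUpgrade. If that flavor sets `is_hpcs_key`, the `validate_is_hpcs_key` check in `main.tf` (patch 3) would reject a Key Protect CRN, so presumably it does not — either way a comment on this var such as `// Key Protect instance from tests/existing-resources; HPCS/KYOK is intentionally not covered here` would make the reduced coverage a deliberate choice rather than an accident. TestRunSecurityEnforced's body starts outside the hunk.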
@@ -181,7 +182,8 @@ func TestRunSecurityEnforcedUpgrade(t *testing.T) {
 {Name: "region", Value: validRegions[rand.Intn(len(validRegions))], DataType: "string"},
 {Name: "existing_resource_group_name", Value: terraform.Output(t, existingTerraformOptions, "resource_group_name"), DataType: "string"},
 {Name: "service_plan", Value: "trial", DataType: "string"},
- {Name: "existing_kms_instance_crn", Value: permanentResources["hpcs_south_crn"], DataType: "string"},
+ {Name: "existing_kms_instance_crn", Value: terraform.Output(t, existingTerraformOptions, "secrets_manager_kms_instance_crn"), DataType: "string"},
+ {Name: "existing_event_notifications_instance_crn", Value: terraform.Output(t, existingTerraformOptions, "event_notifications_instance_crn"), DataType: "string"},
 }
 err := options.RunSchematicUpgradeTest()
@@ -244,11 +246,11 @@ func TestAddonsExistingSecretsManager(t *testing.T) {
 "deploy-arch-ibm-secrets-manager",
 "fully-configurable",
 map[string]interface{}{
- "prefix": options.Prefix,
- "region": "us-south",
- "existing_secrets_manager_crn": permanentResources["privateOnlySecMgrCRN"],
- "service_plan": "__NULL__", // Plan not needed if using existing instance
- "skip_secrets_manager_event_notifications_iam_auth_policy": true, // Skip s2s auth policy for IAM engine - it already exists for the existing Secrets Manager instance
+ "prefix": options.Prefix,
+ "region": "us-south",
+ "existing_secrets_manager_crn": permanentResources["privateOnlySecMgrCRN"],
+ "service_plan": "__NULL__", // Plan not needed if using existing instance
+ "skip_secrets_manager_iam_auth_policy": true, // Skip s2s auth policy for IAM engine - it already exists for the existing Secrets Manager instance
 },
 )
diff --git a/tests/scripts/post-validate.sh b/tests/scripts/post-validate.sh
deleted file mode 100755
index f5808710..00000000
--- a/tests/scripts/post-validate.sh
+++ /dev/null
@@ -1,19 +0,0 @@ -#! /bin/bash - -######################################################################################################################## -## This script is used by the catalog pipeline to destroy prerequisite resource required for catalog validation ## -######################################################################################################################## - -set -e - -TERRAFORM_SOURCE_DIR="tests/new-rg" -TF_VARS_FILE="terraform.tfvars" - -( - cd ${TERRAFORM_SOURCE_DIR} - echo "Destroying resource group .." - terraform destroy -input=false -auto-approve -var-file=${TF_VARS_FILE} || exit 1 - rm -f "${TF_VARS_FILE}" - - echo "Post-validation completed successfully" -) diff --git a/tests/scripts/pre-validate.sh b/tests/scripts/pre-validate.sh deleted file mode 100755 index 709a2785..00000000 --- a/tests/scripts/pre-validate.sh +++ /dev/null 
@@ -1,38 +0,0 @@ -#! /bin/bash - -############################################################################################################ -## This script is used by the catalog pipeline to provision a new resource group -## (required to ensure auth policies don't clash in account) -############################################################################################################ - -set -e - -DA_DIR="${1}" -TERRAFORM_SOURCE_DIR="tests/new-rg" -JSON_FILE="${DA_DIR}/catalogValidationValues.json" -TF_VARS_FILE="terraform.tfvars" - -( - cwd=$(pwd) - cd ${TERRAFORM_SOURCE_DIR} - echo "Provisioning new resource group .." - terraform init || exit 1 - # $VALIDATION_APIKEY is available in the catalog runtime - { - echo "ibmcloud_api_key=\"${VALIDATION_APIKEY}\"" - echo "prefix=\"ocp-$(openssl rand -hex 2)\"" - } >> ${TF_VARS_FILE} - terraform apply -input=false -auto-approve -var-file=${TF_VARS_FILE} || exit 1 - - rg_var_name="existing_resource_group_name" - rg_value=$(terraform output -state=terraform.tfstate -raw resource_group_name) - - echo "Appending '${rg_var_name}', input variable value to ${JSON_FILE}.." - - cd "${cwd}" - jq -r --arg rg_var_name "${rg_var_name}" \ - --arg rg_value "${rg_value}" \ - '. + {($rg_var_name): $rg_value}' "${JSON_FILE}" > tmpfile && mv tmpfile "${JSON_FILE}" || exit 1 - - echo "Pre-validation complete successfully" -) From a4a8ee98378635093f440a698b224d7803d94215 Mon Sep 17 00:00:00 2001 From: ocofaigh Date: Tue, 23 Sep 2025 12:05:37 +0100 Subject: [PATCH 6/7] add missing region to prereq test --- tests/pr_test.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/pr_test.go b/tests/pr_test.go index a521f353..7e01076f 100644 --- a/tests/pr_test.go +++ b/tests/pr_test.go 
@@ -69,6 +69,7 @@ func TestRunSecurityEnforced(t *testing.T) {
 TerraformDir: tempTerraformDir + "/tests/existing-resources",
 Vars: map[string]interface{}{
 "prefix": prefix,
+ "region": validRegions[rand.Intn(len(validRegions))],
 },
 // Set Upgrade to true to ensure latest version of providers and modules are used by terratest.
 // This is the same as setting the -upgrade=true flag with terraform.
@@ -146,6 +147,7 @@ func TestRunSecurityEnforcedUpgrade(t *testing.T) {
 TerraformDir: tempTerraformDir + "/tests/existing-resources",
 Vars: map[string]interface{}{
 "prefix": prefix,
+ "region": validRegions[rand.Intn(len(validRegions))],
 },
 // Set Upgrade to true to ensure latest version of providers and modules are used by terratest.
 // This is the same as setting the -upgrade=true flag with terraform.
From cf674ff8088ae5d09dc17c0df14e23081f2fa111 Mon Sep 17 00:00:00 2001
From: ocofaigh
Date: Tue, 23 Sep 2025 18:02:46 +0100
Subject: [PATCH 7/7] test updates
---
 tests/pr_test.go | 46 +++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 45 insertions(+), 1 deletion(-)
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 7e01076f..661ac829 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -12,6 +12,7 @@ import (
 "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/cloudinfo"
 "github.com/terraform-ibm-modules/ibmcloud-terratest-wrapper/testaddons"
+ "github.com/IBM/go-sdk-core/v5/core"
 "github.com/gruntwork-io/terratest/modules/files"
 "github.com/gruntwork-io/terratest/modules/logger"
 "github.com/gruntwork-io/terratest/modules/random"
@@ -229,6 +230,27 @@ func TestAddonsDefaultConfiguration(t *testing.T) {
 },
 )
 
+ // Disable target / route creation to prevent hitting quota in account
+ options.AddonConfig.Dependencies = []cloudinfo.AddonConfig{
+ {
+ OfferingName: "deploy-arch-ibm-cloud-monitoring",
+ OfferingFlavor: "fully-configurable",
+ Inputs: map[string]interface{}{
+ "enable_metrics_routing_to_cloud_monitoring": false,
+ },
+ Enabled: core.BoolPtr(true),
+ },
+ {
+ OfferingName: "deploy-arch-ibm-activity-tracker",
+ OfferingFlavor: "fully-configurable",
+ Inputs: map[string]interface{}{
+ "enable_activity_tracker_event_routing_to_cos_bucket": false,
+ "enable_activity_tracker_event_routing_to_cloud_logs": false,
+ },
+ Enabled: core.BoolPtr(true),
+ },
+ }
+
 err := options.RunAddonTest()
 require.NoError(t, err)
 }
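Review bot: The two-element Dependencies literal added here is repeated verbatim in the TestAddonsExistingSecretsManager hunk that follows; lift it into one package-level helper, e.g. `func observabilityDepsWithoutRouting() []cloudinfo.AddonConfig`, and assign `options.AddonConfig.Dependencies = observabilityDepsWithoutRouting()` in both tests so the quota workaround is maintained in a single place. The helper's doc comment should say explicitly that it switches off metrics routing and activity-tracker event routing to COS and Cloud Logs, because with these inputs the addon tests no longer exercise those routing configurations and a regression there would have to be caught by a different test. TestAddonsDefaultConfiguration's body starts outside the hunk.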
@@ -249,13 +271,35 @@ func TestAddonsExistingSecretsManager(t *testing.T) {
 "fully-configurable",
 map[string]interface{}{
 "prefix": options.Prefix,
- "region": "us-south",
+ "region": permanentResources["privateOnlySecMgrRegion"],
 "existing_secrets_manager_crn": permanentResources["privateOnlySecMgrCRN"],
 "service_plan": "__NULL__", // Plan not needed if using existing instance
 "skip_secrets_manager_iam_auth_policy": true, // Skip s2s auth policy for IAM engine - it already exists for the existing Secrets Manager instance
+ "secret_groups": []string{}, // Don't create any secret groups in existing instance (The default 'General' group already exists)
 },
 )
 
+ // Disable target / route creation to prevent hitting quota in account
+ options.AddonConfig.Dependencies = []cloudinfo.AddonConfig{
+ {
+ OfferingName: "deploy-arch-ibm-cloud-monitoring",
+ OfferingFlavor: "fully-configurable",
+ Inputs: map[string]interface{}{
+ "enable_metrics_routing_to_cloud_monitoring": false,
+ },
+ Enabled: core.BoolPtr(true),
+ },
+ {
+ OfferingName: "deploy-arch-ibm-activity-tracker",
+ OfferingFlavor: "fully-configurable",
+ Inputs: map[string]interface{}{
+ "enable_activity_tracker_event_routing_to_cos_bucket": false,
+ "enable_activity_tracker_event_routing_to_cloud_logs": false,
+ },
+ Enabled: core.BoolPtr(true),
+ },
+ }
+
 err := options.RunAddonTest()
 require.NoError(t, err)
 }
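Review bot: `permanentResources["privateOnlySecMgrRegion"]` is passed straight into the inputs map, and if permanentResources is a map (as the lookup syntax suggests) a missing key silently yields a zero value, so the failure would only surface later as an opaque region error from the deploy rather than at the point of misconfiguration. Resolve it up front with `region, ok := permanentResources["privateOnlySecMgrRegion"]` followed by `require.True(t, ok, "privateOnlySecMgrRegion missing from permanent resources")` and pass `region`; the same guard fits the neighbouring `privateOnlySecMgrCRN` lookup. Since this test targets a shared, pre-existing Secrets Manager instance, the comment on `"secret_groups": []string{}` could also state that it must stay empty so the test never creates or alters groups in that permanent instance. The options setup in TestAddonsExistingSecretsManager starts outside the hunk.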
