
Chore: Use default credentials for tests instead of SA key #1406


Draft
wants to merge 1 commit into
base: main
4 changes: 2 additions & 2 deletions CONTRIBUTING.md
Expand Up @@ -49,10 +49,10 @@ To use this setup, you need a service account with:
- Folder Creator and Project Creator within a folder/organization.
- Billing Account Administrator on a billing account

Export the Service Account credentials to your environment like so:
Export the Service Account email to your environment like so:

```bash
export SERVICE_ACCOUNT_JSON=$(< credentials.json)
export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=account-id@my-project-id.iam.gserviceaccount.com
```

You will also need to set a few environment variables:
30 changes: 19 additions & 11 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -18,10 +18,23 @@
# Make will use bash instead of sh
SHELL := /usr/bin/env bash

# Checks the Google Cloud SDK config envvar and if not set uses the default value.
CLOUDSDK_CONFIG ?= $(HOME)/.config/gcloud

DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.23
DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
REGISTRY_URL := gcr.io/cloud-foundation-cicd

DEVELOPER_TOOLS_IMAGE_REFERENCE := $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS}

# Mount the user's gcloud SDK inside the docker container.
AUTHENTICATED_DEVELOPER_TOOLS_IMAGE_REFERENCE := -v "$(CLOUDSDK_CONFIG):/gcp/config" \
-e "CLOUDSDK_CONFIG=/gcp/config" \
-e "CFT_DISABLE_INIT_CREDENTIALS=yes" \
-e "GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$(GOOGLE_IMPERSONATE_SERVICE_ACCOUNT)" \
-e "GOOGLE_APPLICATION_CREDENTIALS=/gcp/config/application_default_credentials.json" \
$(DEVELOPER_TOOLS_IMAGE_REFERENCE)

# Execute lint tests within the docker container
.PHONY: docker_test_lint
docker_test_lint:
Expand All @@ -30,15 +43,15 @@ docker_test_lint:
-e DISABLE_TFLINT=1 \
-e EXCLUDE_LINT_DIRS \
-v $(CURDIR):/workspace \
$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
$(DEVELOPER_TOOLS_IMAGE_REFERENCE) \
/usr/local/bin/test_lint.sh

# Generate documentation
.PHONY: docker_generate_docs
docker_generate_docs:
docker run --rm -it \
-v $(CURDIR):/workspace \
$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
$(DEVELOPER_TOOLS_IMAGE_REFERENCE) \
/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs'

# Alias for backwards compatibility
Expand All @@ -49,52 +62,47 @@ generate_docs: docker_generate_docs
.PHONY: docker_run
docker_run:
docker run --rm -it \
-e SERVICE_ACCOUNT_JSON \
-e TF_VAR_org_id \
-e TF_VAR_folder_id \
-e TF_VAR_billing_account \
-e TF_VAR_group_email \
-e TF_VAR_domain_to_allow \
-e TF_VAR_example_foundations_mode \
-v "$(CURDIR)":/workspace \
$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
/bin/bash
$(AUTHENTICATED_DEVELOPER_TOOLS_IMAGE_REFERENCE)

# Execute prepare tests within the docker container
.PHONY: docker_test_prepare
docker_test_prepare:
docker run --rm -it \
-e SERVICE_ACCOUNT_JSON \
-e TF_VAR_org_id \
-e TF_VAR_folder_id \
-e TF_VAR_billing_account \
-e TF_VAR_group_email \
-e TF_VAR_domain_to_allow \
-e TF_VAR_example_foundations_mode \
-v "$(CURDIR)":/workspace \
$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
$(AUTHENTICATED_DEVELOPER_TOOLS_IMAGE_REFERENCE) \
/usr/local/bin/execute_with_credentials.sh prepare_environment

# Clean up test environment within the docker container
.PHONY: docker_test_cleanup
docker_test_cleanup:
docker run --rm -it \
-e SERVICE_ACCOUNT_JSON \
-e TF_VAR_org_id \
-e TF_VAR_folder_id \
-e TF_VAR_billing_account \
-e TF_VAR_group_email \
-e TF_VAR_domain_to_allow \
-e TF_VAR_example_foundations_mode \
-v "$(CURDIR)":/workspace \
$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
$(AUTHENTICATED_DEVELOPER_TOOLS_IMAGE_REFERENCE) \
/usr/local/bin/execute_with_credentials.sh cleanup_environment

# Execute integration tests within the docker container
.PHONY: docker_test_integration
docker_test_integration:
docker run --rm -it \
-e SERVICE_ACCOUNT_JSON \
-v "$(CURDIR)":/workspace \
$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
$(AUTHENTICATED_DEVELOPER_TOOLS_IMAGE_REFERENCE) \
/usr/local/bin/test_integration.sh
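Review bot: The `-v "$(CLOUDSDK_CONFIG):/gcp/config"` mount in `AUTHENTICATED_DEVELOPER_TOOLS_IMAGE_REFERENCE` hands the container the developer's whole gcloud configuration directory, read-write, while the only file the added flags name is `application_default_credentials.json`. That directory normally also holds gcloud's own credential store for every account the user has logged in with, so everything run by `docker_run`, `docker_test_prepare`, `docker_test_cleanup` and `docker_test_integration` can read and modify more than the impersonation flow appears to need. If the scripts in the image do not have to write there, mount it read-only, `-v "$(CLOUDSDK_CONFIG):/gcp/config:ro"`, or bind only the ADC file. A comment above the variable should also state that it expects `gcloud auth application-default login` to have been run and `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` to be set, since an unset value is passed into the container as an empty string.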