From f1b77845e7a5479f77099bbc7d8ae13cb7ad4456 Mon Sep 17 00:00:00 2001
From: Julien Poissonnier
Date: Mon, 19 Aug 2024 12:27:04 +0200
Subject: [PATCH] Test GCP CLI & projects

Test that the GCP CLI can connect and retrieve basic project information. Test that GCP templates work across languages.

Fixes https://github.com/pulumi/pulumi-docker-containers/issues/209
---
 .github/workflows/ci.yml | 69 ++++++++++++++++++++++++++++++++++++++++
 tests/containers_test.go | 40 +++++++++++++++++++++--
 2 files changed, 107 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ff34cbde..0c05d039 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -35,6 +35,14 @@ env:
 ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
 ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
 AWS_REGION: "us-west-2"
+ # GCP
+ GCP_SERVICE_ACCOUNT_EMAIL: "pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com"
+ GCP_PROJECT_NAME: "pulumi-ci-gcp-provider"
+ GCP_PROJECT_NUMBER: "895284651812"
+ GCP_WORKLOAD_IDENTITY_POOL: "pulumi-ci"
+ GCP_WORKLOAD_IDENTITY_PROVIDER: "pulumi-ci"
+ GCP_REGION: "us-central1"
+ GCP_ZONE: "us-central1-a"
 
 jobs:
 comment-notification:
@@ -60,6 +68,8 @@ jobs:
 matrix:
 go-version: [1.21.x]
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
 steps:
 # If no version of Pulumi is supplied by the incoming event (e.g. in the
 # case of a PR or merge to main), we use the latest production version:
@@ -68,6 +78,7 @@ jobs:
 run: |
 echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV
 - uses: actions/checkout@master
+
 - name: Free Disk Space (Ubuntu)
 uses: jlumbroso/free-disk-space@main
 with:
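Review bot: The job-level `permissions:` block added in the `@@ -60,6 +68,8 @@` hunk lists only `id-token: write`, and a job-level block replaces the default token permissions wholesale, so `contents: read` is dropped for this job unless a workflow-level `permissions:` block outside this diff still grants it; that can break the `actions/checkout@master` step in the next hunk on a private clone. Add it alongside: `permissions:` / `contents: read` / `id-token: write`. Separately, `id-token: write` lets every run of this job present an OIDC token for the hard-coded pool/provider, and the provider's attribute condition (configured in GCP, not visible here) is the only thing bounding which repository and refs may impersonate the `pulumi-ci@…` service account — it should pin `assertion.repository`, especially if this workflow also runs for pull requests as the `# case of a PR` comment suggests. The same two-line block is repeated in three other jobs below and needs the same treatment.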
@@ -108,6 +119,15 @@ jobs:
 role-duration-seconds: 14400 # 4 hours
 role-session-name: pulumi-docker-containers@githubActions
 role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
+ - name: Authenticate with Google Cloud
+ uses: google-github-actions/auth@v2
+ with:
+ service_account: ${{ env.GCP_SERVICE_ACCOUNT_EMAIL }}
+ workload_identity_provider: projects/${{ env.GCP_PROJECT_NUMBER
+ }}/locations/global/workloadIdentityPools/${{ env.GCP_WORKLOAD_IDENTITY_POOL
+ }}/providers/${{ env.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+ - name: 'Set up Cloud SDK'
+ uses: 'google-github-actions/setup-gcloud@v2'
 - name: Tests
 # Note we use /src/pulumi-test-containers as entrypoint and not bash to avoid bash
 # changing the environment in some way.
@@ -125,6 +145,10 @@ jobs:
 -e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \
 -e AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} \
 -e AWS_REGION=${AWS_REGION} \
+ -e GCP_PROJECT_NAME=${GCP_PROJECT_NAME} \
+ -e GCP_PROJECT_NUMBER=${GCP_PROJECT_NUMBER} \
+ -e GOOGLE_APPLICATION_CREDENTIALS=/src/creds.json \
+ --mount type=bind,source=$GOOGLE_APPLICATION_CREDENTIALS,target=/src/creds.json \
 --volume /tmp:/src \
 --entrypoint /src/pulumi-test-containers \
 ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }} \
@@ -136,6 +160,8 @@ jobs:
 matrix:
 go-version: [1.21.x]
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
 steps:
 # If no version of Pulumi is supplied by the incoming event (e.g. in the
 # case of a PR or merge to main), we use the latest production version:
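Review bot: `uses: google-github-actions/auth@v2` and `uses: 'google-github-actions/setup-gcloud@v2'` in the `@@ -108,6 +119,15 @@` hunk reference mutable major-version tags, and the auth action is precisely the code that receives the job's OIDC token and exchanges it for service-account credentials, so a retagged or compromised release changes what handles that token without any diff here. Pin both to a full commit SHA with the version in a trailing comment, e.g. `uses: google-github-actions/auth@<sha> # v2`. The same two steps are copy-pasted into four jobs in this patch; a small composite action (or a reusable workflow) would keep the pins and inputs in one place.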
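Review bot: The bind mount in the `@@ -125,6 +145,10 @@` hunk, `--mount type=bind,source=$GOOGLE_APPLICATION_CREDENTIALS,target=/src/creds.json`, hands the image under test a writable view of the runner's credential file; add `,readonly` to the mount options so code running in the container cannot alter it. Also worth checking before relying on this in four jobs: what the auth action writes at `$GOOGLE_APPLICATION_CREDENTIALS` is an external_account credential configuration rather than a key, and depending on how the action is configured its `credential_source` may point at a token file or request URL on the runner that is not visible inside the container — the `/tmp:/src` volume only covers `/tmp`. The Go-side `gcloud auth login --cred-file` test would fail loudly in that case, but a comment on the mount line recording what the file is expected to contain would save the next reader the investigation. The three other `docker run` hunks below carry the identical mount.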
@@ -184,6 +210,15 @@ jobs:
 role-duration-seconds: 14400 # 4 hours
 role-session-name: pulumi-docker-containers@githubActions
 role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
+ - name: Authenticate with Google Cloud
+ uses: google-github-actions/auth@v2
+ with:
+ service_account: ${{ env.GCP_SERVICE_ACCOUNT_EMAIL }}
+ workload_identity_provider: projects/${{ env.GCP_PROJECT_NUMBER
+ }}/locations/global/workloadIdentityPools/${{ env.GCP_WORKLOAD_IDENTITY_POOL
+ }}/providers/${{ env.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+ - name: 'Set up Cloud SDK'
+ uses: 'google-github-actions/setup-gcloud@v2'
 - name: Tests
 run: |
 docker run \
@@ -199,6 +234,10 @@ jobs:
 -e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \
 -e AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} \
 -e AWS_REGION=${AWS_REGION} \
+ -e GCP_PROJECT_NAME=${GCP_PROJECT_NAME} \
+ -e GCP_PROJECT_NUMBER=${GCP_PROJECT_NUMBER} \
+ -e GOOGLE_APPLICATION_CREDENTIALS=/src/creds.json \
+ --mount type=bind,source=$GOOGLE_APPLICATION_CREDENTIALS,target=/src/creds.json \
 --volume /tmp:/src \
 --entrypoint /src/pulumi-test-containers \
 ${{ env.DOCKER_ORG }}/pulumi-provider-build-environment:${{ env.PULUMI_VERSION }} \
@@ -247,6 +286,8 @@ jobs:
 debian-sdk:
 name: Debian SDK images
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
 needs: define-matrix
 strategy:
 fail-fast: false
@@ -305,6 +346,15 @@ jobs:
 role-duration-seconds: 14400 # 4 hours
 role-session-name: pulumi-docker-containers@githubActions
 role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
+ - name: Authenticate with Google Cloud
+ uses: google-github-actions/auth@v2
+ with:
+ service_account: ${{ env.GCP_SERVICE_ACCOUNT_EMAIL }}
+ workload_identity_provider: projects/${{ env.GCP_PROJECT_NUMBER
+ }}/locations/global/workloadIdentityPools/${{ env.GCP_WORKLOAD_IDENTITY_POOL
+ }}/providers/${{ env.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+ - name: 'Set up Cloud SDK'
+ uses: 'google-github-actions/setup-gcloud@v2'
 - name: Tests
 run: |
 docker run \
@@ -321,6 +371,10 @@ jobs:
 -e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \
 -e AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} \
 -e AWS_REGION=${AWS_REGION} \
+ -e GCP_PROJECT_NAME=${GCP_PROJECT_NAME} \
+ -e GCP_PROJECT_NUMBER=${GCP_PROJECT_NUMBER} \
+ -e GOOGLE_APPLICATION_CREDENTIALS=/src/creds.json \
+ --mount type=bind,source=$GOOGLE_APPLICATION_CREDENTIALS,target=/src/creds.json \
 --volume /tmp:/src \
 --entrypoint /src/pulumi-test-containers \
 --platform ${{ matrix.arch }} \
@@ -330,6 +384,8 @@ jobs:
 ubi-sdk:
 name: UBI SDK images
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
 strategy:
 fail-fast: false
 matrix:
@@ -390,6 +446,15 @@ jobs:
 role-duration-seconds: 14400 # 4 hours
 role-session-name: pulumi-docker-containers@githubActions
 role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
+ - name: Authenticate with Google Cloud
+ uses: google-github-actions/auth@v2
+ with:
+ service_account: ${{ env.GCP_SERVICE_ACCOUNT_EMAIL }}
+ workload_identity_provider: projects/${{ env.GCP_PROJECT_NUMBER
+ }}/locations/global/workloadIdentityPools/${{ env.GCP_WORKLOAD_IDENTITY_POOL
+ }}/providers/${{ env.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+ - name: 'Set up Cloud SDK'
+ uses: 'google-github-actions/setup-gcloud@v2'
 - name: Tests
 run: |
 docker run \
@@ -406,6 +471,10 @@ jobs:
 -e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \
 -e AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} \
 -e AWS_REGION=${AWS_REGION} \
+ -e GCP_PROJECT_NAME=${GCP_PROJECT_NAME} \
+ -e GCP_PROJECT_NUMBER=${GCP_PROJECT_NUMBER} \
+ -e GOOGLE_APPLICATION_CREDENTIALS=/src/creds.json \
+ --mount type=bind,source=$GOOGLE_APPLICATION_CREDENTIALS,target=/src/creds.json \
 --volume /tmp:/src \
 --entrypoint /src/pulumi-test-containers \
 ${{ env.DOCKER_ORG }}/pulumi-${{ matrix.sdk }}:${{ env.PULUMI_VERSION }}-ubi \
diff --git a/tests/containers_test.go b/tests/containers_test.go
index 058b5896..ec370b53 100644
--- a/tests/containers_test.go
+++ b/tests/containers_test.go
@@ -57,19 +57,25 @@ func TestPulumiTemplateTests(t *testing.T) {
 mustEnv(t, "AWS_ACCESS_KEY_ID")
 mustEnv(t, "AWS_SECRET_ACCESS_KEY")
 mustEnv(t, "AWS_SESSION_TOKEN")
+ // GCP
+ project := mustEnv(t, "GCP_PROJECT_NAME")
+ mustEnv(t, "GOOGLE_APPLICATION_CREDENTIALS")
 stackOwner := mustEnv(t, "PULUMI_ORG")
 
- sdksToTest := []string{"csharp", "python", "typescript", "go", "java"}
+ sdksToTest := []string{ /*"csharp", "python",*/ "typescript" /* , "go", "java"*/}
 if os.Getenv("SDKS_TO_TEST") != "" {
 sdksToTest = strings.Split(os.Getenv("SDKS_TO_TEST"), ",")
 }
 
- clouds := []string{"azure", "aws" /* , "gcp"*/}
+ clouds := []string{"gcp" /* , "azure", "aws"*/}
 configs := map[string]map[string]string{
 "azure": {
 "azure-native:location": "EastUS",
 },
 "aws": {},
+ "gcp": {
+ "gcp:project": project,
+ },
 }
 
 testCases := []testCase{}
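Review bot: The new `sdksToTest` and `clouds` literals leave most of the matrix commented out, so after this commit only `typescript` against `gcp` runs by default — the existing Azure and AWS template coverage is silently dropped, which contradicts the commit message's "work across languages". This looks like a local debugging narrowing that was not reverted before submission; the `SDKS_TO_TEST` override a few lines down already exists for narrowing a run. Restore the full lists: `sdksToTest := []string{"csharp", "python", "typescript", "go", "java"}` and `clouds := []string{"azure", "aws", "gcp"}`. `TestPulumiTemplateTests` continues past the end of this hunk.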
@@ -193,6 +199,36 @@ func TestCLIToolTests(t *testing.T) {
 require.True(t, ok)
 require.Contains(t, arn, "pulumi-docker-containers@githubActions")
 })
+
+ t.Run("GCP CLI", func(t *testing.T) {
+ t.Parallel()
+
+ project := mustEnv(t, "GCP_PROJECT_NAME")
+ projectNumber := mustEnv(t, "GCP_PROJECT_NUMBER")
+ credsFile := mustEnv(t, "GOOGLE_APPLICATION_CREDENTIALS")
+
+ cmd := exec.Command("gcloud", "--quiet", "auth", "login", "--force", "--cred-file", credsFile)
+ out, err := cmd.CombinedOutput()
+ fmt.Println("OUT 1:", string(out))
+ require.NoError(t, err)
+
+ cmd = exec.Command("gcloud", "--quiet", "config", "set", "project", project)
+ out, err = cmd.CombinedOutput()
+ fmt.Println("OUT 2", string(out))
+ require.NoError(t, err)
+
+ cmd = exec.Command("gcloud", "--quiet", "projects", "describe", project, "--format", "json")
+ out, err = cmd.CombinedOutput()
+ fmt.Println(`OUT 3:`, string(out))
+ require.NoError(t, err)
+ var projectInfo map[string]interface{}
+ require.NoError(t, json.Unmarshal(out, &projectInfo))
+ projectNumber, ok := projectInfo["projectId"].(string)
+ if !ok {
+ require.Failf(t, "projectId not found in %s", string(out))
+ }
+ require.Equal(t, project, projectNumber)
+ })
 }
 
 func TestEnvironment(t *testing.T) {
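Review bot: The `projectNumber` read from `GCP_PROJECT_NUMBER` is never checked: `projectNumber, ok := projectInfo["projectId"].(string)` reuses the same variable in the same scope (`:=` only declares `ok`), so the env value is overwritten with the project ID and the final `require.Equal(t, project, projectNumber)` compares the ID with itself, which is what the closing assertion claims to verify but does not. Decode into a struct and assert both fields, as sketched below; `gcloud projects describe --format json` emits `projectId` and `projectNumber` as strings, so the comparison against the env value is direct. Two smaller points: the `fmt.Println("OUT 1:", …)` lines read as leftover debugging and should be `t.Log` so the output stays attached to the subtest, and `gcloud auth login --force` plus `config set project` mutate the shared gcloud configuration inside a `t.Parallel()` subtest, which is only safe as long as no sibling subtest also shells out to gcloud — worth a comment on the `t.Parallel()` line.
```go
	// … unchanged: gcloud auth login / config set project / projects describe …
	var projectInfo struct {
		ProjectID     string `json:"projectId"`
		ProjectNumber string `json:"projectNumber"`
	}
	require.NoError(t, json.Unmarshal(out, &projectInfo), "unexpected describe output: %s", string(out))
	require.Equal(t, project, projectInfo.ProjectID)
	require.Equal(t, projectNumber, projectInfo.ProjectNumber)
```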