Merge pull request GoogleCloudPlatform#1699 from maqiuyujoyce/202405-…

…test-sis-merge-in-iam Add 'state-into-spec: merge' test cases for the handwritten IAM resources
199201shubhamsahu · May 7, 2024 · c14f507 · c14f507
2 parents a9d1d36 + 79f193f
commit c14f507
Show file tree

Hide file tree

Showing 4 changed files with 139 additions and 0 deletions.
diff --git a/pkg/controller/iam/auditconfig/iamauditconfig_controller_integration_test.go b/pkg/controller/iam/auditconfig/iamauditconfig_controller_integration_test.go
@@ -71,6 +71,28 @@ func TestReconcileIAMAuditConfigResourceLevelCreate(t *testing.T) {
 	testiam.RunResourceLevelTest(ctx, t, mgr, testFunc, testiam.ShouldRunWithAuditConfigs)
 }
 
+func TestReconcileIAMAuditConfigResourceLevelCreateWithSISMerge(t *testing.T) {
+	ctx := context.TODO()
+
+	testFunc := func(ctx context.Context, t *testing.T, _ string, mgr manager.Manager, rc testiam.IAMResourceContext, refResource *unstructured.Unstructured, resourceRef v1beta1.ResourceReference) {
+		auditLogConfigs := []iamv1beta1.AuditLogConfig{
+			{
+				LogType: "DATA_WRITE",
+			},
+			{
+				LogType:         "DATA_READ",
+				ExemptedMembers: []v1beta1.Member{v1beta1.Member(testgcp.GetIAMPolicyBindingMember(t))},
+			},
+		}
+		k8sAuditConfig := newIAMAuditConfigFixture(t, refResource, resourceRef, "allServices", auditLogConfigs)
+		k8sAuditConfig.ObjectMeta.Annotations = map[string]string{
+			"cnrm.cloud.google.com/state-into-spec": "merge",
+		}
+		testReconcileResourceLevelCreate(ctx, t, mgr, k8sAuditConfig)
+	}
+	testiam.RunResourceLevelTest(ctx, t, mgr, testFunc, testiam.ShouldRunWithAuditConfigs)
+}
+
 func TestReconcileIAMAuditConfigResourceLevelCreateWithExternalRef(t *testing.T) {
 	ctx := context.TODO()
 

diff --git a/pkg/controller/iam/partialpolicy/iampartialpolicy_controller_integration_test.go b/pkg/controller/iam/partialpolicy/iampartialpolicy_controller_integration_test.go
@@ -42,6 +42,7 @@ import (
 	testiam "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/test/iam"
 	testk8s "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/test/k8s"
 	testmain "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/test/main"
+	"github.com/GoogleCloudPlatform/k8s-config-connector/pkg/test/resourcefixture"
 	testservicemappingloader "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/test/servicemappingloader"
 	tfprovider "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/tf/provider"
 
@@ -251,6 +252,58 @@ func TestReconcileIAMPartialPolicyResourceLevelCreateNoChangesUpdateDelete(t *te
 	testiam.RunResourceLevelTest(ctx, t, mgr, resourceLevelIAMPartialPolicyTestFunc, nil)
 }
 
+func TestReconcileIAMPartialPolicyResourceLevelCreateNoChangesUpdateDeleteWithSISMerge(t *testing.T) {
+	ctx := context.TODO()
+	shouldRun := func(fixture resourcefixture.ResourceFixture) bool {
+		return fixture.GVK.Kind == "PubSubTopic"
+	}
+	var resourceLevelIAMPartialPolicyTestFunc = func(ctx context.Context, t *testing.T, _ string, mgr manager.Manager, rc testiam.IAMResourceContext, refResource *unstructured.Unstructured, resourceRef iamv1beta1.ResourceReference) {
+		provider := tfprovider.NewOrLogFatal(tfprovider.DefaultConfig)
+		kubeClient := mgr.GetClient()
+		smLoader := testservicemappingloader.New(t)
+		dclSchemaLoader, err := dclschemaloader.New()
+		dclConfig := clientconfig.NewForIntegrationTest()
+		if err != nil {
+			t.Fatalf("error creating a new DCL schema loader: %v", err)
+		}
+		serviceMetaLoader := dclmetadata.New()
+		converter := conversion.New(dclSchemaLoader, serviceMetaLoader)
+		iamClient := kcciamclient.New(provider, smLoader, kubeClient, converter, dclConfig)
+		reconciler := testreconciler.NewForDCLAndTFTestReconciler(t, mgr, provider, dclConfig)
+		testMembers := []iamv1beta1.IAMPartialPolicyMember{
+			{
+				Member: iamv1beta1.Member("group:[email protected]"),
+			},
+		}
+		bindings := make([]iamv1beta1.IAMPartialPolicyBinding, 0)
+
+		updateTestCases := []updateTestCase{
+			{
+				name: "new bindings with one more role",
+				newBindings: []iamv1beta1.IAMPartialPolicyBinding{
+					{
+						Role:    rc.CreateBindingRole,
+						Members: testMembers,
+					},
+					{
+						Role:    rc.UpdateBindingRole,
+						Members: testMembers,
+					},
+				},
+			},
+		}
+
+		k8sPartialPolicy := newIAMPartialPolicyFixture(t, refResource, resourceRef, bindings)
+		k8sPartialPolicy.SetAnnotations(map[string]string{
+			"cnrm.cloud.google.com/state-into-spec": "merge",
+		})
+		// Preset some bindings to the IAM policy.
+		existingPolicy := presetPolicy(ctx, t, iamClient, rc, k8sPartialPolicy)
+		testReconcileResourceLevelCreateNoChangesUpdateDelete(ctx, t, kubeClient, k8sPartialPolicy, updateTestCases, existingPolicy, iamClient, reconciler)
+	}
+	testiam.RunResourceLevelTest(ctx, t, mgr, resourceLevelIAMPartialPolicyTestFunc, shouldRun)
+}
+
 func TestReconcileIAMPartialPolicyResourceLevelCreateNoChangesUpdateDeleteWithExternalRef(t *testing.T) {
 	ctx := context.TODO()
 

diff --git a/pkg/controller/iam/policy/iampolicy_controller_integration_test.go b/pkg/controller/iam/policy/iampolicy_controller_integration_test.go
@@ -38,6 +38,7 @@ import (
 	testiam "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/test/iam"
 	testk8s "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/test/k8s"
 	testmain "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/test/main"
+	"github.com/GoogleCloudPlatform/k8s-config-connector/pkg/test/resourcefixture"
 	testservicemappingloader "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/test/servicemappingloader"
 	tfprovider "github.com/GoogleCloudPlatform/k8s-config-connector/pkg/tf/provider"
 
@@ -96,6 +97,52 @@ func TestReconcileIAMPolicyResourceLevelCreateNoChangesUpdateDelete(t *testing.T
 	testiam.RunResourceLevelTest(ctx, t, mgr, resourceLevelIAMPolicyTestFunc, nil)
 }
 
+func TestReconcileIAMPolicyResourceLevelCreateNoChangesUpdateDeleteWithSISMerge(t *testing.T) {
+	ctx := context.TODO()
+	shouldRun := func(fixture resourcefixture.ResourceFixture) bool {
+		return fixture.GVK.Kind == "PubSubTopic"
+	}
+	var resourceLevelIAMPolicyTestFunc = func(ctx context.Context, t *testing.T, _ string, mgr manager.Manager, rc testiam.IAMResourceContext, refResource *unstructured.Unstructured, resourceRef v1beta1.ResourceReference) {
+		bindings := []iamv1beta1.IAMPolicyBinding{
+			{
+				Role:    rc.CreateBindingRole,
+				Members: []v1beta1.Member{v1beta1.Member(testgcp.GetIAMPolicyBindingMember(t))},
+			},
+		}
+		newBindings := []iamv1beta1.IAMPolicyBinding{
+			{
+				Role:    rc.CreateBindingRole,
+				Members: []v1beta1.Member{v1beta1.Member(testgcp.GetIAMPolicyBindingMember(t))},
+			},
+			{
+				Role:    rc.UpdateBindingRole,
+				Members: []v1beta1.Member{v1beta1.Member(testgcp.GetIAMPolicyBindingMember(t))},
+			},
+		}
+		k8sPolicy := newIAMPolicyFixture(t, refResource, resourceRef, bindings, nil)
+		k8sPolicy.SetAnnotations(map[string]string{
+			"cnrm.cloud.google.com/state-into-spec": "merge",
+		})
+		newK8sPolicy := k8sPolicy.DeepCopy()
+		newK8sPolicy.Spec.Bindings = newBindings
+		provider := tfprovider.NewOrLogFatal(tfprovider.DefaultConfig)
+		smLoader := testservicemappingloader.New(t)
+		kubeClient := mgr.GetClient()
+		dclConfig := clientconfig.NewForIntegrationTest()
+		dclSchemaLoader, err := dclschemaloader.New()
+		if err != nil {
+			t.Fatalf("error creating a new DCL schema loader: %v", err)
+		}
+		serviceMetaLoader := dclmetadata.New()
+		converter := conversion.New(dclSchemaLoader, serviceMetaLoader)
+		iamClient := kcciamclient.New(provider, smLoader, kubeClient, converter, dclConfig)
+		reconciler := testreconciler.NewForDCLAndTFTestReconciler(t, mgr, provider, dclConfig)
+
+		testReconcileResourceLevelCreateNoChangesUpdateDelete(ctx, t, kubeClient, k8sPolicy, newK8sPolicy, iamClient, reconciler)
+	}
+	testiam.RunResourceLevelTest(ctx, t, mgr, resourceLevelIAMPolicyTestFunc, shouldRun)
+}
+
 func TestReconcileIAMPolicyResourceLevelCreateNoChangesUpdateDeleteWithExternalRef(t *testing.T) {
 	ctx := context.TODO()
 

diff --git a/pkg/controller/iam/policymember/iampolicymember_controller_integration_test.go b/pkg/controller/iam/policymember/iampolicymember_controller_integration_test.go
@@ -65,6 +65,23 @@ func TestReconcileIAMPolicyMemberResourceLevelCreateDelete(t *testing.T) {
 	testiam.RunResourceLevelTest(ctx, t, mgr, testFunc, testiam.ShouldRunWithTFResourcesOnly)
 }
 
+func TestReconcileIAMPolicyMemberResourceLevelCreateDeleteWithSISMerge(t *testing.T) {
+	ctx := context.TODO()
+
+	shouldRun := func(fixture resourcefixture.ResourceFixture) bool {
+		return fixture.GVK.Kind == "PubSubTopic"
+	}
+
+	testFunc := func(ctx context.Context, t *testing.T, testID string, mgr manager.Manager, rc testiam.IAMResourceContext, refResource *unstructured.Unstructured, resourceRef v1beta1.ResourceReference) {
+		k8sPolicyMember := newIAMPolicyMemberFixture(t, refResource, resourceRef, rc.CreateBindingRole, testgcp.GetIAMPolicyBindingMember(t))
+		k8sPolicyMember.SetAnnotations(map[string]string{
+			"cnrm.cloud.google.com/state-into-spec": "merge",
+		})
+		testPolicyMemberCreateDelete(ctx, t, mgr, k8sPolicyMember)
+	}
+	testiam.RunResourceLevelTest(ctx, t, mgr, testFunc, shouldRun)
+}
+
 func TestReconcileIAMPolicyMemberResourceLevelCreateDeleteWithReconcileInterval(t *testing.T) {
 	ctx := context.TODO()