refactor: decouple terraform with integration test (#73)

* decouple terraform with integration test * added comments * fixed service account * add project id and keyring in the caller * added validation * hardcode project id * changed to env variable * added testjvs back * fixed nits * hardcode service account * use env variable for service account * fixed integration test
abcxyz · Jun 28, 2022 · f518123 · f518123
1 parent 2994a51
commit f518123
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 28 deletions.
diff --git a/.github/workflows/test-integration.yaml b/.github/workflows/test-integration.yaml
@@ -16,8 +16,10 @@ concurrency:
 jobs:
   integration:
     env:
-      # project: jvs-ci
-      PROJECT_NUMBER: '1039479707997'
+      # project: jvs-ci-test
+      PROJECT_NUMBER: '1096923323432'
+      PROJECT_ID: 'jvs-ci-test'
+      KEYRING_ID: 'ci-keyring'
 
     permissions:
       contents: 'read'
@@ -49,15 +51,7 @@ jobs:
         uses: 'google-github-actions/auth@ceee102ec2387dd9e844e01b530ccd4ec87ce955' # ratchet:google-github-actions/auth@v0
         with:
           workload_identity_provider: 'projects/${{ env.PROJECT_NUMBER }}/locations/global/workloadIdentityPools/github-pool/providers/github-provider'
-          service_account: 'gh-access-sa@jvs-ci.iam.gserviceaccount.com'
-          token_format: 'access_token' # Needed for Terraform workaround
-
-      # TODO: Workload Identity doesn't work with GCS Provider.
-      # https://github.com/google-github-actions/auth/issues/89
-      - name: 'Workaround Terraform issue'
-        shell: 'bash'
-        run: |-
-          echo "GOOGLE_OAUTH_ACCESS_TOKEN=${{ steps.auth.outputs.access_token }}" >> $GITHUB_ENV
+          service_account: 'gh-access-sa@${{ env.PROJECT_ID }}.iam.gserviceaccount.com'
 
       - name: 'Install and configure gcloud'
         uses: 'google-github-actions/setup-gcloud@877d4953d2c70a0ba7ef3290ae968eb24af233bb' # ratchet:google-github-actions/setup-gcloud@v0

diff --git a/scripts/integration_build.sh b/scripts/integration_build.sh
@@ -12,25 +12,13 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
+set -u # -u makes bash error on undefined variables
 ROOT="$(cd "$(dirname "$0")/.." &>/dev/null; pwd -P)"
 
-JVS_SERVICE_ACCOUNT="jvs-service-sa@jvs-ci.iam.gserviceaccount.com"
-ROTATOR_SERVICE_ACCOUNT="rotator-sa@jvs-ci.iam.gserviceaccount.com"
-PUB_KEY_SERVICE_ACCOUNT="pubkey-sa@jvs-ci.iam.gserviceaccount.com"
-PROJECT_ID="jvs-ci"
-
-CI_DIR=${ROOT}/terraform/modules/ci-run
-
-cd $CI_DIR
-terraform init
-terraform apply -auto-approve \
-  -var="project_id=${PROJECT_ID}" \
-  -var="jvs_service_account=${JVS_SERVICE_ACCOUNT}" \
-  -var="rotator_service_account=${ROTATOR_SERVICE_ACCOUNT}" \
-  -var="public_key_service_account=${PUB_KEY_SERVICE_ACCOUNT}"
+printf "Argument project_id is %s\n" "${PROJECT_ID}"
+printf "Argument keyring_id is %s\n" "${KEYRING_ID}"
 
-export TEST_JVS_KMS_KEY_RING=$(terraform output key_ring)
+export TEST_JVS_KMS_KEY_RING="projects/${PROJECT_ID}/locations/global/keyRings/${KEYRING_ID}"
 export TEST_JVS_INTEGRATION=true
 
 cd ${ROOT}

diff --git a/test/integ/main_test.go b/test/integ/main_test.go
@@ -17,6 +17,9 @@ package integ
 
 import (
 	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
 	"crypto/x509"
 	"encoding/pem"
 	"errors"
@@ -43,6 +46,7 @@ import (
 	"github.com/sethvargo/go-retry"
 	"google.golang.org/api/iterator"
 	kmspb "google.golang.org/genproto/googleapis/cloud/kms/v1"
+	"google.golang.org/grpc/metadata"
 	"google.golang.org/protobuf/types/known/durationpb"
 	"google.golang.org/protobuf/types/known/fieldmaskpb"
 )
@@ -88,6 +92,26 @@ func TestJVS(t *testing.T) {
 		t.Fatalf("failed to setup grpc auth handler: %v", err)
 	}
 
+	authKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+	ecdsaKey, err := jwk.FromRaw(authKey.PublicKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+	key := "projects/[PROJECT]/locations/[LOCATION]/keyRings/[KEY_RING]/cryptoKeys/[CRYPTO_KEY]"
+	keyID := key + "/cryptoKeyVersions/[VERSION]-0"
+	if err := ecdsaKey.Set(jwk.KeyIDKey, keyID); err != nil {
+		t.Fatal(err)
+	}
+
+	tok := testutil.CreateJWT(t, "test_id", "user@example.com")
+	validJWT := testutil.SignToken(t, tok, authKey, keyID)
+	ctx = metadata.NewIncomingContext(ctx, metadata.New(map[string]string{
+		"authorization": "Bearer " + validJWT,
+	}))
+
 	p := justification.NewProcessor(kmsClient, cfg, authHandler)
 	jvsAgent := justification.NewJVSAgent(p)
 
@@ -116,7 +140,7 @@ func TestJVS(t *testing.T) {
 				"justs": []any{
 					map[string]any{"category": "explanation", "value": "This is a test."},
 				},
-				"sub": "TODO #22",
+				"sub": "user@example.com",
 			},
 		},
 		{