Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix shared VPC IAM bindings #164

Merged
merged 3 commits into from
Mar 11, 2019
Merged

Fix shared VPC IAM bindings #164

merged 3 commits into from
Mar 11, 2019

Conversation

glarizza
Copy link
Contributor

@glarizza glarizza commented Mar 7, 2019

This commit addresses issue #97
(#97)
and updates the logic around IAM bindings with regard to shared VPC
subnets. The logic is as follows:

  1. If var.shared_vpc and var.shared_vpc_subnets are empty no
    bindings are mad
  2. If var.shared_vpc is set but no subnets are provided with
    var.shared_vpc_subnets then the IAM bindings are set at the Host
    Project
  3. If var.shared_vpc is set and var.shared_vpc_subnets contains
    subnets then the IAM bindings are granted on the subnetworks
    themselve

This commit updates the logic used to calculate the Host Project
bindings based on scenario 3 above. The tests have also been modified to
ensure that those bindings AREN'T set.

@aaron-lane
Copy link
Contributor

Closes #98.

adrienthebo
adrienthebo previously requested changes Mar 7, 2019
View reviewed changes
Copy link
Contributor

@adrienthebo adrienthebo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We regressed on this behavior because the intent of this code wasn't immediately clear - could you update the README to explain the behaviors around subnet sharing?

LGTM otherwise, soft 👍

aaron-lane
aaron-lane suggested changes Mar 7, 2019
View reviewed changes
Copy link
Contributor

@aaron-lane aaron-lane left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need at least 3 suites to ensure that all of the cases in #97 are tested. This should include additional examples and test fixtures.

The branch also needs to be rebased against master.

@morgante
Copy link
Contributor

morgante commented Mar 7, 2019
edited
Loading

We need at least 3 suites to ensure that all of the cases in #97 are tested. This should include additional examples and test fixtures.

Agreed, but it would be good if we can merge this sooner rather than later. (ie. I don't think new tests should be blocking, readme documentation should be though.)

@glarizza glarizza force-pushed the gl/fixed_shared_vpc branch from 1213fd3 to d01910a Compare March 7, 2019 23:55
@adrienthebo adrienthebo dismissed their stale review March 8, 2019 00:28

Dismissing stale review.

adrienthebo
adrienthebo reviewed Mar 8, 2019
View reviewed changes
Copy link
Contributor

@adrienthebo adrienthebo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We are getting CI failures, and I think it's because we have overlapping checks between the test suites. My current thinking is that the full project assigns access to subnets and doesn't add roles/compute.networkUser to the project, but the shared_vpc_no_subnets test does add this binding. When we converge all of the tests at once, the configuration from one test fixture causes failures in another test suite.

Since there's some urgency for getting this turned around I think we should either disable the tests in this PR by commenting out the .kitchen.yml entry and fixing that in a followup PR, or extracting the shared_vpc_no_subnets tests into a separate PR.

test/integration/shared_vpc_no_subnets/controls/gcloud.rb Outdated Show resolved Hide resolved
test/integration/shared_vpc_no_subnets/controls/gcloud.rb Outdated Show resolved Hide resolved
@glarizza glarizza force-pushed the gl/fixed_shared_vpc branch from d01910a to 5d25fe4 Compare March 8, 2019 17:43
@glarizza
Copy link
Contributor Author

glarizza commented Mar 8, 2019

Okay, I've reverted the commit back to the fix + updated existing test, and the README updates that came out of running make. We can add the test for scenario 2 in a later PR. Tests are going green now so we should be good to go - let me know if there's anything additional that's needed.

adrienthebo
adrienthebo previously approved these changes Mar 8, 2019
View reviewed changes
Copy link
Contributor

@adrienthebo adrienthebo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The updated test coverage validates this behavior; we'll add tests for rights on the entire shared VPC in a followup PR. 👍

aaron-lane
aaron-lane suggested changes Mar 8, 2019
View reviewed changes
Copy link
Contributor

@aaron-lane aaron-lane left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One readability suggestion. Also, please regenerate the documentation with terraform-docs v0.6.0 to maintain the escaping, and rebase against master.

README.md Outdated Show resolved Hide resolved
@glarizza glarizza force-pushed the gl/fixed_shared_vpc branch from 5d25fe4 to aea11d3 Compare March 8, 2019 20:21
glarizza added 2 commits March 8, 2019 12:23
@glarizza
Fix shared VPC IAM bindings
e7c8608 
This commit addresses issue terraform-google-modules#97
(terraform-google-modules#97)
and updates the logic around IAM bindings with regard to shared VPC
subnets. The logic is as follows:

1. If `var.shared_vpc` and `var.shared_vpc_subnets` are empty no
   bindings are mad
2. If `var.shared_vpc` is set but no subnets are provided with
   `var.shared_vpc_subnets` then the IAM bindings are set at the Host
   Project
3. If `var.shared_vpc` is set and `var.shared_vpc_subnets` contains
   subnets then the IAM bindings are granted on the subnetworks
   themselve

This commit updates the logic used to calculate the Host Project
bindings based on scenario 3 above. The tests have also been modified to
ensure that those bindings AREN'T set.
@glarizza
Changes coming from running make
b69927e 
This commit contains all the changes borne out of running `make` with an
empty target (i.e. terraform-docs updates)
@glarizza glarizza force-pushed the gl/fixed_shared_vpc branch from aea11d3 to b69927e Compare March 8, 2019 20:32
@glarizza
Copy link
Contributor Author

glarizza commented Mar 8, 2019
edited
Loading

@aaron-lane That makes sense why it was recommending those changes - updated terraform-docs, added your change, and force-pushed

@aaron-lane aaron-lane merged commit d20bca9 into terraform-google-modules:master Mar 11, 2019
@aaron-lane aaron-lane mentioned this pull request May 1, 2019
Closed
@aaron-lane aaron-lane mentioned this pull request Jun 10, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aaron-lane aaron-lane aaron-lane approved these changes

@adrienthebo adrienthebo adrienthebo left review comments

@morgante morgante Awaiting requested review from morgante

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@glarizza @aaron-lane @morgante @adrienthebo