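# RSpec - testing framework
#
# InSpec control that shells out to gcloud and verifies that the expected
# service accounts exist and that the expected IAM role bindings are present
# on the project and on the cluster's Pub/Sub notification topic.
project_id = attribute('project_id')
location = attribute('location') # read but not used by any check below
topic_id = "#{attribute('cluster_name')}-notifs"

# Full e-mail identities of the service accounts under test.
kitchen_standard_email = "kitchen-standard@#{project_id}.iam.gserviceaccount.com"
kitchen_standard2_email = "kitchen-standard2@#{project_id}.iam.gserviceaccount.com"

# Output shaping shared by every get-iam-policy call: one row per
# (role, member) pair, printing only the role column.
policy_flags = "--flatten='bindings[].members' --format='table(bindings.role)'"

control "gcloud" do
  title "Checking deployed resources on GCP."

  # Service Accounts
  describe command("gcloud iam service-accounts list --format json --project #{project_id}") do
    # Parsed account list; empty when gcloud fails, so the existence checks
    # below fail instead of raising on unparsable output.
    let(:service_accounts) do
      subject.exit_status.zero? ? JSON.parse(subject.stdout) : []
    end

    # kitchen-standard Service Account
    # Compared with ==, not String#match: match treats its argument as an
    # unanchored regex, so a look-alike such as
    # "my-kitchen-standard@<project>..." would also have satisfied the check.
    let(:kitchen_standard) do
      service_accounts.find { |account| account['email'] == kitchen_standard_email }
    end

    it "Service Account kitchen-standard was created" do
      expect(kitchen_standard).not_to be_nil
    end

    # NOTE(review): `match` is a substring match here, so the display name
    # "Kitchen Standard 2" would pass as well; switch to `eq` once the exact
    # expected display name is confirmed.
    it "Service Account kitchen-standard has correct display name" do
      expect(kitchen_standard['displayName']).to match("Kitchen Standard")
    end

    # kitchen-standard2 Service Account
    let(:kitchen_standard2) do
      service_accounts.find { |account| account['email'] == kitchen_standard2_email }
    end

    it "Service Account kitchen-standard2 was created" do
      expect(kitchen_standard2).not_to be_nil
    end

    it "Service Account kitchen-standard2 has correct display name" do
      expect(kitchen_standard2['displayName']).to match("Kitchen Standard 2")
    end
  end

  # Roles for Service Accounts
  #
  # NOTE(review): every role check below asserts presence only. None of them
  # fails when the member additionally holds a broader role, so a
  # least-privilege regression passes unnoticed. The `bindings.members:`
  # filter also looks like a pattern match rather than an exact comparison;
  # confirm against `gcloud topic filters`.
  describe command("gcloud projects get-iam-policy #{project_id} #{policy_flags} --filter='bindings.members:#{kitchen_standard_email}'") do
    it "Service Account has ClusterViewer role" do
      expect(subject.stdout).to include('clusterViewer')
    end
  end

  # Members expected to hold the subscriber role on the notification topic,
  # keyed by the label used in the example name.
  {
    'Service Account' => kitchen_standard_email,
    'Test Group' => 'test-access@cs.corpnet.pl',
    'Readme Group' => 'opl-readme-owners@cs.corpnet.pl',
    # Check admin group permissions - opl-org-gke-admins@cs.corpnet.pl
    'Admin Group' => 'opl-org-gke-admins@cs.corpnet.pl'
  }.each do |label, member|
    describe command("gcloud pubsub topics get-iam-policy #{topic_id} #{policy_flags} --filter='bindings.members:#{member}'") do
      it "#{label} has Subscriber role" do
        expect(subject.stdout).to include('pubsub.subscriber')
      end
    end
  end
end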