# InSpec control file (built on the RSpec testing framework)
# Inputs supplied by the InSpec profile at run time.
project_id = attribute('project_id')
# Read from the profile for completeness; nothing in this control refers to it.
location = attribute('location')
# Pub/Sub topic whose IAM policy is checked below, derived from the cluster name.
topic_id = format('%s-notifs', attribute('cluster_name'))
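control "gcloud" do
  title "Checking deployed resources on GCP."

  # Fully qualified e-mails of the two kitchen service accounts. They are
  # compared with `==` below instead of an unanchored `String#match`: with
  # `match`, `.` is a regex wildcard and the pattern is only a substring, so
  # any account whose address merely contained this text would pass.
  kitchen_standard_email = "kitchen-standard@#{project_id}.iam.gserviceaccount.com"
  kitchen_standard2_email = "kitchen-standard2@#{project_id}.iam.gserviceaccount.com"

  # Service Accounts
  describe command("gcloud iam service-accounts list --format json --project #{project_id}") do
    # Surface a failed listing explicitly instead of letting every later
    # example fail with a confusing "expected nil not to be nil".
    it "gcloud service-accounts list succeeded" do
      expect(subject.exit_status).to eq(0)
    end

    # Parsed JSON listing of accounts; an empty Array (not a Hash) when the
    # command failed, so `find` sees the same element type either way.
    let(:service_accounts) do
      subject.exit_status == 0 ? JSON.parse(subject.stdout) : []
    end

    # kitchen-standard Service Account
    let(:kitchen_standard) do
      service_accounts.find { |sa| sa['email'] == kitchen_standard_email }
    end
    it "Service Account kitchen-standard was created" do
      expect(kitchen_standard).not_to be_nil
    end
    it "Service Account kitchen-standard has correct display name" do
      # `eq` rather than `match`: "Kitchen Standard 2" must not satisfy this
      # example. `.to_h` turns a missing account (nil) into a plain failure
      # instead of a NoMethodError.
      expect(kitchen_standard.to_h['displayName']).to eq("Kitchen Standard")
    end

    # kitchen-standard2 Service Account
    let(:kitchen_standard2) do
      service_accounts.find { |sa| sa['email'] == kitchen_standard2_email }
    end
    it "Service Account kitchen-standard2 was created" do
      expect(kitchen_standard2).not_to be_nil
    end
    it "Service Account kitchen-standard2 has correct display name" do
      expect(kitchen_standard2.to_h['displayName']).to eq("Kitchen Standard 2")
    end
  end

  # Roles for Service Accounts
  # NOTE(review): `:` in a gcloud --filter is the "has"/pattern operator, not
  # equality; confirm a member that merely contains this address cannot match.
  describe command("gcloud projects get-iam-policy #{project_id} --flatten='bindings[].members' --format='table(bindings.role)' --filter='bindings.members:#{kitchen_standard_email}'") do
    it "gcloud projects get-iam-policy succeeded" do
      expect(subject.exit_status).to eq(0)
    end
    it "Service Account has ClusterViewer role" do
      expect(subject.stdout).to include('clusterViewer')
    end
  end

  # Members that must hold the Pub/Sub Subscriber role on the notification
  # topic, keyed by the label used in the example description.
  topic_subscribers = {
    'Service Account' => kitchen_standard_email,
    'Test Group' => 'test-access@cs.corpnet.pl',
    'Readme Group' => 'opl-readme-owners@cs.corpnet.pl',
    # admin group permissions - opl-org-gke-admins@cs.corpnet.pl
    'Admin Group' => 'opl-org-gke-admins@cs.corpnet.pl',
  }.freeze

  topic_subscribers.each do |label, member|
    describe command("gcloud pubsub topics get-iam-policy #{topic_id} --flatten='bindings[].members' --format='table(bindings.role)' --filter='bindings.members:#{member}'") do
      it "gcloud pubsub topics get-iam-policy succeeded for #{member}" do
        expect(subject.exit_status).to eq(0)
      end
      it "#{label} has Subscriber role" do
        expect(subject.stdout).to include('pubsub.subscriber')
      end
    end
  end
end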