From 1fc5cac314e1a24a9b63c7b88f59e2c40cf59765 Mon Sep 17 00:00:00 2001
From: Aayush-Abhyarthi
Date: Thu, 28 Nov 2024 11:12:48 +0530
Subject: [PATCH 1/4] set default for kpk in storage delegation
---
 README.md | 2 +-
 storage_delegation/variables.tf | 2 +-
 variables.tf | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 8077423..b379a29 100644
--- a/README.md
+++ b/README.md
@@ -149,7 +149,7 @@ statement instead the previous block.
 |------|-------------|------|---------|:--------:|
 | [cos\_kms\_crn](#input\_cos\_kms\_crn) | Key Protect service instance CRN used to encrypt the COS buckets used by the watsonx projects. Required if `enable_cos_kms_encryption` is true. | `string` | `null` | no |
 | [cos\_kms\_key\_crn](#input\_cos\_kms\_key\_crn) | Key Protect key CRN used to encrypt the COS buckets used by the watsonx projects. If not set, then the cos\_kms\_new\_key\_name must be specified. | `string` | `null` | no |
-| [cos\_kms\_new\_key\_name](#input\_cos\_kms\_new\_key\_name) | Name of the Key Protect key to create for encrypting the COS buckets used by the watsonx projects. | `string` | `""` | no |
+| [cos\_kms\_new\_key\_name](#input\_cos\_kms\_new\_key\_name) | Name of the Key Protect key to create for encrypting the COS buckets used by the watsonx projects. | `string` | `"storage-delegation-key"` | no |
 | [cos\_kms\_ring\_id](#input\_cos\_kms\_ring\_id) | The identifier of the Key Protect ring to create the cos\_kms\_new\_key\_name into. If it is not set, then the new key will be created in the default ring. | `string` | `null` | no |
 | [cos\_plan](#input\_cos\_plan) | The plan that's used to provision the Cloud Object Storage instance. | `string` | `"standard"` | no |
 | [enable\_cos\_kms\_encryption](#input\_enable\_cos\_kms\_encryption) | Flag to enable COS KMS encryption. If set to true, a value must be passed for `cos_kms_crn`. | `bool` | `true` | no |
diff --git a/storage_delegation/variables.tf b/storage_delegation/variables.tf
index 4ef33b1..903ba1a 100644
--- a/storage_delegation/variables.tf
+++ b/storage_delegation/variables.tf
@@ -32,7 +32,7 @@ variable "cos_kms_key_crn" {
 variable "cos_kms_new_key_name" {
 description = "Name of the Key Protect key to create for encrypting the COS buckets used by the watsonx projects."
 type = string
- default = ""
+ default = "storage-delegation-key"
 }
 variable "cos_kms_ring_id" {
diff --git a/variables.tf b/variables.tf
index 8869a85..9776a30 100644
--- a/variables.tf
+++ b/variables.tf
@@ -272,7 +272,7 @@ variable "cos_kms_key_crn" {
 variable "cos_kms_new_key_name" {
 description = "Name of the Key Protect key to create for encrypting the COS buckets used by the watsonx projects."
 type = string
- default = ""
+ default = "storage-delegation-key"
 }
 variable "cos_kms_ring_id" {
From 362e2d5af7637bbcc36ab50cbffd4d65bc6e36f5 Mon Sep 17 00:00:00 2001
From: Aayush-Abhyarthi
Date: Wed, 11 Dec 2024 00:53:53 +0530
Subject: [PATCH 2/4] add: upgrade test with kms encryption enabled
---
 README.md | 2 +-
 common-dev-assets | 2 +-
 storage_delegation/variables.tf | 2 +-
 tests/pr_test.go | 83 +++++++++++++++++++++++++++++++++
 variables.tf | 2 +-
 5 files changed, 87 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index c3dbc3f..55e9f3d 100644
--- a/README.md
+++ b/README.md
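Review bot: With `cos_kms_new_key_name` now defaulting to `"storage-delegation-key"`, the description of `cos_kms_key_crn` visible in the README hunk above ("If not set, then the cos\_kms\_new\_key\_name must be specified") is stale, because the name is always specified and omitting `cos_kms_key_crn` presumably now creates a key with that fixed name in the default ring (`cos_kms_ring_id` defaults to `null`). Suggest changing the `cos_kms_key_crn` description to `"Key Protect key CRN used to encrypt the COS buckets used by the watsonx projects. If not set, a new key named by 'cos_kms_new_key_name' is created."` and the `cos_kms_new_key_name` description to `"Name of the Key Protect key to create for encrypting the COS buckets used by the watsonx projects. Only used when 'cos_kms_key_crn' is not set."`. Whether Key Protect accepts several keys with the same name in one instance is not visible here; if it does not, a second deployment against the same instance would fail at apply time, so a per-deployment name may be safer than a constant. The same default change is made in the root `variables.tf` hunk below and is repeated, with identical index lines, in PATCH 2/4, which looks like a rebase artifact.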
@@ -146,7 +146,7 @@ statement instead the previous block.
 |------|-------------|------|---------|:--------:|
 | [cos\_kms\_crn](#input\_cos\_kms\_crn) | Key Protect service instance CRN used to encrypt the COS buckets used by the watsonx projects. Required if `enable_cos_kms_encryption` is true. | `string` | `null` | no |
 | [cos\_kms\_key\_crn](#input\_cos\_kms\_key\_crn) | Key Protect key CRN used to encrypt the COS buckets used by the watsonx projects. If not set, then the cos\_kms\_new\_key\_name must be specified. | `string` | `null` | no |
-| [cos\_kms\_new\_key\_name](#input\_cos\_kms\_new\_key\_name) | Name of the Key Protect key to create for encrypting the COS buckets used by the watsonx projects. | `string` | `""` | no |
+| [cos\_kms\_new\_key\_name](#input\_cos\_kms\_new\_key\_name) | Name of the Key Protect key to create for encrypting the COS buckets used by the watsonx projects. | `string` | `"storage-delegation-key"` | no |
 | [cos\_kms\_ring\_id](#input\_cos\_kms\_ring\_id) | The identifier of the Key Protect ring to create the cos\_kms\_new\_key\_name into. If it is not set, then the new key will be created in the default ring. | `string` | `null` | no |
 | [cos\_plan](#input\_cos\_plan) | The plan that's used to provision the Cloud Object Storage instance. | `string` | `"standard"` | no |
 | [enable\_cos\_kms\_encryption](#input\_enable\_cos\_kms\_encryption) | Flag to enable COS KMS encryption. If set to true, a value must be passed for `cos_kms_crn`. | `bool` | `true` | no |
diff --git a/common-dev-assets b/common-dev-assets
index 0f1f11e..97bdd73 160000
--- a/common-dev-assets
+++ b/common-dev-assets
@@ -1 +1 @@
-Subproject commit 0f1f11eb807b936a39b2a41106b5c26afd4b2b03
+Subproject commit 97bdd73a486309b2d03c68e4836d2c5bbc9b3591
diff --git a/storage_delegation/variables.tf b/storage_delegation/variables.tf
index 4ef33b1..903ba1a 100644
--- a/storage_delegation/variables.tf
+++ b/storage_delegation/variables.tf
@@ -32,7 +32,7 @@ variable "cos_kms_key_crn" {
 variable "cos_kms_new_key_name" {
 description = "Name of the Key Protect key to create for encrypting the COS buckets used by the watsonx projects."
 type = string
- default = ""
+ default = "storage-delegation-key"
 }
 variable "cos_kms_ring_id" {
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 06bd58e..3b028f4 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -176,3 +176,86 @@ func TestWithExistingKP(t *testing.T) {
 }
 }
+
+func TestRunUpgradeExistingKP(t *testing.T) {
+ t.Parallel()
+
+ // ------------------------------------------------------------------------------------
+ // Provision KP first
+ // ------------------------------------------------------------------------------------
+
+ prefix := fmt.Sprintf("kp-ut-%s", strings.ToLower(random.UniqueId()))
+ realTerraformDir := "./resources/kp-instance"
+ tempTerraformDir, _ := files.CopyTerraformFolderToTemp(realTerraformDir, fmt.Sprintf(prefix+"-%s", strings.ToLower(random.UniqueId())))
+ region := "us-south"
+
+ // Verify ibmcloud_api_key variable is set
+ checkVariable := "TF_VAR_ibmcloud_api_key"
+ val, present := os.LookupEnv(checkVariable)
+ require.True(t, present, checkVariable+" environment variable not set")
+ require.NotEqual(t, "", val, checkVariable+" environment variable is empty")
+
+ logger.Log(t, "Tempdir: ", tempTerraformDir)
+ existingTerraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
+ TerraformDir: tempTerraformDir,
+ Vars: map[string]interface{}{
+ "prefix": prefix,
+ "region": region,
+ },
+ // Set Upgrade to true to ensure latest version of providers and modules are used by terratest.
+ // This is the same as setting the -upgrade=true flag with terraform.
+ Upgrade: true,
+ })
+
+ terraform.WorkspaceSelectOrNew(t, existingTerraformOptions, prefix)
+ _, existErr := terraform.InitAndApplyE(t, existingTerraformOptions)
+ if existErr != nil {
+ assert.True(t, existErr == nil, "Init and Apply of temp existing resource failed")
+ } else {
+
+ // ------------------------------------------------------------------------------------
+ // Upgrade test for watsonx DA passing in existing KP details
+ // ------------------------------------------------------------------------------------
+
+ options := testhelper.TestOptionsDefault(&testhelper.TestOptions{
+ Testing: t,
+ TerraformDir: rootDaDir,
+ Prefix: "existing-kp-upg",
+ IgnoreDestroys: testhelper.Exemptions{ // Ignore for consistency check
+ List: []string{
+ "module.configure_user.null_resource.configure_user",
+ "module.configure_user.null_resource.restrict_access",
+ },
+ },
+ IgnoreUpdates: testhelper.Exemptions{ // Ignore for consistency check
+ List: []string{
+ "module.configure_user.null_resource.configure_user",
+ "module.configure_user.null_resource.restrict_access",
+ },
+ },
+ TerraformVars: map[string]interface{}{
+ "location": validRegions[rand.Intn(len(validRegions))],
+ "resource_group_name": prefix,
+ "cos_kms_crn": terraform.Output(t, existingTerraformOptions, "key_protect_crn"),
+ "cos_kms_key_crn": terraform.Output(t, existingTerraformOptions, "kms_key_crn"),
+ },
+ })
+
+ output, err := options.RunTestUpgrade()
+ assert.Nil(t, err, "This should not have errored")
+ assert.NotNil(t, output, "Expected some output")
+ }
+
+ // Check if "DO_NOT_DESTROY_ON_FAILURE" is set
+ envVal, _ := os.LookupEnv("DO_NOT_DESTROY_ON_FAILURE")
+ // Destroy the temporary existing resources if required
+ if t.Failed() && strings.ToLower(envVal) == "true" {
+ fmt.Println("Terratest failed. 
Debug the test and delete resources manually.")
+ } else {
+ logger.Log(t, "START: Destroy (existing resources)")
+ terraform.Destroy(t, existingTerraformOptions)
+ terraform.WorkspaceDelete(t, existingTerraformOptions, prefix)
+ logger.Log(t, "END: Destroy (existing resources)")
+ }
+
+}
diff --git a/variables.tf b/variables.tf
index 8869a85..9776a30 100644
--- a/variables.tf
+++ b/variables.tf
@@ -272,7 +272,7 @@ variable "cos_kms_key_crn" {
 variable "cos_kms_new_key_name" {
 description = "Name of the Key Protect key to create for encrypting the COS buckets used by the watsonx projects."
 type = string
- default = ""
+ default = "storage-delegation-key"
 }
 variable "cos_kms_ring_id" {
From 4f14d5315d17549a76ab5fca37fa3628bbacf8c1 Mon Sep 17 00:00:00 2001
From: Aayush-Abhyarthi
Date: Wed, 11 Dec 2024 11:21:17 +0530
Subject: [PATCH 3/4] fix: provider visibility
---
 tests/pr_test.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 803b56c..4f41dfc 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -238,6 +238,7 @@ func TestRunUpgradeExistingKP(t *testing.T) {
 TerraformVars: map[string]interface{}{
 "location": validRegions[rand.Intn(len(validRegions))],
 "resource_group_name": prefix,
+ "provider_visibility": "public",
 "cos_kms_crn": terraform.Output(t, existingTerraformOptions, "key_protect_crn"),
 "cos_kms_key_crn": terraform.Output(t, existingTerraformOptions, "kms_key_crn"),
 },
From a67cefc196d2ef956740dc0ec175d4218c68d233 Mon Sep 17 00:00:00 2001
From: Aayush-Abhyarthi
Date: Thu, 12 Dec 2024 10:59:18 +0530
Subject: [PATCH 4/4] add: validation and enable encrytion in tests
---
 main.tf | 2 ++
 tests/pr_test.go | 22 ++++++++++++----------
 2 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/main.tf b/main.tf
index 1d0719b..21120bb 100644
--- a/main.tf
+++ b/main.tf
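Review bot: `tempTerraformDir, _ := files.CopyTerraformFolderToTemp(...)` near the top of the new `TestRunUpgradeExistingKP` discards the copy error, so a failed copy only surfaces later as an unrelated `InitAndApplyE` failure against a missing or empty directory; failing fast with the real cause would be `tempTerraformDir, copyErr := files.CopyTerraformFolderToTemp(realTerraformDir, fmt.Sprintf(prefix+"-%s", strings.ToLower(random.UniqueId())))` followed by `require.NoError(t, copyErr, "copying "+realTerraformDir+" to a temp dir failed")`. The `assert.True(t, existErr == nil, ...)` inside `if existErr != nil` can only ever fail and drops the error text; `assert.NoError(t, existErr, "Init and Apply of temp existing resource failed")` reports the underlying error instead. The failure branch also uses `fmt.Println` where the rest of the function uses `logger.Log(t, ...)`, so in a `t.Parallel()` run the message is not attributed to this test; `logger.Log(t, "Terratest failed. Debug the test and delete resources manually.")` keeps it consistent. The `TF_VAR_ibmcloud_api_key` check asserts presence only and never logs the value, which is the right shape for a credential precondition.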
@@ -62,6 +62,8 @@ locals {
 # tflint-ignore: terraform_unused_declarations
 validate_encryption_inputs = var.enable_cos_kms_encryption && (var.cos_kms_crn == null || var.cos_kms_crn == "") ? tobool("A value must be passed for 'cos_kms_crn' when 'enable_cos_kms_encryption' is set to true") : true
+ # tflint-ignore: terraform_unused_declarations
+ validate_enable_cos_kms_encryption = (var.cos_kms_crn != null || var.cos_kms_key_crn != null) && var.enable_cos_kms_encryption == false ? tobool("If a value for 'cos_kms_crn' or 'cos_kms_key_crn' is passed then 'enable_cos_kms_encryption' must be set to true") : true
 }
 data "ibm_iam_auth_token" "restapi" {
diff --git a/tests/pr_test.go b/tests/pr_test.go
index 4f41dfc..d7ee255 100644
--- a/tests/pr_test.go
+++ b/tests/pr_test.go
@@ -152,11 +152,12 @@ func TestWithExistingKP(t *testing.T) {
 },
 },
 TerraformVars: map[string]interface{}{
- "location": validRegions[rand.Intn(len(validRegions))],
- "resource_group_name": prefix,
- "provider_visibility": "public",
- "cos_kms_crn": terraform.Output(t, existingTerraformOptions, "key_protect_crn"),
- "cos_kms_key_crn": terraform.Output(t, existingTerraformOptions, "kms_key_crn"),
+ "location": validRegions[rand.Intn(len(validRegions))],
+ "resource_group_name": prefix,
+ "provider_visibility": "public",
+ "enable_cos_kms_encryption": true,
+ "cos_kms_crn": terraform.Output(t, existingTerraformOptions, "key_protect_crn"),
+ "cos_kms_key_crn": terraform.Output(t, existingTerraformOptions, "kms_key_crn"),
 },
 })
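Review bot: The new `validate_enable_cos_kms_encryption` local treats an empty string as a supplied CRN, while `validate_encryption_inputs` just above it treats `""` as unset (`var.cos_kms_crn == null || var.cos_kms_crn == ""`), so `cos_kms_crn = ""` with encryption disabled trips the new guard even though the existing guard would consider no CRN to have been passed. Aligning the two conditions keeps the behaviour consistent: `validate_enable_cos_kms_encryption = ((var.cos_kms_crn != null && var.cos_kms_crn != "") || (var.cos_kms_key_crn != null && var.cos_kms_key_crn != "")) && !var.enable_cos_kms_encryption ? tobool("If a value for 'cos_kms_crn' or 'cos_kms_key_crn' is passed then 'enable_cos_kms_encryption' must be set to true") : true`. The guard itself is worth keeping, since it rejects a configuration that supplies a key yet would leave the COS buckets unencrypted. If the module's `required_version` admits Terraform 1.9 or later, a `validation` block on `enable_cos_kms_encryption` could express this cross-variable rule and report it against the variable rather than through a `tobool()` conversion error; the version constraint is not visible here.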
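Review bot: `"enable_cos_kms_encryption": true` matches the variable's documented default (`true` in the README table of PATCH 1/4), so this line and the identical one added to `TestRunUpgradeExistingKP` in the next hunk change nothing at runtime; it is fine as explicit intent, but a comment such as `// explicit: main.tf now rejects a CRN passed with encryption disabled` would say why it was added alongside the `main.tf` change. What the series still lacks is a negative case for the new `validate_enable_cos_kms_encryption` local: a plan-only test that sets `enable_cos_kms_encryption` to `false` while passing `cos_kms_key_crn` and asserts that `terraform.InitAndPlanE` returns an error would pin that guard without provisioning anything. The enclosing `TerraformVars` map and `TestWithExistingKP` itself start and end outside the hunk.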
@@ -236,11 +237,12 @@ func TestRunUpgradeExistingKP(t *testing.T) {
 },
 },
 TerraformVars: map[string]interface{}{
- "location": validRegions[rand.Intn(len(validRegions))],
- "resource_group_name": prefix,
- "provider_visibility": "public",
- "cos_kms_crn": terraform.Output(t, existingTerraformOptions, "key_protect_crn"),
- "cos_kms_key_crn": terraform.Output(t, existingTerraformOptions, "kms_key_crn"),
+ "location": validRegions[rand.Intn(len(validRegions))],
+ "resource_group_name": prefix,
+ "provider_visibility": "public",
+ "enable_cos_kms_encryption": true,
+ "cos_kms_crn": terraform.Output(t, existingTerraformOptions, "key_protect_crn"),
+ "cos_kms_key_crn": terraform.Output(t, existingTerraformOptions, "kms_key_crn"),
 },
 })