@@ -39,58 +39,37 @@ func TestSimpleFleetAppOperatorPermissions(t *testing.T) {
3939 appOperatorPrincipal := fmt .Sprintf ("serviceAccount:%s" , appOperatorEmail )
4040 scopeLevelRole := "roles/gkehub.scopeViewer"
4141 projectLevelRole := "roles/gkehub.scopeViewerProjectLevel"
42+ customAppOperatorEmail := fmt .Sprintf ("custom-app-operator-id@%s.iam.gserviceaccount.com" , projectId )
43+ customAppOperatorPrincipal := fmt .Sprintf ("serviceAccount:%s" , appOperatorEmail )
44+ customScopeLevelRole := "roles/gkehub.scopeViewer"
45+ customProjectLevelRole := "roles/gkehub.scopeEditorProjectLevel"
4246 logViewRole := "roles/logging.viewAccessor"
4347 logViewContainerBucket := fmt .Sprintf ("projects/%s/locations/global/buckets/fleet-o11y-scope-%s/views/fleet-o11y-scope-%s-k8s_container" , projectId , scopeId , scopeId )
4448 logViewPodBucket := fmt .Sprintf ("projects/%s/locations/global/buckets/fleet-o11y-scope-%s/views/fleet-o11y-scope-%s-k8s_pod" , projectId , scopeId , scopeId )
49+ filterFormat := "\" bindings.members:%s\" "
50+ flattenOpt := "bindings[].members"
4551
4652 scopeRrbList := gcloud .Runf (t , "container fleet scopes rbacrolebindings list --scope %s --project %s" , scopeId , projectId ).String ()
4753 assert .Equal (strings .Contains (scopeRrbList , appOperatorEmail ), true , "app operator email should be in the list of Scope RBAC Role Bindings" )
54+ assert .Equal (strings .Contains (scopeRrbList , customAppOperatorEmail ), true , "custom app operator email should be in the list of Scope RBAC Role Bindings" )
4855
49- scopeIam := gcloud .Runf (t , "container fleet scopes get-iam-policy %s --project %s" , scopeId , projectId ).String ()
50- assert .Equal (strings .Contains (scopeIam , appOperatorPrincipal ), true , "app operator principal should be in the Scope IAM policy" )
56+ scopeIam := gcloud .Runf (t , "container fleet scopes get-iam-policy %s --project %s --filter %s" , scopeId , projectId , fmt .Sprintf (filterFormat , appOperatorPrincipal )).String ()
5157 assert .Equal (strings .Contains (scopeIam , scopeLevelRole ), true , "app operator Scope role should be in the Scope IAM policy" )
5258
53- projectIam := gcloud .Runf (t , "projects get-iam-policy %s" , projectId ).String ()
54- assert .Equal (strings .Contains (projectIam , appOperatorPrincipal ), true , "app operator principal should be in the project IAM policy" )
55- assert .Equal (strings .Contains (projectIam , projectLevelRole ), true , "app operator Scope role should be in the project IAM policy" )
56- assert .Equal (strings .Contains (projectIam , logViewRole ), true , "app operator log view role should be in the project IAM policy" )
57- assert .Equal (strings .Contains (projectIam , logViewContainerBucket ), true , "app operator log view container bucket should be in the project IAM policy" )
58- assert .Equal (strings .Contains (projectIam , logViewPodBucket ), true , "app operator log view pod bucket should be in the project IAM policy" )
59- })
60-
61- appOppT .Test ()
62- }
63-
64- func TestCustomFleetAppOperatorPermissions (t * testing.T ) {
65- appOppT := tft .NewTFBlueprintTest (t ,
66- tft .WithRetryableTerraformErrors (testutils .RetryableTransientErrors , 3 , 2 * time .Minute ),
67- )
68- appOppT .DefineVerify (func (assert * assert.Assertions ) {
69- appOppT .DefaultVerify (assert )
59+ customScopeIam := gcloud .Runf (t , "container fleet scopes get-iam-policy %s --project %s --filter %s" , scopeId , projectId , fmt .Sprintf (filterFormat , customAppOperatorPrincipal )).String ()
60+ assert .Equal (strings .Contains (customScopeIam , customScopeLevelRole ), true , "custom app operator Scope role should be in the Scope IAM policy" )
7061
71- projectId := appOppT .GetStringOutput ("project_id" )
72- scopeId := "app-operator-team"
73- appOperatorEmail := fmt .Sprintf ("custom-app-operator-id@%s.iam.gserviceaccount.com" , projectId )
74- appOperatorPrincipal := fmt .Sprintf ("serviceAccount:%s" , appOperatorEmail )
75- scopeLevelRole := "roles/gkehub.scopeViewer"
76- projectLevelRole := "roles/gkehub.scopeEditorProjectLevel"
77- logViewRole := "roles/logging.viewAccessor"
78- logViewContainerBucket := fmt .Sprintf ("projects/%s/locations/global/buckets/fleet-o11y-scope-%s/views/fleet-o11y-scope-%s-k8s_container" , projectId , scopeId , scopeId )
79- logViewPodBucket := fmt .Sprintf ("projects/%s/locations/global/buckets/fleet-o11y-scope-%s/views/fleet-o11y-scope-%s-k8s_pod" , projectId , scopeId , scopeId )
80-
81- scopeRrbList := gcloud .Runf (t , "container fleet scopes rbacrolebindings list --scope %s --project %s" , scopeId , projectId ).String ()
82- assert .Equal (strings .Contains (scopeRrbList , appOperatorEmail ), true , "app operator email should be in the list of Scope RBAC Role Bindings" )
83-
84- scopeIam := gcloud .Runf (t , "container fleet scopes get-iam-policy %s --project %s" , scopeId , projectId ).String ()
85- assert .Equal (strings .Contains (scopeIam , appOperatorPrincipal ), true , "app operator principal should be in the Scope IAM policy" )
86- assert .Equal (strings .Contains (scopeIam , scopeLevelRole ), true , "app operator Scope role should be in the Scope IAM policy" )
87-
88- projectIam := gcloud .Runf (t , "projects get-iam-policy %s" , projectId ).String ()
89- assert .Equal (strings .Contains (projectIam , appOperatorPrincipal ), true , "app operator principal should be in the project IAM policy" )
62+ projectIam := gcloud .Runf (t , "projects get-iam-policy %s --filter %s --flatten %s" , projectId , fmt .Sprintf (filterFormat , appOperatorPrincipal ), flattenOpt ).String ()
9063 assert .Equal (strings .Contains (projectIam , projectLevelRole ), true , "app operator Scope role should be in the project IAM policy" )
9164 assert .Equal (strings .Contains (projectIam , logViewRole ), true , "app operator log view role should be in the project IAM policy" )
9265 assert .Equal (strings .Contains (projectIam , logViewContainerBucket ), true , "app operator log view container bucket should be in the project IAM policy" )
9366 assert .Equal (strings .Contains (projectIam , logViewPodBucket ), true , "app operator log view pod bucket should be in the project IAM policy" )
67+
68+ customProjectIam := gcloud .Runf (t , "projects get-iam-policy %s --filter %s --flatten %s" , projectId , fmt .Sprintf (filterFormat , customAppOperatorPrincipal ), flattenOpt ).String ()
69+ assert .Equal (strings .Contains (projectIam , customProjectLevelRole ), true , "custom app operator Scope role should be in the project IAM policy" )
70+ assert .Equal (strings .Contains (projectIam , logViewRole ), true , "custom app operator log view role should be in the project IAM policy" )
71+ assert .Equal (strings .Contains (projectIam , logViewContainerBucket ), true , "custom app operator log view container bucket should be in the project IAM policy" )
72+ assert .Equal (strings .Contains (projectIam , logViewPodBucket ), true , "custom app operator log view pod bucket should be in the project IAM policy" )
9473 })
9574
9675 appOppT .Test ()
0 commit comments