Fix: Issue with empty subnet defaults and Shared VPC (#382)

* fix: Change shared VPC subnets default to empty list

* chore: Add test case for secondary service project with full access

* Fix formatting

* Regen docs

.kitchen.yml

@@ -52,6 +52,19 @@ suites:
       name: terraform
       command_timeout: 1800
       root_module_directory: test/fixtures/dynamic_shared_vpc
+    verifier:
+      name: terraform
+      color: true
+      systems:
+        - name: inspec-gcp
+          backend: gcp
+          controls:
+          - secondary
+        - name: local
+          backend: local
+          controls:
+          - svpc
+
 # Disabled due to issue #275
 # (https://github.com/terraform-google-modules/terraform-google-project-factory/issues/275)
 #  - name: full

Makefile

@@ -27,6 +27,11 @@ REGISTRY_URL := gcr.io/cloud-foundation-cicd
 docker_run:
 	docker run --rm -it \
 		-e SERVICE_ACCOUNT_JSON \
+		-e TF_VAR_org_id \
+		-e TF_VAR_folder_id \
+		-e TF_VAR_billing_account \
+		-e TF_VAR_gsuite_admin_email \
+		-e TF_VAR_gsuite_domain \
 		-v "${CURDIR}":/workspace \
 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
 		/bin/bash
@@ -40,7 +45,7 @@ docker_test_prepare:
 		-e TF_VAR_folder_id \
 		-e TF_VAR_billing_account \
 		-e TF_VAR_gsuite_admin_email \
-	        -e TF_VAR_gsuite_domain \
+		-e TF_VAR_gsuite_domain \
 		-v "${CURDIR}":/workspace \
 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
 		/usr/local/bin/execute_with_credentials.sh prepare_environment

examples/shared_vpc/README.md

@@ -4,6 +4,8 @@ This example illustrates how to create a [Shared VPC](https://cloud.google.com/v
 
 It includes creating the host project and using the [network module](https://github.com/terraform-google-modules/terraform-google-network) to create network.
 
+It then attaches two new service projects to the host project.
+
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Inputs
 
@@ -25,6 +27,8 @@ It includes creating the host project and using the [network module](https://git
 | network\_name | The name of the VPC being created |
 | network\_self\_link | The URI of the VPC being created |
 | service\_project | The service project info |
+| service\_project\_b | The second service project |
+| subnets | The shared VPC subets |
 | vpc | The network info |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/shared_vpc/main.tf

@@ -123,3 +123,27 @@ module "service-project" {
 
   disable_services_on_destroy = "false"
 }
+
+/******************************************
+  Second Service Project Creation
+ *****************************************/
+module "service-project-b" {
+  source = "../../modules/shared_vpc"
+
+  name              = "b-${var.service_project_name}"
+  random_project_id = "false"
+
+  org_id             = var.organization_id
+  folder_id          = var.folder_id
+  billing_account    = var.billing_account
+  shared_vpc_enabled = true
+
+  shared_vpc = module.vpc.project_id
+
+  activate_apis = [
+    "compute.googleapis.com",
+    "container.googleapis.com",
+  ]
+
+  disable_services_on_destroy = "false"
+}

examples/shared_vpc/outputs.tf

@@ -29,6 +29,11 @@ output "service_project" {
   description = "The service project info"
 }
 
+output "service_project_b" {
+  value       = module.service-project-b
+  description = "The second service project"
+}
+
 output "vpc" {
   value       = module.vpc
   description = "The network info"
@@ -44,3 +49,7 @@ output "network_self_link" {
   description = "The URI of the VPC being created"
 }
 
+output "subnets" {
+  value       = module.vpc.subnets_self_links
+  description = "The shared VPC subets"
+}

modules/core_project_factory/variables.tf

@@ -116,7 +116,7 @@ variable "impersonate_service_account" {
 variable "shared_vpc_subnets" {
   description = "List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id)"
   type        = list(string)
-  default     = [""]
+  default     = []
 }
 
 variable "labels" {

modules/gsuite_enabled/variables.tf

@@ -113,7 +113,7 @@ variable "impersonate_service_account" {
 variable "shared_vpc_subnets" {
   description = "List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id)"
   type        = list(string)
-  default     = [""]
+  default     = []
 }
 
 variable "labels" {

modules/shared_vpc/variables.tf

@@ -102,7 +102,7 @@ variable "credentials_path" {
 variable "shared_vpc_subnets" {
   description = "List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id)"
   type        = list(string)
-  default     = [""]
+  default     = []
 }
 
 variable "labels" {

test/fixtures/dynamic_shared_vpc/outputs.tf

@@ -24,6 +24,14 @@ output "service_project_id" {
   description = "The service project ID"
 }
 
+output "service_project_ids" {
+  value = [
+    module.example.service_project.project_id,
+    module.example.service_project_b.project_id
+  ]
+  description = "The service project IDs"
+}
+
 output "service_project_number" {
   value       = module.example.service_project.project_number
   description = "The service project number"
@@ -34,6 +42,11 @@ output "service_account_email" {
   description = "The service account email"
 }
 
+output "secondary_service_account_email" {
+  value       = module.example.service_project_b.service_account_email
+  description = "The secondary service account email"
+}
+
 output "shared_vpc" {
   value       = module.example.host_project.project_id
   description = "The host project ID"

test/integration/dynamic_shared_vpc/controls/svpc.rb

@@ -13,6 +13,7 @@
 # limitations under the License.
 
 service_project_id          = attribute('service_project_id')
+service_project_ids         = attribute('service_project_ids')
 service_project_number      = attribute('service_project_number')
 service_account_email       = attribute('service_account_email')
 shared_vpc                  = attribute('shared_vpc')
@@ -21,13 +22,15 @@
 shared_vpc_subnet_name_02   = attribute('shared_vpc_subnet_name_02')
 shared_vpc_subnet_region_02 = attribute('shared_vpc_subnet_region_02')
 
-control 'project-factory-shared-vpc' do
+control 'svpc' do
   title "Project Factory shared VPC"
 
-  describe command("gcloud compute shared-vpc get-host-project #{service_project_id} --format='get(name)'") do
-    its('exit_status') { should eq 0 }
-    its('stderr') { should eq '' }
-    its('stdout.strip') { should eq shared_vpc }
+  service_project_ids.each do |project_id|
+    describe command("gcloud compute shared-vpc get-host-project #{project_id} --format='get(name)'") do
+      its('exit_status') { should eq 0 }
+      its('stderr') { should eq '' }
+      its('stdout.strip') { should eq shared_vpc }
+    end
   end
 
   describe command("gcloud projects get-iam-policy #{shared_vpc} --format=json") do

test/integration/dynamic_shared_vpc/inspec.yml

@@ -1,17 +1,27 @@
 name: dynamic_shared_vpc
+depends:
+  - name: inspec-gcp
+    git: https://github.com/inspec/inspec-gcp.git
+    tag: v0.10.0
 attributes:
   - name: service_project_name
     required: true
     type: string
   - name: service_project_id
     required: true
     type: string
+  - name: service_project_ids
+    required: true
+    type: array
   - name: service_project_number
     required: true
     type: string
   - name: service_account_email
     required: true
     type: string
+  - name: secondary_service_account_email
+    required: true
+    type: string
   - name: shared_vpc
     required: false
     default: null

variables.tf

@@ -110,7 +110,7 @@ variable "impersonate_service_account" {
 variable "shared_vpc_subnets" {
   description = "List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id)"
   type        = list(string)
-  default     = [""]
+  default     = []
 }
 
 variable "labels" {