Add Azure E2E tests

Signed-off-by: Philip Laine <philip.laine@xenit.se>
2026-02-06 19:05:55 +00:00 · 2021-09-30 13:53:19 +02:00
parent 5067df179e
commit d8235ea21b
24 changed files with 3311 additions and 0 deletions
--- a/tests/azure/terraform/shared/.terraform.lock.hcl
+++ b/tests/azure/terraform/shared/.terraform.lock.hcl
@@ -0,0 +1,58 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/azuread" {
+  version     = "1.6.0"
+  constraints = "1.6.0"
+  hashes = [
+    "h1:BlO53mX+Y2W//YqlCKvoxzofegFQk636XlKtmZYH0PY=",
+    "zh:0db70045a464d325fdb3d71809f0467844c3e2fcf1349e568bc51ad5035c99d9",
+    "zh:3629f1d7b4eba48d744b24c7cf7fe878d5ef5910a36b525507bd3d588010ccec",
+    "zh:5a73a45b6d1ff353810cc9b00d7c90a2fb328ba0a9ef3d24392b1500fb98741a",
+    "zh:7a6a9c390cf1bf752321abb8d0643c9f623e8c2ad871dfb378d64c9d90fada2d",
+    "zh:7d6de55d326b046dabc16bd7b655f008ff780c36ffc884b139a7c7da37b446d5",
+    "zh:8d725c618396ccae290e411296c892e08e776c3e9e5a82b0ef1f633a917146ec",
+    "zh:a206d1d8042bf66ca12b97334bbd6fcdf12fd6131f8cb4547c82b9fa7a701612",
+    "zh:b03ab4ff07dcb5ed8be8b0619c6ec9fb0da0c83594ccb0a1bff72f346083b530",
+    "zh:b6131f9d438b340a4016c770b569139ec7ac2532358a8ab783234e8c93d141d5",
+    "zh:ce9372d38e9e62accfd54f4669753000d3dcbae4b45686d74630eb63eb879f37",
+    "zh:df9a607c333d464d8bdeb248b1ff41e493c1d0661453a1e1ce396b89952a74ee",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/azurerm" {
+  version     = "2.76.0"
+  constraints = "2.76.0"
+  hashes = [
+    "h1:kF+u0s0DPnE5gMKhzQACWRUIdwZG1Ax4atXt9hk1J8M=",
+    "zh:137eb7c07d3d3c9fe123e74381c108c4442efba9fc051faa2ca603503ff2840f",
+    "zh:142a354dffd59a1d6b7f1614ab66a468ace3636d95933589a8d704ee8dbc4ea6",
+    "zh:4c343b4da8b86e4213c1b11f73337cec73a55b1fa95a0e0e0c79f34597d37cc3",
+    "zh:75d3109d48726fdbaad840d2fa294ec3362b32a3628c261af00f5c5608427521",
+    "zh:7b1e78c144c6ad2beebc798abb9e76c725bf34ced41df36dc0120a0f2426e801",
+    "zh:981235b01c3d4acf94c78cdd96624fd01d0a3622bc06b5c62aef3e788f1481c3",
+    "zh:bad819efae7293ce371409e1ed34197c3e879f61d3e44893af0ce68e6aaffde7",
+    "zh:c8008967722929deccfec9695754ae55028ce12311c321ae7a7c753dde162a44",
+    "zh:d38513d1138864269b2ff333b08a64a7949630d489f18e660630bbaff3b7ebb8",
+    "zh:e1f64d2d91b5f5cba6a9c5d35278a4918d332d7385a87f8e3466aaadb782a90f",
+    "zh:e93a377a1e823df69718686703b07f1712046eeb742006022e982f2e8a594161",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+  version = "3.1.0"
+  hashes = [
+    "h1:BZMEPucF+pbu9gsPk0G0BHx7YP04+tKdq2MrRDF1EDM=",
+    "zh:2bbb3339f0643b5daa07480ef4397bd23a79963cc364cdfbb4e86354cb7725bc",
+    "zh:3cd456047805bf639fbf2c761b1848880ea703a054f76db51852008b11008626",
+    "zh:4f251b0eda5bb5e3dc26ea4400dba200018213654b69b4a5f96abee815b4f5ff",
+    "zh:7011332745ea061e517fe1319bd6c75054a314155cb2c1199a5b01fe1889a7e2",
+    "zh:738ed82858317ccc246691c8b85995bc125ac3b4143043219bd0437adc56c992",
+    "zh:7dbe52fac7bb21227acd7529b487511c91f4107db9cc4414f50d04ffc3cab427",
+    "zh:a3a9251fb15f93e4cfc1789800fc2d7414bbc18944ad4c5c98f466e6477c42bc",
+    "zh:a543ec1a3a8c20635cf374110bd2f87c07374cf2c50617eee2c669b3ceeeaa9f",
+    "zh:d9ab41d556a48bd7059f0810cf020500635bfc696c9fc3adab5ea8915c1d886b",
+    "zh:d9e13427a7d011dbd654e591b0337e6074eef8c3b9bb11b2e39eaaf257044fd7",
+    "zh:f7605bd1437752114baf601bdf6931debe6dc6bfe3006eb7e9bb9080931dca8a",
+  ]
+}
--- a/tests/azure/terraform/shared/acr.tf
+++ b/tests/azure/terraform/shared/acr.tf
@@ -0,0 +1,6 @@
+resource "azurerm_container_registry" "this" {
+  name                = "acrapps${random_pet.suffix.id}"
+  resource_group_name = azurerm_resource_group.this.name
+  location            = azurerm_resource_group.this.location
+  sku                 = "standard"
+}
--- a/tests/azure/terraform/shared/keyvault.tf
+++ b/tests/azure/terraform/shared/keyvault.tf
@@ -0,0 +1,43 @@
+resource "azurerm_key_vault" "this" {
+  name                = "kv-credentials-${random_pet.suffix.id}"
+  resource_group_name = azurerm_resource_group.this.name
+  location            = azurerm_resource_group.this.location
+  tenant_id           = data.azurerm_client_config.current.tenant_id
+  sku_name            = "standard"
+}
+
+resource "azurerm_key_vault_access_policy" "admin" {
+  key_vault_id = azurerm_key_vault.this.id
+  tenant_id = data.azurerm_client_config.current.tenant_id
+  object_id = data.azurerm_client_config.current.object_id
+
+  key_permissions = [
+    "Backup",
+    "Create",
+    "Decrypt",
+    "Delete",
+    "Encrypt",
+    "Get",
+    "Import",
+    "List",
+    "Purge",
+    "Recover",
+    "Restore",
+    "Sign",
+    "UnwrapKey",
+    "Update",
+    "Verify",
+    "WrapKey",
+  ]
+
+  secret_permissions = [
+    "Backup",
+    "Delete",
+    "Get",
+    "List",
+    "Purge",
+    "Recover",
+    "Restore",
+    "Set",
+  ]
+}
--- a/tests/azure/terraform/shared/main.tf
+++ b/tests/azure/terraform/shared/main.tf
@@ -0,0 +1,39 @@
+terraform {
+  backend "azurerm" {
+    resource_group_name  = "terraform-state"
+    storage_account_name = "terraformstate0419"
+    container_name       = "shared-tfstate"
+    key                  = "prod.terraform.tfstate"
+  }
+
+  required_version = "1.0.7"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "2.76.0"
+    }
+    azuread = {
+      source = "hashicorp/azuread"
+      version = "1.6.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+}
+
+resource "random_pet" "suffix" {
+  length    = 1
+  separator = ""
+}
+
+data "azurerm_client_config" "current" {}
+
+data "azurerm_subscription" "current" {}
+
+resource "azurerm_resource_group" "this" {
+  name     = "e2e-shared"
+  location = "West Europe"
+}
--- a/tests/azure/terraform/shared/outputs.tf
+++ b/tests/azure/terraform/shared/outputs.tf
@@ -0,0 +1,18 @@
+output "azure_devops_sp" {
+  value = {
+    client_id = azuread_service_principal.azure_devops.application_id
+    client_secret = azuread_application_password.azure_devops.value
+  }
+  sensitive = true
+}
+
+output "github_sp" {
+  value = {
+    tenant_id = data.azurerm_client_config.current.tenant_id
+    subscription_id = data.azurerm_client_config.current.subscription_id
+    client_id = azuread_service_principal.github.application_id
+    client_secret = azuread_application_password.github.value
+  }
+  sensitive = true
+}
+
--- a/tests/azure/terraform/shared/service-principal.tf
+++ b/tests/azure/terraform/shared/service-principal.tf
@@ -0,0 +1,105 @@
+# Service Principal used by Azure DevOps to push OCI and Helm Charts
+resource "azuread_application" "azure_devops" {
+  display_name = "azure-devops-${random_pet.suffix.id}"
+
+  required_resource_access {
+    resource_app_id = "00000003-0000-0000-c000-000000000000"
+
+    resource_access {
+      id   = "df021288-bdef-4463-88db-98f22de89214"
+      type = "Role"
+    }
+  }
+
+  required_resource_access {
+    resource_app_id = "00000002-0000-0000-c000-000000000000"
+
+    resource_access {
+      id   = "1cda74f2-2616-4834-b122-5cb1b07f8a59"
+      type = "Role"
+    }
+    resource_access {
+      id   = "78c8a3c8-a07e-4b9e-af1b-b5ccab50a175"
+      type = "Role"
+    }
+  }
+}
+
+resource "azuread_application_password" "azure_devops" {
+  display_name = "password"
+  application_object_id = azuread_application.azure_devops.object_id
+}
+
+resource "azuread_service_principal" "azure_devops" {
+  application_id = azuread_application.azure_devops.application_id
+}
+
+resource "azurerm_role_assignment" "azure_devops_acr" {
+  scope                = azurerm_container_registry.this.id
+  role_definition_name = "Contributor"
+  principal_id         = azuread_service_principal.azure_devops.object_id
+}
+
+# Service Principal that is used to run the tests in GitHub Actions
+resource "azuread_application" "github" {
+  display_name = "github-${random_pet.suffix.id}"
+
+  required_resource_access {
+    resource_app_id = "00000003-0000-0000-c000-000000000000"
+
+    resource_access {
+      id   = "df021288-bdef-4463-88db-98f22de89214"
+      type = "Role"
+    }
+  }
+
+  required_resource_access {
+    resource_app_id = "00000002-0000-0000-c000-000000000000"
+
+    resource_access {
+      id   = "1cda74f2-2616-4834-b122-5cb1b07f8a59"
+      type = "Role"
+    }
+    resource_access {
+      id   = "78c8a3c8-a07e-4b9e-af1b-b5ccab50a175"
+      type = "Role"
+    }
+  }
+}
+
+resource "azuread_application_password" "github" {
+  display_name = "password"
+  application_object_id = azuread_application.github.object_id
+}
+
+resource "azuread_service_principal" "github" {
+  application_id = azuread_application.github.application_id
+}
+
+data "azurerm_storage_account" "terraform_state" {
+  resource_group_name = "terraform-state"
+  name                = "terraformstate0419"
+}
+
+resource "azurerm_role_assignment" "github_resource_group" {
+  scope              = data.azurerm_subscription.current.id
+  role_definition_name = "Contributor"
+  principal_id       = azuread_service_principal.github.object_id
+}
+
+resource "azurerm_role_assignment" "github_acr" {
+  scope                = azurerm_container_registry.this.id
+  role_definition_name = "Owner"
+  principal_id         = azuread_service_principal.github.object_id
+}
+
+resource "azurerm_key_vault_access_policy" "github_keyvault_secret_read" {
+  key_vault_id = azurerm_key_vault.this.id
+  tenant_id = data.azurerm_client_config.current.tenant_id
+  object_id = azuread_service_principal.github.object_id
+
+  secret_permissions = [
+    "Get",
+    "List",
+  ]
+}
--- a/tests/azure/terraform/shared/variables.tf
+++ b/tests/azure/terraform/shared/variables.tf