Build Network Fixtures and Run Tests with Kitchen-Terraform

[Jberlinsky]

Continuation of #20, incorporating #20 (comment).

Addresses #28 and #25 along the way.

[aaron-lane]

We should try to limit the use of attributes to values which are necessary to obtain subjects. Relying on an attribute to provide the expected value of an expectations may indicate that the expectation is simply validating that the Terraform resources applied correctly rather than verifying broader intent of the configuration.

We should try to limit expectations to 1 per example in order to provide clarity if expectations fail.

Using the includes and including matchers could help to simplify the examples which rely on filtered values.

let(:taints) { nodes.first.spec.taints.map(&:to_h) }
# ...
expect(taints).to include(
  including(
    effect: "PreferNoSchedule",
    key: "all-pools-example",
    value: "true"
  ),
  # ...
)

[aaron-lane]

I have verified that the tests pass. stub_domains requires 2 converges to correctly configure module.gke.google_container_cluster.primary.

[morgante]

@Jberlinsky Here are follow-up items:

• Converge testing documentation and approach with project factory. We should be pushing people to run tests in Docker to minimize differences.
• I think the approach of manually managing fixtures by copying data into arbitrary example directories is very brittle and we need to back out of it ASAP. Principle: I should be able to nuke my local test directory and all testing artifacts will disappear.
• I'm still ambivalent about the approach of embedding network setup in the tests. In particular, I'm concerned about how we test shared VPC usage - do we have a plan for that?
• kitchen converge fails:

       Error: Error applying plan:
       
       1 error(s) occurred:
       
       * module.gke.google_container_cluster.primary: Resource 'data.google_compute_network.gke_network' not found for variable 'data.google_compute_network.gke_network.self_link'

• kitchen destroy fails if converge failed:

       Error: Error applying plan:
       
       1 error(s) occurred:
       
       * module.gke.local.cluster_master_auth_list_layer2: local.cluster_master_auth_list_layer2: At column 40, line 1: list "local.cluster_master_auth_list_layer1" does not have any elements so cannot determine type. in:
       
       ${local.cluster_master_auth_list_layer1[0]}

[Jberlinsky]

@morgante I haven't seen the kitchen converge error you mentioned before. Could you expand on how your project was set up, and possibly provide a full log of the test run?

[Jberlinsky]

@morgante I've addressed the action items you listed above, based on our conversation on Thursday:

• Documentation has been updated to better reflect that of project-factory (which resolves Make testing procedure more clear #12)
• The modules in examples/ are encapsulated by test cases in test/fixtures/<example_name>, which creates the requisite fixture network and calls the example as a module. These fixtures are can vary by test case, which will leave ample flexibility to cover shared VPC cases.
• The issue you encountered with kitchen converge in a project created by project-factory has been resolved (the solution resolves Allow cluster service account to be overridden without specifying in var.node_pools #23 and Update examples to include example of setting service account #39)

Could you take another look at this when you get a moment?

[Jberlinsky]

Worth pointing out that 7e0c063 addresses #23 in passing.

[aaron-lane]

Just some small changes and clarifications requested.

[Jberlinsky]

@aaron-lane I've addressed your comments -- would appreciate a re-review!

[morgante]

Overall this is in much better shape than before. Still a few small warts.

[morgante]

This seems very complex? Why do we need to do all this greping?

Anyways. This is not a testing change = separate PR please.

[aaron-lane]

This identifies which flag is used to "decode"; the interface of base64 differs across platforms.

[Jberlinsky]

I'd argue that this is indeed a testing change -- in moving from running these tests on the local host (the current state of master) to docker, it was necessary to change the interface of base64 as Aaron mentioned above depending on where the test is being run.

[morgante]

This is very close to being ready, here's my proposed plan of attack.

Blocking issues (cannot merge until fixed):

• Build Network Fixtures and Run Tests with Kitchen-Terraform #33 (comment)
• Build Network Fixtures and Run Tests with Kitchen-Terraform #33 (comment)
• Build Network Fixtures and Run Tests with Kitchen-Terraform #33 (comment)

We can merge but I want us to immediately back out any functional changes into their own PRs. Items to address soon after:

• Build Network Fixtures and Run Tests with Kitchen-Terraform #33 (comment)
• Build Network Fixtures and Run Tests with Kitchen-Terraform #33 (comment)
• Build Network Fixtures and Run Tests with Kitchen-Terraform #33 (comment)
• Build Network Fixtures and Run Tests with Kitchen-Terraform #33 (comment)

[morgante]

Running kitchen converge twice causes a permadiff for networking:

         network:    "projects/clf-cft-testing-dev/global/networks/cft-gke-test-cwky" => "https://www.googleapis.com/compute/v1/projects/clf-cft-testing-dev/global/networks/cft-gke-test-cwky"
         subnetwork: "projects/clf-cft-testing-dev/regions/us-east4/subnetworks/cft-gke-test-cwky" => "https://www.googleapis.com/compute/v1/projects/clf-cft-testing-dev/regions/us-east4/subnetworks/cft-gke-test-cwky"

This is possibly an upstream issue.

Obsolete

[Jberlinsky]

@morgante At a quick glance, the permadiff does indeed look to be upstream. I'm digging into it now.

[Jberlinsky]

It does indeed look like the permadiff is upstream -- all the way up to terraform core. See:

• google_container_cluster network information keeps being updated on subsequent identical terraform plan hashicorp/terraform-provider-google#1566
• Diffs are not getting suppressed when lifecycle.ignore_changes is ignoring a change to a different field hashicorp/terraform#18209

The good news is that as of 15 days ago, it's claimed to be fixed in master.