diff --git a/azure-pipelines.yaml b/azure-pipelines.yaml new file mode 100644 index 0000000..8f034f6 --- /dev/null +++ b/azure-pipelines.yaml @@ -0,0 +1,57 @@ +trigger: + batch: true + branches: + include: + - master + +pr: + - master + +resources: + repositories: + - repository: cnp-azuredevops-libraries + type: github + ref: refs/heads/master + name: hmcts/cnp-azuredevops-libraries + endpoint: 'hmcts' + +variables: + - name: timeoutInMinutes + value: 60 + - name: agentImage + value: ubuntu-20.04 + - template: vars/input-variables.yaml@cnp-azuredevops-libraries + +stages: + - stage: Precheck + jobs: + - job: + pool: + vmImage: ${{ variables.agentImage }} + steps: + - template: steps/terraform-precheck.yaml@cnp-azuredevops-libraries + parameters: + keyvaultName: 'infra-vault-nonprod' + keyvaultSecret: 'azure-devops-sp-token' + serviceConnection: 'azurerm-sandbox' + overrideAction: 'plan' + forcePreventParallelJobRun: true + + - stage: Test + dependsOn: Precheck + jobs: + - job: TerraformTest + pool: + vmImage: ${{ variables.agentImage }} + timeoutInMinutes: ${{ variables.timeoutInMinutes }} + workspace: + clean: all + steps: + - task: AzureCLI@2 + inputs: + azureSubscription: 'DTS-SHAREDSERVICESPTL-SBOX' + scriptType: 'bash' + scriptLocation: 'inlineScript' + inlineScript: | + terraform init + terraform test \ No newline at end of file diff --git a/keyvault.tf b/keyvault.tf index 63f4a6d..23447e2 100644 --- a/keyvault.tf +++ b/keyvault.tf @@ -44,6 +44,6 @@ data "azurerm_key_vault_secret" "splunk_pass4symmkey" { data "azurerm_key_vault_secret" "nessus_agent_key" { count = var.install_nessus_agent ? 1 : 0 provider = azurerm.soc - name = contains(["prod", "sbox"], var.env) ? "nessus-agent-key-${var.env}" : "nessus-agent-key-nonprod" + name = contains(["prod", "sbox"], var.env) ? "nessus-agent-key-${var.env}" : "nessus-agent-key-nonprod" key_vault_id = data.azurerm_key_vault.soc_vault[0].id } 
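Review bot: The Test stage's inline script runs `terraform test` from a `pr: - master` trigger under the `DTS-SHAREDSERVICESPTL-SBOX` service connection, and the `setup_vm` run blocks in the new test files carry no `command = plan`, so every pull request applies real VMs into that subscription; whether a pull request from a fork can reach that connection depends on the project's fork-build settings, which are not visible here, so confirm they are restricted before this is merged. The Test job also has no concurrency guard — Precheck sets `forcePreventParallelJobRun: true` but this job does not — and all four setup modules create a fixed `vm-bootstrap-test-rg`, so two overlapping PR builds will collide on the resource-group name. The script should fail fast as well: put `set -euo pipefail` as the first line under `inlineScript: |` and use `terraform init -input=false`, so a failed init is not reported as a test failure. `ubuntu-20.04` as `agentImage` is, as far as I know, a retired hosted image; verify it against the current agent pool before relying on it.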
diff --git a/ms_endpoint_protection.tf b/ms_endpoint_protection.tf index 1b1a8f1..8f647b8 100644 --- a/ms_endpoint_protection.tf +++ b/ms_endpoint_protection.tf @@ -1,5 +1,5 @@ resource "azurerm_virtual_machine_scale_set_extension" "endpoint_protection" { - count = var.install_endpoint_protection == true && var.os_type == "Windows" && var.virtual_machine_type == "vmss" ? 1 : 0 + count = var.install_endpoint_protection == true && lower(var.os_type) == "windows" && var.virtual_machine_type == "vmss" ? 1 : 0 depends_on = [azurerm_virtual_machine_scale_set_extension.dynatrace_oneagent] @@ -19,7 +19,7 @@ resource "azurerm_virtual_machine_scale_set_extension" "endpoint_protection" { } resource "azurerm_virtual_machine_extension" "endpoint_protection" { - count = var.install_endpoint_protection == true && var.os_type == "Windows" && var.virtual_machine_type == "vm" ? 1 : 0 + count = var.install_endpoint_protection == true && lower(var.os_type) == "windows" && var.virtual_machine_type == "vm" ? 1 : 0 depends_on = [azurerm_virtual_machine_extension.dynatrace_oneagent] diff --git a/tests/linux_vm_extensions.tftest.hcl b/tests/linux_vm_extensions.tftest.hcl new file mode 100644 index 0000000..ebf8a20 --- /dev/null +++ b/tests/linux_vm_extensions.tftest.hcl 
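Review bot: Both hunks lower-case `var.os_type` for the endpoint-protection `count`, but nothing in this diff shows the rest of the module doing the same — the new tests assert `AMALinux`/`AMAWindows` names and `oneAgentLinux`/`oneAgentWindows` types, which suggests other resources still branch on the exact string; if so, an `os_type = "windows"` input now gets endpoint protection but possibly the wrong monitoring agent. Normalising once is safer than patching each comparison: either add a `validation` block on `var.os_type` that accepts only the spellings the module handles, or define `is_windows = lower(var.os_type) == "windows"` in a `locals` block and use it in both `count` expressions, e.g. `count = var.install_endpoint_protection && local.is_windows && var.virtual_machine_type == "vmss" ? 1 : 0`. The `== true` on a bool variable is redundant and is dropped in that form. Both resource blocks continue outside the hunks.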
@@ -0,0 +1,212 @@ +provider "azurerm" { + features {} +} + +provider "azurerm" { + alias = "soc" + features {} + subscription_id = "8ae5b3b6-0b12-4888-b894-4cec33c92292" + skip_provider_registration = true +} + +provider "azurerm" { + alias = "cnp" + features {} + subscription_id = "1c4f0704-a29e-403d-b719-b90c34ef14c9" + skip_provider_registration = true +} + +# Default variables for this test +variables { + env = "nonprod" + os_type = "Linux" +} + +run "setup_vm" { + module { + source = "./tests/modules/setup_vm_linux" + } +} + +# Tests the default settings for extensions for a linux VM +# - Should install azure monitor by default +# - Should install a custom script extension by default (for nessus and splunk) +# - Should install dynatrace by default +# - Should not install endpoint protection for a linux VM +# - Should not install any scaleset extensions +run "virtual_machine_no_extensions" { + + command = plan + + variables { + virtual_machine_type = "vm" + virtual_machine_id = run.setup_vm.vm_id + } + + assert { + condition = length(azurerm_virtual_machine_extension.azure_monitor) == 1 + error_message = "Azure monitor installed by default" + } + + assert { + condition = azurerm_virtual_machine_extension.azure_monitor[0].name == "AMALinux" + error_message = "Incorrect name for azure monitor extension" + } + + assert { + condition = azurerm_virtual_machine_extension.azure_monitor[0].type == "AzureMonitorLinuxAgent" + error_message = "Incorrect type for azure monitor extension" + } + + assert { + condition = length(azurerm_virtual_machine_extension.custom_script) == 1 + error_message = "Custom script not installed by default" + } + + assert { + condition = azurerm_virtual_machine_extension.custom_script[0].publisher == "Microsoft.Azure.Extensions" + error_message = "Wrong publisher for a linux custom script" + } + + assert { + condition = azurerm_virtual_machine_extension.custom_script[0].type == "CustomScript" + error_message = "Wrong type for a linux custom 
script" + } + + assert { + condition = azurerm_virtual_machine_extension.custom_script[0].type_handler_version == "2.1" + error_message = "Wrong type handler version for a linux custom script" + } + + assert { + condition = length(azurerm_virtual_machine_extension.dynatrace_oneagent) == 1 + error_message = "Dynatrace not installed by default" + } + + assert { + condition = azurerm_virtual_machine_extension.dynatrace_oneagent[0].type == "oneAgentLinux" + error_message = "Wrong type for linux dynatrace extension" + } + + assert { + condition = length(azurerm_virtual_machine_extension.endpoint_protection) == 0 + error_message = "Endpoint protection installed on a linux VM" + } + + assert { + condition = length(azurerm_virtual_machine_extension.azure_vm_run_command) == 0 + error_message = "Run command installed when not specified" + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.azure_monitor) == 0 + error_message = "Scale set extension stood up for VM" + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.custom_script) == 0 + error_message = "Scale set extension stood up for VM" + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.dynatrace_oneagent) == 0 + error_message = "Scale set extension stood up for VM" + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.endpoint_protection) == 0 + error_message = "Scale set extension stood up for VM" + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.azure_vmss_run_command) == 0 + error_message = "Scale set extension stood up for VM" + } +} + +# Should not stand up an azure monitor extension when disabled +run "virtual_machine_no_azure_monitor_extension" { + + command = plan + + variables { + virtual_machine_type = "vm" + virtual_machine_id = run.setup_vm.vm_id + install_azure_monitor = false + } + + assert { + condition = length(azurerm_virtual_machine_extension.azure_monitor) 
== 0 + error_message = "Azure monitor installed when turned off" + } +} + +# Custom scipt should still install when nessus is disabled but splunk is still enabled +run "virtual_machine_no_nessus" { + + command = plan + + variables { + virtual_machine_type = "vm" + virtual_machine_id = run.setup_vm.vm_id + install_nessus_agent = false + } + + assert { + condition = length(azurerm_virtual_machine_extension.custom_script) == 1 + error_message = "Custom script not installed when only nessus is disabled" + } +} + +# Custom scipt should still install when splunk is disabled but nessus is still enabled +run "virtual_machine_no_splunk" { + + command = plan + + variables { + virtual_machine_type = "vm" + virtual_machine_id = run.setup_vm.vm_id + install_splunk_uf = false + } + + assert { + condition = length(azurerm_virtual_machine_extension.custom_script) == 1 + error_message = "Custom script not installed when only nessus is disabled" + } +} + +# Custom scipt should not be installed when both nessus and splunk are disabled +# TODO: add a test for additional script as that is installed here as well +run "virtual_machine_no_nessus_or_splunk" { + + command = plan + + variables { + virtual_machine_type = "vm" + virtual_machine_id = run.setup_vm.vm_id + install_splunk_uf = false + install_nessus_agent = false + } + + assert { + condition = length(azurerm_virtual_machine_extension.custom_script) == 0 + error_message = "Custom script installed when nessus and splunk are disabled" + } +} + +# Custom scipt should still install when splunk is disabled but nessus is still enabled +run "virtual_machine_no_dynatrace" { + + command = plan + + variables { + virtual_machine_type = "vm" + virtual_machine_id = run.setup_vm.vm_id + install_dynatrace_oneagent = false + } + + assert { + condition = length(azurerm_virtual_machine_extension.dynatrace_oneagent) == 0 + error_message = "Dynatrace installed when disabled" + } +} \ No newline at end of file 
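Review bot: The `setup_vm` run block has no `command` attribute, so `terraform test` defaults to `apply` and this file creates a real resource group, VNet, NIC and password-authenticated VM in whichever subscription the pipeline is logged into; that is presumably intended so the plan-only runs below have a real `virtual_machine_id`, but it should be stated on the block (e.g. `# Applies a throwaway VM so the plan runs below have a real virtual_machine_id`) so nobody assumes the suite is side-effect free. Several comments and messages were copied without editing: the comment above `virtual_machine_no_dynatrace` describes the splunk case, the `error_message` in `virtual_machine_no_splunk` reads `"Custom script not installed when only nessus is disabled"` and should be `"Custom script not installed when only splunk is disabled"`, and "scipt" is misspelt throughout. The same copy-paste defects appear in linux_vmss_extensions.tftest.hcl and windows_vm_extensions.tftest.hcl. The `soc`/`cnp` provider blocks hard-code subscription ids that are repeated across all four new test files; a single shared test variable would make a subscription change one edit rather than eight.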
diff --git a/tests/linux_vmss_extensions.tftest.hcl b/tests/linux_vmss_extensions.tftest.hcl
new file mode 100644
index 0000000..ed1b938
--- /dev/null
+++ b/tests/linux_vmss_extensions.tftest.hcl
@@ -0,0 +1,212 @@ +provider "azurerm" { + features {} +} + +provider "azurerm" { + alias = "soc" + features {} + subscription_id = "8ae5b3b6-0b12-4888-b894-4cec33c92292" + skip_provider_registration = true +} + +provider "azurerm" { + alias = "cnp" + features {} + subscription_id = "1c4f0704-a29e-403d-b719-b90c34ef14c9" + skip_provider_registration = true +} + +# Default variables for this test +variables { + env = "nonprod" + os_type = "Linux" +} + +run "setup_vm" { + module { + source = "./tests/modules/setup_vmss_linux" + } +} + +# Tests the default settings for extensions for a linux VM +# - Should install azure monitor by default +# - Should install a custom script extension by default (for nessus and splunk) +# - Should install dynatrace by default +# - Should not install endpoint protection for a linux VM +# - Should not install any scaleset extensions +run "virtual_machine_scale_set_no_extensions" { + + command = plan + + variables { + virtual_machine_type = "vmss" + virtual_machine_scale_set_id = run.setup_vm.vmss_id + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.azure_monitor) == 1 + error_message = "Azure monitor installed by default" + } + + assert { + condition = azurerm_virtual_machine_scale_set_extension.azure_monitor[0].name == "AMALinux" + error_message = "Incorrect name for azure monitor extension" + } + + assert { + condition = azurerm_virtual_machine_scale_set_extension.azure_monitor[0].type == "AzureMonitorLinuxAgent" + error_message = "Incorrect type for azure monitor extension" + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.custom_script) == 1 + error_message = "Custom script not installed by default" + } + + assert { + condition = azurerm_virtual_machine_scale_set_extension.custom_script[0].publisher == "Microsoft.Azure.Extensions" + error_message = "Wrong publisher for a linux custom script" + } + + assert { + condition = 
azurerm_virtual_machine_scale_set_extension.custom_script[0].type == "CustomScript" + error_message = "Wrong type for a linux custom script" + } + + assert { + condition = azurerm_virtual_machine_scale_set_extension.custom_script[0].type_handler_version == "2.1" + error_message = "Wrong type handler version for a linux custom script" + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.dynatrace_oneagent) == 1 + error_message = "Dynatrace not installed by default" + } + + assert { + condition = azurerm_virtual_machine_scale_set_extension.dynatrace_oneagent[0].type == "oneAgentLinux" + error_message = "Wrong type for linux dynatrace extension" + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.endpoint_protection) == 0 + error_message = "Endpoint protection installed on a linux VM" + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.azure_vmss_run_command) == 0 + error_message = "Run command installed when not specified" + } + + assert { + condition = length(azurerm_virtual_machine_extension.azure_monitor) == 0 + error_message = "Scale set extension stood up for VM" + } + + assert { + condition = length(azurerm_virtual_machine_extension.custom_script) == 0 + error_message = "Scale set extension stood up for VM" + } + + assert { + condition = length(azurerm_virtual_machine_extension.dynatrace_oneagent) == 0 + error_message = "Scale set extension stood up for VM" + } + + assert { + condition = length(azurerm_virtual_machine_extension.endpoint_protection) == 0 + error_message = "Scale set extension stood up for VM" + } + + assert { + condition = length(azurerm_virtual_machine_extension.azure_vm_run_command) == 0 + error_message = "Scale set extension stood up for VM" + } +} + +# Should not stand up an azure monitor extension when disabled +run "virtual_machine_scale_set_no_azure_monitor_extension" { + + command = plan + + variables { + virtual_machine_type = "vmss" + 
virtual_machine_scale_set_id = run.setup_vm.vmss_id + install_azure_monitor = false + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.azure_monitor) == 0 + error_message = "Azure monitor installed when turned off" + } +} + +# Custom scipt should still install when nessus is disabled but splunk is still enabled +run "virtual_machine_scale_set_no_nessus" { + + command = plan + + variables { + virtual_machine_type = "vmss" + virtual_machine_scale_set_id = run.setup_vm.vmss_id + install_nessus_agent = false + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.custom_script) == 1 + error_message = "Custom script not installed when only nessus is disabled" + } +} + +# Custom scipt should still install when splunk is disabled but nessus is still enabled +run "virtual_machine_scale_set_no_splunk" { + + command = plan + + variables { + virtual_machine_type = "vmss" + virtual_machine_scale_set_id = run.setup_vm.vmss_id + install_splunk_uf = false + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.custom_script) == 1 + error_message = "Custom script not installed when only nessus is disabled" + } +} + +# Custom scipt should not be installed when both nessus and splunk are disabled +# TODO: add a test for additional script as that is installed here as well +run "virtual_machine_scale_set_no_nessus_or_splunk" { + + command = plan + + variables { + virtual_machine_type = "vmss" + virtual_machine_scale_set_id = run.setup_vm.vmss_id + install_splunk_uf = false + install_nessus_agent = false + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.custom_script) == 0 + error_message = "Custom script installed when nessus and splunk are disabled" + } +} + +# Custom scipt should still install when splunk is disabled but nessus is still enabled +run "virtual_machine_scale_set_no_dynatrace" { + + command = plan + + variables { + virtual_machine_type = "vmss" + 
virtual_machine_scale_set_id = run.setup_vm.vmss_id + install_dynatrace_oneagent = false + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.dynatrace_oneagent) == 0 + error_message = "Dynatrace installed when disabled" + } +} \ No newline at end of file diff --git a/tests/modules/setup_vm_linux/main.tf b/tests/modules/setup_vm_linux/main.tf new file mode 100644 index 0000000..3054839 --- /dev/null +++ b/tests/modules/setup_vm_linux/main.tf 
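Review bot: The header comment on `virtual_machine_scale_set_no_extensions` and the error messages of its last five asserts were carried over from the VM file and are inverted for a scale set: those asserts check that no `azurerm_virtual_machine_extension` is created, yet the comment says `# - Should not install any scaleset extensions` and each message says `"Scale set extension stood up for VM"`. Change the comment to `# - Should not install any standalone VM extensions` and the messages to `"VM extension stood up for scale set"`, otherwise a failure points investigators at the wrong resource type. The same inverted header is visible at the top of windows_vmss_extensions.tftest.hcl, whose body is cut off in this view.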
@@ -0,0 +1,66 @@ +module "common_tags" { + source = "github.com/hmcts/terraform-module-common-tags?ref=master" + + builtFrom = "hmcts/terraform-module-vm-bootstrap" + environment = "ptlsbox" + product = "sds-platform" +} + +resource "azurerm_resource_group" "test" { + name = "vm-bootstrap-test-rg" + location = "UK South" +} + +resource "azurerm_virtual_network" "test" { + name = "vm-bootstrap-test-vnet" + address_space = ["10.0.0.0/16"] + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name + tags = module.common_tags.common_tags +} + +resource "azurerm_subnet" "test" { + name = "internal" + resource_group_name = azurerm_resource_group.test.name + virtual_network_name = azurerm_virtual_network.test.name + address_prefixes = ["10.0.2.0/24"] +} + +resource "azurerm_network_interface" "test" { + name = "test-nic" + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name + tags = module.common_tags.common_tags + + ip_configuration { + name = "internal" + subnet_id = azurerm_subnet.test.id + private_ip_address_allocation = "Dynamic" + } +} + +resource "azurerm_linux_virtual_machine" "test" { + name = "test-machine" + resource_group_name = azurerm_resource_group.test.name + location = azurerm_resource_group.test.location + size = "Standard_D2ds_v5" + admin_username = "adminuser" + admin_password = "example-$uper-$EcUrE-password" + disable_password_authentication = false + tags = module.common_tags.common_tags + network_interface_ids = [ + azurerm_network_interface.test.id, + ] + + os_disk { + caching = "ReadWrite" + storage_account_type = "Standard_LRS" + } + + source_image_reference { + publisher = "Canonical" + offer = "0001-com-ubuntu-server-jammy" + sku = "22_04-lts" + version = "latest" + } +} \ No newline at end of file diff --git a/tests/modules/setup_vm_linux/outputs.tf b/tests/modules/setup_vm_linux/outputs.tf new file mode 100644 index 0000000..a6c3dce 
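Review bot: `admin_password = "example-$uper-$EcUrE-password"` is a fixed credential committed to the repository, and `disable_password_authentication = false` makes it the login for a VM that `terraform test` really creates; the identical value is in setup_vm_windows, setup_vmss_linux and setup_vmss_windows. The VM has only a private IP here, which limits exposure, but a known password on test infrastructure is a finding most scanners raise and is easy to avoid by generating it per run, as below — for the Linux modules an `admin_ssh_key` with `disable_password_authentication = true` is the stronger option. `source = "github.com/hmcts/terraform-module-common-tags?ref=master"` floats on a branch; pin it to a tag or commit so the test setup is reproducible. The fixed `vm-bootstrap-test-rg` name shared by all four setup modules will also conflict if a previous run's destroy failed; a `random_pet` suffix avoids that.
```hcl
resource "random_password" "admin" {
  length  = 24
  special = true
}

# … unchanged: common_tags module, resource group, vnet, subnet, nic …

resource "azurerm_linux_virtual_machine" "test" {
  # … unchanged: name, resource_group_name, location, size …
  admin_username                  = "adminuser"
  admin_password                  = random_password.admin.result
  disable_password_authentication = false
  # … unchanged: tags, network_interface_ids, os_disk, source_image_reference …
```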
--- /dev/null
+++ b/tests/modules/setup_vm_linux/outputs.tf
@@ -0,0 +1,3 @@
+output "vm_id" {
+ value = azurerm_linux_virtual_machine.test.id
+}
\ No newline at end of file
diff --git a/tests/modules/setup_vm_windows/main.tf b/tests/modules/setup_vm_windows/main.tf
new file mode 100644
index 0000000..0baf5f0
--- /dev/null
+++ b/tests/modules/setup_vm_windows/main.tf
@@ -0,0 +1,65 @@ +module "common_tags" { + source = "github.com/hmcts/terraform-module-common-tags?ref=master" + + builtFrom = "hmcts/terraform-module-vm-bootstrap" + environment = "ptlsbox" + product = "sds-platform" +} + +resource "azurerm_resource_group" "test" { + name = "vm-bootstrap-test-rg" + location = "UK South" +} + +resource "azurerm_virtual_network" "test" { + name = "vm-bootstrap-test-vnet" + address_space = ["10.0.0.0/16"] + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name + tags = module.common_tags.common_tags +} + +resource "azurerm_subnet" "test" { + name = "internal" + resource_group_name = azurerm_resource_group.test.name + virtual_network_name = azurerm_virtual_network.test.name + address_prefixes = ["10.0.2.0/24"] +} + +resource "azurerm_network_interface" "test" { + name = "test-nic" + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name + tags = module.common_tags.common_tags + + ip_configuration { + name = "internal" + subnet_id = azurerm_subnet.test.id + private_ip_address_allocation = "Dynamic" + } +} + +resource "azurerm_windows_virtual_machine" "test" { + name = "test-machine" + resource_group_name = azurerm_resource_group.test.name + location = azurerm_resource_group.test.location + size = "Standard_D2ds_v5" + admin_username = "adminuser" + admin_password = "example-$uper-$EcUrE-password" + tags = module.common_tags.common_tags + network_interface_ids = [ + azurerm_network_interface.test.id, + ] + + os_disk { + caching = "ReadWrite" + storage_account_type = "Standard_LRS" + } + + source_image_reference { + publisher = "MicrosoftWindowsServer" + offer = "WindowsServer" + sku = "2022-Datacenter" + version = "latest" + } +} \ No newline at end of file diff --git a/tests/modules/setup_vm_windows/outputs.tf b/tests/modules/setup_vm_windows/outputs.tf new file mode 100644 index 0000000..09ee840 --- /dev/null 
+++ b/tests/modules/setup_vm_windows/outputs.tf @@ -0,0 +1,3 @@ +output "vm_id" { + value = azurerm_windows_virtual_machine.test.id +} \ No newline at end of file diff --git a/tests/modules/setup_vmss_linux/main.tf b/tests/modules/setup_vmss_linux/main.tf new file mode 100644 index 0000000..3baa45a --- /dev/null +++ b/tests/modules/setup_vmss_linux/main.tf @@ -0,0 +1,62 @@ +module "common_tags" { + source = "github.com/hmcts/terraform-module-common-tags?ref=master" + + builtFrom = "hmcts/terraform-module-vm-bootstrap" + environment = "ptlsbox" + product = "sds-platform" +} + +resource "azurerm_resource_group" "test" { + name = "vm-bootstrap-test-rg" + location = "UK South" +} + +resource "azurerm_virtual_network" "test" { + name = "vm-bootstrap-test-vnet" + resource_group_name = azurerm_resource_group.test.name + location = azurerm_resource_group.test.location + address_space = ["10.0.0.0/16"] + tags = module.common_tags.common_tags +} + +resource "azurerm_subnet" "internal" { + name = "internal" + resource_group_name = azurerm_resource_group.test.name + virtual_network_name = azurerm_virtual_network.test.name + address_prefixes = ["10.0.2.0/24"] +} + +resource "azurerm_linux_virtual_machine_scale_set" "test" { + name = "test-vmss" + resource_group_name = azurerm_resource_group.test.name + location = azurerm_resource_group.test.location + sku = "Standard_D2ds_v5" + instances = 1 + admin_username = "adminuser" + admin_password = "example-$uper-$EcUrE-password" + disable_password_authentication = false + tags = module.common_tags.common_tags + + source_image_reference { + publisher = "Canonical" + offer = "0001-com-ubuntu-server-jammy" + sku = "22_04-lts" + version = "latest" + } + + os_disk { + storage_account_type = "Standard_LRS" + caching = "ReadWrite" + } + + network_interface { + name = "test" + primary = true + + ip_configuration { + name = "internal" + primary = true + subnet_id = azurerm_subnet.internal.id + } + } +} \ No newline at end of file 
diff --git a/tests/modules/setup_vmss_linux/outputs.tf b/tests/modules/setup_vmss_linux/outputs.tf
new file mode 100644
index 0000000..fb49e8d
--- /dev/null
+++ b/tests/modules/setup_vmss_linux/outputs.tf
@@ -0,0 +1,3 @@
+output "vmss_id" {
+ value = azurerm_linux_virtual_machine_scale_set.test.id
+}
\ No newline at end of file
diff --git a/tests/modules/setup_vmss_windows/main.tf b/tests/modules/setup_vmss_windows/main.tf
new file mode 100644
index 0000000..b46e00f
--- /dev/null
+++ b/tests/modules/setup_vmss_windows/main.tf
@@ -0,0 +1,61 @@ +module "common_tags" { + source = "github.com/hmcts/terraform-module-common-tags?ref=master" + + builtFrom = "hmcts/terraform-module-vm-bootstrap" + environment = "ptlsbox" + product = "sds-platform" +} + +resource "azurerm_resource_group" "test" { + name = "vm-bootstrap-test-rg" + location = "UK South" +} + +resource "azurerm_virtual_network" "test" { + name = "vm-bootstrap-test-vnet" + resource_group_name = azurerm_resource_group.test.name + location = azurerm_resource_group.test.location + address_space = ["10.0.0.0/16"] + tags = module.common_tags.common_tags +} + +resource "azurerm_subnet" "internal" { + name = "internal" + resource_group_name = azurerm_resource_group.test.name + virtual_network_name = azurerm_virtual_network.test.name + address_prefixes = ["10.0.2.0/24"] +} + +resource "azurerm_windows_virtual_machine_scale_set" "test" { + name = "test-vmss" + resource_group_name = azurerm_resource_group.test.name + location = azurerm_resource_group.test.location + sku = "Standard_D2ds_v5" + instances = 1 + admin_username = "adminuser" + admin_password = "example-$uper-$EcUrE-password" + tags = module.common_tags.common_tags + + source_image_reference { + publisher = "MicrosoftWindowsServer" + offer = "WindowsServer" + sku = "2022-Datacenter" + version = "latest" + } + + os_disk { + storage_account_type = "Standard_LRS" + caching = "ReadWrite" + } + + network_interface { + name = "test" + primary = true + + ip_configuration { + name = "internal" + primary = true + subnet_id = azurerm_subnet.internal.id + } + } +} \ No newline at end of file diff --git a/tests/modules/setup_vmss_windows/outputs.tf b/tests/modules/setup_vmss_windows/outputs.tf new file mode 100644 index 0000000..9855c83 --- /dev/null +++ b/tests/modules/setup_vmss_windows/outputs.tf @@ -0,0 +1,3 @@ +output "vmss_id" { + value = azurerm_windows_virtual_machine_scale_set.test.id +} \ No newline at end of file 
diff --git a/tests/windows_vm_extensions.tftest.hcl b/tests/windows_vm_extensions.tftest.hcl
new file mode 100644
index 0000000..f4321a9
--- /dev/null
+++ b/tests/windows_vm_extensions.tftest.hcl
@@ -0,0 +1,230 @@ +provider "azurerm" { + features {} +} + +provider "azurerm" { + alias = "soc" + features {} + subscription_id = "8ae5b3b6-0b12-4888-b894-4cec33c92292" + skip_provider_registration = true +} + +provider "azurerm" { + alias = "cnp" + features {} + subscription_id = "1c4f0704-a29e-403d-b719-b90c34ef14c9" + skip_provider_registration = true +} + +# Default variables for this test +variables { + env = "nonprod" + os_type = "Windows" +} + +run "setup_vm" { + module { + source = "./tests/modules/setup_vm_windows" + } +} + +# Tests the default settings for extensions for a windows VM +# - Should install azure monitor by default +# - Should install a custom script extension by default (for nessus and splunk) +# - Should install dynatrace by default +# - Should install endpoint protection by default +# - Should not install any scaleset extensions +run "virtual_machine_no_extensions" { + + command = plan + + variables { + virtual_machine_type = "vm" + virtual_machine_id = run.setup_vm.vm_id + } + + assert { + condition = length(azurerm_virtual_machine_extension.azure_monitor) == 1 + error_message = "Azure monitor installed by default" + } + + assert { + condition = azurerm_virtual_machine_extension.azure_monitor[0].name == "AMAWindows" + error_message = "Incorrect name for azure monitor extension" + } + + assert { + condition = azurerm_virtual_machine_extension.azure_monitor[0].type == "AzureMonitorWindowsAgent" + error_message = "Incorrect type for azure monitor extension" + } + + assert { + condition = length(azurerm_virtual_machine_extension.custom_script) == 1 + error_message = "Custom script not installed by default" + } + + assert { + condition = azurerm_virtual_machine_extension.custom_script[0].publisher == "Microsoft.Compute" + error_message = "Wrong publisher for a windows custom script" + } + + assert { + condition = azurerm_virtual_machine_extension.custom_script[0].type == "CustomScriptExtension" + error_message = "Wrong type for a windows 
custom script" + } + + assert { + condition = azurerm_virtual_machine_extension.custom_script[0].type_handler_version == "1.9" + error_message = "Wrong type handler version for a windows custom script" + } + + assert { + condition = length(azurerm_virtual_machine_extension.dynatrace_oneagent) == 1 + error_message = "Dynatrace not installed by default" + } + + assert { + condition = azurerm_virtual_machine_extension.dynatrace_oneagent[0].type == "oneAgentWindows" + error_message = "Wrong type for windows dynatrace extension" + } + + assert { + condition = length(azurerm_virtual_machine_extension.endpoint_protection) == 1 + error_message = "Endpoint protection not installed by default" + } + + assert { + condition = length(azurerm_virtual_machine_extension.azure_vm_run_command) == 0 + error_message = "Run command installed when not specified" + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.azure_monitor) == 0 + error_message = "Scale set extension stood up for VM" + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.custom_script) == 0 + error_message = "Scale set extension stood up for VM" + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.dynatrace_oneagent) == 0 + error_message = "Scale set extension stood up for VM" + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.endpoint_protection) == 0 + error_message = "Scale set extension stood up for VM" + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.azure_vmss_run_command) == 0 + error_message = "Scale set extension stood up for VM" + } +} + +# Should not stand up an azure monitor extension when disabled +run "virtual_machine_no_azure_monitor_extension" { + + command = plan + + variables { + virtual_machine_type = "vm" + virtual_machine_id = run.setup_vm.vm_id + install_azure_monitor = false + } + + assert { + condition = 
length(azurerm_virtual_machine_extension.azure_monitor) == 0 + error_message = "Azure monitor installed when turned off" + } +} + +# Custom scipt should still install when nessus is disabled but splunk is still enabled +run "virtual_machine_no_nessus" { + + command = plan + + variables { + virtual_machine_type = "vm" + virtual_machine_id = run.setup_vm.vm_id + install_nessus_agent = false + } + + assert { + condition = length(azurerm_virtual_machine_extension.custom_script) == 1 + error_message = "Custom script not installed when only nessus is disabled" + } +} + +# Custom scipt should still install when splunk is disabled but nessus is still enabled +run "virtual_machine_no_splunk" { + + command = plan + + variables { + virtual_machine_type = "vm" + virtual_machine_id = run.setup_vm.vm_id + install_splunk_uf = false + } + + assert { + condition = length(azurerm_virtual_machine_extension.custom_script) == 1 + error_message = "Custom script not installed when only nessus is disabled" + } +} + +# Custom scipt should not install endpoint protection when disabled +run "virtual_machine_no_endpoint_protection" { + + command = plan + + variables { + virtual_machine_type = "vm" + virtual_machine_id = run.setup_vm.vm_id + install_endpoint_protection = false + } + + assert { + condition = length(azurerm_virtual_machine_extension.endpoint_protection) == 0 + error_message = "Endpoint protection installed when disabled" + } +} + +# Custom scipt should not be installed when both nessus and splunk are disabled +# TODO: add a test for additional script as that is installed here as well +# TODO: add tests for run command +run "virtual_machine_no_nessus_or_splunk" { + + command = plan + + variables { + virtual_machine_type = "vm" + virtual_machine_id = run.setup_vm.vm_id + install_splunk_uf = false + install_nessus_agent = false + } + + assert { + condition = length(azurerm_virtual_machine_extension.custom_script) == 0 + error_message = "Custom script installed when nessus and 
splunk are disabled" + } +} + +# Custom scipt should still install when splunk is disabled but nessus is still enabled +run "virtual_machine_no_dynatrace" { + + command = plan + + variables { + virtual_machine_type = "vm" + virtual_machine_id = run.setup_vm.vm_id + install_dynatrace_oneagent = false + } + + assert { + condition = length(azurerm_virtual_machine_extension.dynatrace_oneagent) == 0 + error_message = "Dynatrace installed when disabled" + } +} \ No newline at end of file diff --git a/tests/windows_vmss_extensions.tftest.hcl b/tests/windows_vmss_extensions.tftest.hcl new file mode 100644 index 0000000..efdf365 --- /dev/null +++ b/tests/windows_vmss_extensions.tftest.hcl 
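Review bot: This suite only ever sets `os_type = "Windows"` in its file-level `variables` block, so the case-insensitive comparison this commit introduces in ms_endpoint_protection.tf is never exercised; a run that overrides `os_type = "windows"` and asserts `length(azurerm_virtual_machine_extension.endpoint_protection) == 1` (below) would pin the fix, and would also reveal whether the other extensions — whose `AMAWindows`/`oneAgentWindows` asserts here imply exact-string matching elsewhere in the module — behave consistently for that input. The comment above `virtual_machine_no_endpoint_protection` says `# Custom scipt should not install endpoint protection when disabled`, but the run is about the endpoint-protection extension, not the custom script; `# Endpoint protection should not be installed when disabled` is what the assert checks. The `# TODO: add tests for run command` marker is fine but worth tracking as an issue, since `azure_vm_run_command` is otherwise only ever asserted absent.
```hcl
# Mixed-case os_type must still select the Windows-only extensions
run "virtual_machine_lowercase_os_type" {

  command = plan

  variables {
    virtual_machine_type = "vm"
    virtual_machine_id   = run.setup_vm.vm_id
    os_type              = "windows"
  }

  assert {
    condition     = length(azurerm_virtual_machine_extension.endpoint_protection) == 1
    error_message = "Endpoint protection not installed for lower-case os_type"
  }
}
```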
@@ -0,0 +1,230 @@ +provider "azurerm" { + features {} +} + +provider "azurerm" { + alias = "soc" + features {} + subscription_id = "8ae5b3b6-0b12-4888-b894-4cec33c92292" + skip_provider_registration = true +} + +provider "azurerm" { + alias = "cnp" + features {} + subscription_id = "1c4f0704-a29e-403d-b719-b90c34ef14c9" + skip_provider_registration = true +} + +# Default variables for this test +variables { + env = "nonprod" + os_type = "Windows" +} + +run "setup_vm" { + module { + source = "./tests/modules/setup_vmss_windows" + } +} + +# Tests the default settings for extensions for a windows VM +# - Should install azure monitor by default +# - Should install a custom script extension by default (for nessus and splunk) +# - Should install dynatrace by default +# - Should install endpoint protection by default +# - Should not install any scaleset extensions +run "virtual_machine_scale_set_no_extensions" { + + command = plan + + variables { + virtual_machine_type = "vmss" + virtual_machine_scale_set_id = run.setup_vm.vmss_id + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.azure_monitor) == 1 + error_message = "Azure monitor installed by default" + } + + assert { + condition = azurerm_virtual_machine_scale_set_extension.azure_monitor[0].name == "AMAWindows" + error_message = "Incorrect name for azure monitor extension" + } + + assert { + condition = azurerm_virtual_machine_scale_set_extension.azure_monitor[0].type == "AzureMonitorWindowsAgent" + error_message = "Incorrect type for azure monitor extension" + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.custom_script) == 1 + error_message = "Custom script not installed by default" + } + + assert { + condition = azurerm_virtual_machine_scale_set_extension.custom_script[0].publisher == "Microsoft.Compute" + error_message = "Wrong publisher for a windows custom script" + } + + assert { + condition = 
azurerm_virtual_machine_scale_set_extension.custom_script[0].type == "CustomScriptExtension" + error_message = "Wrong type for a windows custom script" + } + + assert { + condition = azurerm_virtual_machine_scale_set_extension.custom_script[0].type_handler_version == "1.9" + error_message = "Wrong type handler version for a windows custom script" + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.dynatrace_oneagent) == 1 + error_message = "Dynatrace not installed by default" + } + + assert { + condition = azurerm_virtual_machine_scale_set_extension.dynatrace_oneagent[0].type == "oneAgentWindows" + error_message = "Wrong type for windows dynatrace extension" + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.endpoint_protection) == 1 + error_message = "Endpoint protection not installed by default" + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.azure_vmss_run_command) == 0 + error_message = "Run command installed when not specified" + } + + assert { + condition = length(azurerm_virtual_machine_extension.azure_monitor) == 0 + error_message = "Scale set extension stood up for VM" + } + + assert { + condition = length(azurerm_virtual_machine_extension.custom_script) == 0 + error_message = "Scale set extension stood up for VM" + } + + assert { + condition = length(azurerm_virtual_machine_extension.dynatrace_oneagent) == 0 + error_message = "Scale set extension stood up for VM" + } + + assert { + condition = length(azurerm_virtual_machine_extension.endpoint_protection) == 0 + error_message = "Scale set extension stood up for VM" + } + + assert { + condition = length(azurerm_virtual_machine_extension.azure_vm_run_command) == 0 + error_message = "Scale set extension stood up for VM" + } +} + +# Should not stand up an azure monitor extension when disabled +run "virtual_machine_scale_set_no_azure_monitor_extension" { + + command = plan + + variables { + virtual_machine_type = 
"vmss" + virtual_machine_scale_set_id = run.setup_vm.vmss_id + install_azure_monitor = false + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.azure_monitor) == 0 + error_message = "Azure monitor installed when turned off" + } +} + +# Custom scipt should still install when nessus is disabled but splunk is still enabled +run "virtual_machine_scale_set_no_nessus" { + + command = plan + + variables { + virtual_machine_type = "vmss" + virtual_machine_scale_set_id = run.setup_vm.vmss_id + install_nessus_agent = false + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.custom_script) == 1 + error_message = "Custom script not installed when only nessus is disabled" + } +} + +# Custom scipt should still install when splunk is disabled but nessus is still enabled +run "virtual_machine_scale_set_no_splunk" { + + command = plan + + variables { + virtual_machine_type = "vmss" + virtual_machine_scale_set_id = run.setup_vm.vmss_id + install_splunk_uf = false + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.custom_script) == 1 + error_message = "Custom script not installed when only nessus is disabled" + } +} + +# Custom scipt should not install endpoint protection when disabled +run "virtual_machine_scale_set_no_endpoint_protection" { + + command = plan + + variables { + virtual_machine_type = "vmss" + virtual_machine_scale_set_id = run.setup_vm.vmss_id + install_endpoint_protection = false + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.endpoint_protection) == 0 + error_message = "Endpoint protection installed when disabled" + } +} + +# Custom scipt should not be installed when both nessus and splunk are disabled +# TODO: add a test for additional script as that is installed here as well +# TODO: add tests for run command +run "virtual_machine_scale_set_no_nessus_or_splunk" { + + command = plan + + variables { + virtual_machine_type = "vmss" + 
virtual_machine_scale_set_id = run.setup_vm.vmss_id + install_splunk_uf = false + install_nessus_agent = false + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.custom_script) == 0 + error_message = "Custom script installed when nessus and splunk are disabled" + } +} + +# Custom scipt should still install when splunk is disabled but nessus is still enabled +run "virtual_machine_scale_set_no_dynatrace" { + + command = plan + + variables { + virtual_machine_type = "vmss" + virtual_machine_scale_set_id = run.setup_vm.vmss_id + install_dynatrace_oneagent = false + } + + assert { + condition = length(azurerm_virtual_machine_scale_set_extension.dynatrace_oneagent) == 0 + error_message = "Dynatrace installed when disabled" + } +} \ No newline at end of file diff --git a/variables.tf b/variables.tf index 3465bd7..443a90a 100644 --- a/variables.tf +++ b/variables.tf @@ -10,6 +10,11 @@ variable "os_type" { description = "Windows or Linux." type = string default = "Linux" + + validation { + condition = contains(["windows", "linux"], lower(var.os_type)) + error_message = "Unknown OS type. Must be either 'Windows' or 'Linux'" + } } variable "env" {
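Review bot: Several error messages in the new run blocks report the opposite of the failure they guard: `error_message = "Azure monitor installed by default"` sits under `length(azurerm_virtual_machine_scale_set_extension.azure_monitor) == 1`, so it prints when the monitor is missing; the five `"Scale set extension stood up for VM"` messages guard the VM-extension counts in a scale-set run; and `virtual_machine_scale_set_no_splunk` and `virtual_machine_scale_set_no_dynatrace` reuse the nessus message and comment verbatim. Suggest `error_message = "Azure monitor not installed by default"`, `error_message = "VM extension stood up for scale set"` and `error_message = "Custom script not installed when only splunk is disabled"` respectively, and fixing the "scipt" typo in the run comments; the same copy-pasted messages appear in tests/linux_vm_extensions.tftest.hcl. The file-level `variables { os_type = "Windows" }` never exercises the `lower(var.os_type)` comparison this commit introduces in ms_endpoint_protection.tf, so a run with `os_type = "windows"` asserting `length(azurerm_virtual_machine_scale_set_extension.endpoint_protection) == 1` would pin that behaviour. The hard-coded `subscription_id` values in the `soc` and `cnp` provider blocks duplicate environment configuration into a committed test file; sourcing them from variables or the test environment would keep that configuration in one place.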
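Review bot: The new validation accepts any casing of the OS name, but this commit only switches ms_endpoint_protection.tf to `lower(var.os_type)`, so if any other resource in the module still compares the raw value against "Windows" or "Linux" (not visible here), an input such as `os_type = "windows"` would now pass validation and then silently take the wrong branch. Either keep the check as strict as the description states, `condition = contains(["Windows", "Linux"], var.os_type)`, or normalise once with `locals { os_type = lower(var.os_type) }` and have every consumer read `local.os_type` instead of the variable. The enclosing `variable "os_type"` block opens before the hunk.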