This repository has been archived by the owner on Oct 20, 2023. It is now read-only.

Commit

Standard changes for release 5.2.2 (#598)
* [PATCH] Patch Release v5.2.1 (#563)

* patch release for Forseti 2.25.1

* lint fixes

* fixes

* update
Standard changes for module v5.2.2 release.

* Minor change for readme.

* Update Forseti GCP tests due to a change in the GCP backend, which was resolved in this PR #538.
gkowalski-google authored Jul 28, 2020
1 parent 5a5528a commit 32aac07
Showing 18 changed files with 48 additions and 47 deletions.
7 changes: 7 additions & 0 deletions CHANGELOG.md
@@ -6,6 +6,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

Extending the adopted spec, each change should have a link to its corresponding pull request appended.

## [v5.2.2] - 2020-07-23

### Added

- Support for Forseti v2.25.2 [v5.2.2]

## [v5.2.1] - 2020-04-01

### Added
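Review bot: the new `## [v5.2.2]` entry ends with the `[v5.2.2]` compare reference only, while the preamble two lines above says each change should have its pull request link appended, and the link block further down in this file already defines PR references such as `[#563]` and `[#546]`; append `[#598]` to "Support for Forseti v2.25.2" and define it in the link block. Also worth a check: the entry is dated 2020-07-23 but the commit is authored Jul 28, 2020; if the date is meant to be the tag date that is fine, otherwise it should be updated.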
@@ -410,6 +416,7 @@ Version 4.0.0 is a backwards-incompatible release. Please see the [upgrade instr
[v5.1.3]: https://github.com/terraform-google-modules/terraform-google-forseti/compare/v5.1.2...v5.1.3
[v5.2.0]: https://github.com/terraform-google-modules/terraform-google-forseti/compare/v5.1.3...v5.2.0
[v5.2.1]: https://github.com/terraform-google-modules/terraform-google-forseti/compare/v5.2.0...v5.2.1
[v5.2.2]: https://github.com/terraform-google-modules/terraform-google-forseti/compare/v5.2.1...v5.2.2

[#563]: https://github.com/forseti-security/terraform-google-forseti/pull/563
[#546]: https://github.com/forseti-security/terraform-google-forseti/pull/546
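Review bot: this block adds the `[v5.2.2]` compare link but no `[#598]:` pull-request reference for the release PR, so the new changelog entry has nothing to point at even if it follows the file's own "append the PR link" rule; add `[#598]: https://github.com/forseti-security/terraform-google-forseti/pull/598` next to `[#563]` and `[#546]`.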
8 changes: 4 additions & 4 deletions README.md
@@ -7,7 +7,7 @@ A Google Cloud Shell Walkthrough has been setup to make it easy for users who ar

If you are familiar with Terraform and would like to run Terraform from a different machine, you can skip this walkthrough and move onto the [How to Deploy](#how-to-deploy) section.

[![Open in Google Cloud Shell](https://gstatic.com/cloudssh/images/open-btn.svg)](https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fforseti-security%2Fterraform-google-forseti.git&cloudshell_git_branch=modulerelease521&cloudshell_working_dir=examples/install_simple&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&cloudshell_tutorial=.%2Ftutorial.md)
[![Open in Google Cloud Shell](https://gstatic.com/cloudssh/images/open-btn.svg)](https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fforseti-security%2Fterraform-google-forseti.git&cloudshell_git_branch=modulerelease522&cloudshell_working_dir=examples/install_simple&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&cloudshell_tutorial=.%2Ftutorial.md)

## How to Deploy
In order to run this module you will need to be authenticated as a user that has access to the project and can create/authorize service accounts at both the organization and project levels. To login to GCP from a shell:
@@ -20,7 +20,7 @@ gcloud auth login
The repository has several helper scripts that can be used with the deployment process.

```bash
git clone --branch modulerelease521 --depth 1 https://github.com/forseti-security/terraform-google-forseti.git
git clone --branch modulerelease522 --depth 1 https://github.com/forseti-security/terraform-google-forseti.git
```

### Install Terraform
@@ -62,7 +62,7 @@ Create a file named `main.tf` in an empty directory and copy the contents below
```hcl
module "forseti" {
source = "terraform-google-modules/forseti/google"
version = "~> 5.2.1"
version = "~> 5.2.0"
gsuite_admin_email = "[email protected]"
domain = "yourdomain.com"
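Review bot: the version constraint goes backwards here, from `~> 5.2.1` to `~> 5.2.0`, in a commit whose purpose is to release 5.2.2. `~> 5.2.0` admits any 5.2.x, including 5.2.0 and 5.2.1, which default to the older Forseti v2.25.x, so a user copying this snippet is no longer guaranteed the release this README now documents (the Cloud Shell button and `git clone --branch modulerelease522` above were both moved forward). Unless loosening the pin is intentional, this should read `version = "~> 5.2.2"`.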
@@ -244,7 +244,7 @@ For this module to work, you need the following APIs enabled on the Forseti proj
| forseti\_home | Forseti installation directory | string | `"$USER_HOME/forseti-security"` | no |
| forseti\_repo\_url | Git repo for the Forseti installation | string | `"https://github.com/forseti-security/forseti-security"` | no |
| forseti\_run\_frequency | Schedule of running the Forseti scans | string | `"null"` | no |
| forseti\_version | The version of Forseti to install | string | `"v2.25.1"` | no |
| forseti\_version | The version of Forseti to install | string | `"v2.25.2"` | no |
| forwarding\_rule\_enabled | Forwarding rule scanner enabled. | bool | `"false"` | no |
| forwarding\_rule\_violations\_should\_notify | Notify for forwarding rule violations | bool | `"true"` | no |
| group\_enabled | Group scanner enabled. | bool | `"true"` | no |
2 changes: 1 addition & 1 deletion build/int-release.cloudbuild.yaml
@@ -41,4 +41,4 @@ tags:
substitutions:
_DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
_DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.4.6'
_FORSETI_VERSION: 'v2.25.1'
_FORSETI_VERSION: 'v2.25.2'
4 changes: 2 additions & 2 deletions examples/install_simple/README.md
@@ -2,7 +2,7 @@

This configuration is used to simply install Forseti. It includes a full Cloud Shell [tutorial](./tutorial.md).

[![Open in Cloud Shell](https://gstatic.com/cloudssh/images/open-btn.svg)](https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fforseti-security%2Fterraform-google-forseti.git&cloudshell_git_branch=modulerelease521&cloudshell_working_dir=examples/install_simple&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&cloudshell_tutorial=.%2Ftutorial.md)
[![Open in Cloud Shell](https://gstatic.com/cloudssh/images/open-btn.svg)](https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fforseti-security%2Fterraform-google-forseti.git&cloudshell_git_branch=modulerelease522&cloudshell_working_dir=examples/install_simple&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&cloudshell_tutorial=.%2Ftutorial.md)

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Inputs
@@ -12,7 +12,7 @@ This configuration is used to simply install Forseti. It includes a full Cloud S
| domain | The domain associated with the GCP Organization ID | string | n/a | yes |
| forseti\_email\_recipient | Forseti email recipient. | string | `""` | no |
| forseti\_email\_sender | Forseti email sender. | string | `""` | no |
| forseti\_version | The version of Forseti to install | string | `"v2.25.1"` | no |
| forseti\_version | The version of Forseti to install | string | `"v2.25.2"` | no |
| gsuite\_admin\_email | The email of a GSuite super admin, used for pulling user directory information *and* sending notifications. | string | n/a | yes |
| instance\_metadata | Metadata key/value pairs to make available from within the client and server instances. | map(string) | `<map>` | no |
| instance\_tags | Tags to assign the client and server instances. | list(string) | `<list>` | no |
2 changes: 1 addition & 1 deletion examples/install_simple/variables.tf
@@ -65,7 +65,7 @@ variable "forseti_email_recipient" {

variable "forseti_version" {
description = "The version of Forseti to install"
default = "v2.25.1"
default = "v2.25.2"
}

variable "region" {
6 changes: 3 additions & 3 deletions examples/migrate_forseti/tutorial.md
@@ -160,7 +160,7 @@ to match the region where the CAI GCS bucket is deployed.
Starting with Forseti Security 2.23, Terraform will manage your server
configuration file for you. Configuration options will now be input
variables that are defined in the Terraform module. Available variables
and their default values can be found [here](https://github.com/forseti-security/terraform-google-forseti/blob/modulerelease521/variables.tf).
and their default values can be found [here](https://github.com/forseti-security/terraform-google-forseti/blob/modulerelease522/variables.tf).
Default values will be used if values are not explicitly added.
This will ensure upgrading Forseti will be as easy as possible going forward.

@@ -202,10 +202,10 @@ to your <walkthrough-editor-select-regex
regex="Add any Forseti Server Configuration Variables Here">main.tf</walkthrough-editor-select-regex>.

## Obtain and Run the Import Script
This [import script](https://github.com/forseti-security/terraform-google-forseti/blob/modulerelease521/helpers/import.sh) will import the Forseti GCP resources into a local state file.
This [import script](https://github.com/forseti-security/terraform-google-forseti/blob/modulerelease522/helpers/import.sh) will import the Forseti GCP resources into a local state file.

```sh
curl --location --remote-name https://raw.githubusercontent.com/forseti-security/terraform-google-forseti/modulerelease521/helpers/import.sh
curl --location --remote-name https://raw.githubusercontent.com/forseti-security/terraform-google-forseti/modulerelease522/helpers/import.sh
chmod +x import.sh
./import.sh -h
```
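Review bot: the snippet fetches `import.sh` from the `modulerelease522` branch ref with `curl --location --remote-name`, then marks it executable and runs it in the next two lines. A branch ref can be moved after the tutorial is published, and this script imports live Forseti GCP resources into local state, so it would be safer to download it from the immutable release tag (or a commit SHA) and to tell the reader to look over the script before the `./import.sh -h` step rather than chaining download and execution.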
4 changes: 2 additions & 2 deletions examples/on_gke_end_to_end/README.md
@@ -76,8 +76,8 @@ This script will also activate necessary APIs required for Terraform to deploy F
| gsuite\_admin\_email | G-Suite administrator email address to manage your Forseti installation | string | n/a | yes |
| helm\_repository\_url | The Helm repository containing the 'forseti-security' Helm charts | string | `"https://forseti-security-charts.storage.googleapis.com/release/"` | no |
| k8s\_forseti\_namespace | The Kubernetes namespace in which to deploy Forseti. | string | `"forseti"` | no |
| k8s\_forseti\_orchestrator\_image\_tag | The tag for the container image for the Forseti orchestrator | string | `"v2.25.1"` | no |
| k8s\_forseti\_server\_image\_tag | The tag for the container image for the Forseti server | string | `"v2.25.1"` | no |
| k8s\_forseti\_orchestrator\_image\_tag | The tag for the container image for the Forseti orchestrator | string | `"v2.25.2"` | no |
| k8s\_forseti\_server\_image\_tag | The tag for the container image for the Forseti server | string | `"v2.25.2"` | no |
| k8s\_tiller\_sa\_name | The Kubernetes Service Account used by Tiller | string | `"tiller"` | no |
| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"1.14.10-gke.17"` | no |
| network | The name of the VPC being created | string | `"forseti-gke-network"` | no |
4 changes: 2 additions & 2 deletions examples/on_gke_end_to_end/variables.tf
@@ -126,12 +126,12 @@ variable "k8s_tiller_sa_name" {

variable "k8s_forseti_orchestrator_image_tag" {
description = "The tag for the container image for the Forseti orchestrator"
default = "v2.25.1"
default = "v2.25.2"
}

variable "k8s_forseti_server_image_tag" {
description = "The tag for the container image for the Forseti server"
default = "v2.25.1"
default = "v2.25.2"
}

variable "kubernetes_version" {
2 changes: 1 addition & 1 deletion examples/shared_vpc/README.md
@@ -8,7 +8,7 @@ This example illustrates how to set up a Forseti installation with shared VPC.
| Name | Description | Type | Default | Required |
|------|-------------|:----:|:-----:|:-----:|
| domain | Organization domain | string | n/a | yes |
| forseti\_version | The version of Forseti to install | string | `"v2.25.1"` | no |
| forseti\_version | The version of Forseti to install | string | `"v2.25.2"` | no |
| gsuite\_admin\_email | G Suite admin email | string | n/a | yes |
| instance\_metadata | Metadata key/value pairs to make available from within the client and server instances. | map(string) | `<map>` | no |
| network | Name of the shared VPC | string | n/a | yes |
2 changes: 1 addition & 1 deletion examples/shared_vpc/variables.tf
@@ -16,7 +16,7 @@

variable "forseti_version" {
description = "The version of Forseti to install"
default = "v2.25.1"
default = "v2.25.2"
}

variable "network_project" {
2 changes: 1 addition & 1 deletion modules/client/variables.tf
@@ -23,7 +23,7 @@ variable "project_id" {

variable "forseti_version" {
description = "The version of Forseti to install"
default = "v2.25.1"
default = "v2.25.2"
}

variable "forseti_repo_url" {
6 changes: 3 additions & 3 deletions modules/on_gke/README.md
@@ -83,7 +83,7 @@ This sub-module deploys Forseti on GKE. In short, this deploys a server contain
| forseti\_home | Forseti installation directory | string | `"$USER_HOME/forseti-security"` | no |
| forseti\_repo\_url | Git repo for the Forseti installation | string | `"https://github.com/forseti-security/forseti-security"` | no |
| forseti\_run\_frequency | Schedule of running the Forseti scans | string | `"null"` | no |
| forseti\_version | The version of Forseti to install | string | `"v2.25.1"` | no |
| forseti\_version | The version of Forseti to install | string | `"v2.25.2"` | no |
| forwarding\_rule\_enabled | Forwarding rule scanner enabled. | bool | `"false"` | no |
| forwarding\_rule\_violations\_should\_notify | Notify for forwarding rule violations | bool | `"true"` | no |
| git\_sync\_image | The container image used by the config-validator git-sync side-car | string | `"gcr.io/google-containers/git-sync"` | no |
@@ -117,9 +117,9 @@ This sub-module deploys Forseti on GKE. In short, this deploys a server contain
| k8s\_config\_validator\_image\_tag | The tag for the config-validator image. | string | `"572e207"` | no |
| k8s\_forseti\_namespace | The Kubernetes namespace in which to deploy Forseti. | string | `"forseti"` | no |
| k8s\_forseti\_orchestrator\_image | The container image for the Forseti orchestrator | string | `"gcr.io/forseti-containers/forseti"` | no |
| k8s\_forseti\_orchestrator\_image\_tag | The tag for the container image for the Forseti orchestrator | string | `"v2.25.1"` | no |
| k8s\_forseti\_orchestrator\_image\_tag | The tag for the container image for the Forseti orchestrator | string | `"v2.25.2"` | no |
| k8s\_forseti\_server\_image | The container image for the Forseti server | string | `"gcr.io/forseti-containers/forseti"` | no |
| k8s\_forseti\_server\_image\_tag | The tag for the container image for the Forseti server | string | `"v2.25.1"` | no |
| k8s\_forseti\_server\_image\_tag | The tag for the container image for the Forseti server | string | `"v2.25.2"` | no |
| k8s\_forseti\_server\_ingress\_cidr | If network_policy is true, k8s_forseti_server_ingress_cidr will restrict connections to the Forseti Server service from the CIDR's specified | string | `""` | no |
| k8s\_tiller\_sa\_name | The Kubernetes Service Account used by Tiller | string | `"tiller"` | no |
| ke\_scanner\_enabled | KE scanner enabled. | bool | `"false"` | no |
6 changes: 3 additions & 3 deletions modules/on_gke/variables.tf
@@ -79,7 +79,7 @@ variable "gsuite_admin_email" {

variable "forseti_version" {
description = "The version of Forseti to install"
default = "v2.25.1"
default = "v2.25.2"
}

variable "forseti_repo_url" {
@@ -938,7 +938,7 @@ variable "k8s_forseti_orchestrator_image" {

variable "k8s_forseti_orchestrator_image_tag" {
description = "The tag for the container image for the Forseti orchestrator"
default = "v2.25.1"
default = "v2.25.2"
}

variable "k8s_forseti_server_image" {
@@ -948,7 +948,7 @@ variable "k8s_forseti_server_image" {

variable "k8s_forseti_server_image_tag" {
description = "The tag for the container image for the Forseti server"
default = "v2.25.1"
default = "v2.25.2"
}

variable "k8s_forseti_server_ingress_cidr" {
2 changes: 1 addition & 1 deletion modules/server/variables.tf
@@ -23,7 +23,7 @@ variable "project_id" {

variable "forseti_version" {
description = "The version of Forseti to install"
default = "v2.25.1"
default = "v2.25.2"
}

variable "forseti_repo_url" {
2 changes: 1 addition & 1 deletion test/integration/install_simple/controls/client.rb
@@ -15,7 +15,7 @@
require "yaml"

forseti_server_vm_internal_dns = attribute("forseti-server-vm-internal-dns")
forseti_version = "2.25.1"
forseti_version = "2.25.2"

control "client" do
title "Forseti client instance resources"
32 changes: 13 additions & 19 deletions test/integration/install_simple/controls/forseti.rb
@@ -123,56 +123,50 @@
its('object_names') { should include(*files) }
end

describe google_service_account(name: "projects/#{project_id}/serviceAccounts/#{forseti_client_service_account}") do
describe google_service_account(project: project_id, name: forseti_client_service_account) do
its(:email) { should eq forseti_client_service_account }
its(:display_name) { should eq "Forseti Client Service Account" }
end

describe google_service_account(name: "projects/#{project_id}/serviceAccounts/#{forseti_server_service_account}") do
describe google_service_account(project: project_id, name: forseti_server_service_account) do
its(:email) { should eq forseti_server_service_account }
its(:display_name) { should eq "Forseti Server Service Account" }
end

describe google_compute_firewall(project: network_project, name: "forseti-server-allow-grpc-#{suffix}") do
let(:allowed) { subject.allowed.map(&:item) }

its('source_ranges') { should eq ["10.128.0.0/9"] }
its('direction') { should eq 'INGRESS' }
its('priority') { should eq 100 }

it "allows gRPC traffic" do
expect(allowed).to contain_exactly({ip_protocol: "tcp", ports: ["50051", "50052"]})
end
its('allowed.size') { should eq 1 }
it { should allow_port_protocol("50051", "tcp") }
it { should allow_port_protocol("50052", "tcp") }
end

describe google_compute_firewall(project: network_project, name: "forseti-server-deny-all-#{suffix}") do
let(:denied) { subject.denied.map(&:item) }

its('source_ranges') { should eq ["0.0.0.0/0"] }
its('direction') { should eq 'INGRESS' }
its('priority') { should eq 200 }

it "denies TCP, UDP, and ICMP" do
expect(denied).to contain_exactly(
{ip_protocol: "icmp"},
{ip_protocol: "tcp"},
{ip_protocol: "udp"}
expect(subject.denied).to contain_exactly(
an_object_having_attributes(ip_protocol: 'icmp'),
an_object_having_attributes(ip_protocol: 'tcp', ports: nil),
an_object_having_attributes(ip_protocol: 'udp', ports: nil)
)
end
end

describe google_compute_firewall(project: network_project, name: "forseti-client-deny-all-#{suffix}") do
let(:denied) { subject.denied.map(&:item) }

its('source_ranges') { should eq ["0.0.0.0/0"] }
its('direction') { should eq 'INGRESS' }
its('priority') { should eq 200 }

it "denies TCP, UDP, and ICMP" do
expect(denied).to contain_exactly(
{ip_protocol: "icmp"},
{ip_protocol: "tcp"},
{ip_protocol: "udp"}
expect(subject.denied).to contain_exactly(
an_object_having_attributes(ip_protocol: 'icmp'),
an_object_having_attributes(ip_protocol: 'tcp', ports: nil),
an_object_having_attributes(ip_protocol: 'udp', ports: nil)
)
end
end
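Review bot: the replacement assertions for `forseti-server-allow-grpc-#{suffix}` are weaker than the `contain_exactly` they replace. `its('allowed.size') { should eq 1 }` together with `allow_port_protocol("50051", "tcp")` and `allow_port_protocol("50052", "tcp")` confirms that the two gRPC ports are reachable, but no longer confirms that they are the only ports the single rule opens (a rule allowing tcp on 50051, 50052 and an extra port would still pass), leaving `source_ranges` as the only check that still bounds exposure. Consider asserting the exact port list on the single allowed entry, for example `its('allowed.first.ports') { should eq ["50051", "50052"] }`, or matching `an_object_having_attributes(ip_protocol: 'tcp', ports: ["50051", "50052"])` in the same style the deny rules below now use. Minor: in both deny-all blocks the icmp matcher omits `ports:` while tcp and udp carry `ports: nil`; either is fine for ICMP, but giving all three the same shape makes the "all ports denied" intent explicit, and the two identical deny-all example groups could be shared rather than duplicated.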
2 changes: 1 addition & 1 deletion test/integration/install_simple/controls/server.rb
@@ -14,7 +14,7 @@

require "yaml"

forseti_version = "2.25.1"
forseti_version = "2.25.2"
suffix = attribute("suffix")

control "server" do
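Review bot: `forseti_version = "2.25.2"` is hard-coded here and again in `client.rb`, separately from the `forseti_version` Terraform variable defaults bumped in this same commit; reading it from a test attribute, as this file already does with `suffix = attribute("suffix")`, would mean the next release touches one place and the integration test cannot silently verify a different version than the module deploys.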
2 changes: 1 addition & 1 deletion variables.tf
@@ -28,7 +28,7 @@ variable "gsuite_admin_email" {

variable "forseti_version" {
description = "The version of Forseti to install"
default = "v2.25.1"
default = "v2.25.2"
}

variable "forseti_repo_url" {