Fix tests to use dedicated bootstrapped service accounts instead of o…

…ne shared account
GoogleCloudPlatform · Apr 11, 2024 · 04780b4 · 04780b4
1 parent 01ead35
commit 04780b4
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 8 deletions.
diff --git a/mmv1/third_party/terraform/acctest/bootstrap_test_utils.go b/mmv1/third_party/terraform/acctest/bootstrap_test_utils.go
@@ -143,13 +143,13 @@ func BootstrapKMSKeyWithPurposeInLocationAndName(t *testing.T, purpose, location
 	}
 }
 
-var serviceAccountEmail = "tf-bootstrap-service-account"
+var serviceAccountPrefix = "tf-bootstrap-sa-"
 var serviceAccountDisplay = "Bootstrapped Service Account for Terraform tests"
 
 // Some tests need a second service account, other than the test runner, to assert functionality on.
 // This provides a well-known service account that can be used when dynamically creating a service
 // account isn't an option.
-func getOrCreateServiceAccount(config *transport_tpg.Config, project string) (*iam.ServiceAccount, error) {
+func getOrCreateServiceAccount(config *transport_tpg.Config, project, serviceAccountEmail string) (*iam.ServiceAccount, error) {
 	name := fmt.Sprintf("projects/%s/serviceAccounts/%s@%s.iam.gserviceaccount.com", project, serviceAccountEmail, project)
 	log.Printf("[DEBUG] Verifying %s as bootstrapped service account.\n", name)
 
@@ -206,13 +206,19 @@ func impersonationServiceAccountPermissions(config *transport_tpg.Config, sa *ia
 	return nil
 }
 
-func BootstrapServiceAccount(t *testing.T, project, testRunner string) string {
+// A separate testId should be used for each test, to create separate service accounts for each,
+// and avoid race conditions where the policy of the same service account is being modified by 2
+// tests at once. This is needed as long as the function overwrites the policy on every run.
+func BootstrapServiceAccount(t *testing.T, testId, testRunner string) string {
+	project := envvar.GetTestProjectFromEnv()
+	serviceAccountEmail := serviceAccountPrefix + testId
+
 	config := BootstrapConfig(t)
 	if config == nil {
 		return ""
 	}
 
-	sa, err := getOrCreateServiceAccount(config, project)
+	sa, err := getOrCreateServiceAccount(config, project, serviceAccountEmail)
 	if err != nil {
 		t.Fatalf("Bootstrapping failed. Cannot retrieve service account, %s", err)
 	}
@@ -1228,7 +1234,8 @@ func SetupProjectsAndGetAccessToken(org, billing, pid, service string, config *t
 	}
 
 	// Create a service account for project-1
-	sa1, err := getOrCreateServiceAccount(config, pid)
+	serviceAccountEmail := serviceAccountPrefix + service
+	sa1, err := getOrCreateServiceAccount(config, pid, serviceAccountEmail)
 	if err != nil {
 		return "", err
 	}

diff --git a/...erraform/services/resourcemanager/data_source_google_service_account_access_token_test.go b/...erraform/services/resourcemanager/data_source_google_service_account_access_token_test.go
@@ -34,7 +34,7 @@ func TestAccDataSourceGoogleServiceAccountAccessToken_basic(t *testing.T) {
 
 	resourceName := "data.google_service_account_access_token.default"
 	serviceAccount := envvar.GetTestServiceAccountFromEnv(t)
-	targetServiceAccountEmail := acctest.BootstrapServiceAccount(t, envvar.GetTestProjectFromEnv(), serviceAccount)
+	targetServiceAccountEmail := acctest.BootstrapServiceAccount(t, "access-token-basic", serviceAccount)
 
 	acctest.VcrTest(t, resource.TestCase{
 		PreCheck:                 func() { acctest.AccTestPreCheck(t) },

diff --git a/...ty/terraform/services/resourcemanager/data_source_google_service_account_id_token_test.go b/...ty/terraform/services/resourcemanager/data_source_google_service_account_id_token_test.go
@@ -73,7 +73,7 @@ func TestAccDataSourceGoogleServiceAccountIdToken_impersonation(t *testing.T) {
 
 	resourceName := "data.google_service_account_id_token.default"
 	serviceAccount := envvar.GetTestServiceAccountFromEnv(t)
-	targetServiceAccountEmail := acctest.BootstrapServiceAccount(t, envvar.GetTestProjectFromEnv(), serviceAccount)
+	targetServiceAccountEmail := acctest.BootstrapServiceAccount(t, "id-token-impersonate", serviceAccount)
 
 	resource.Test(t, resource.TestCase{
 		PreCheck:                 func() { acctest.AccTestPreCheck(t) },

diff --git a/...d_party/terraform/services/resourcemanager/data_source_google_service_account_jwt_test.go b/...d_party/terraform/services/resourcemanager/data_source_google_service_account_jwt_test.go
@@ -100,7 +100,7 @@ func TestAccDataSourceGoogleServiceAccountJwt(t *testing.T) {
 
 	resourceName := "data.google_service_account_jwt.default"
 	serviceAccount := envvar.GetTestServiceAccountFromEnv(t)
-	targetServiceAccountEmail := acctest.BootstrapServiceAccount(t, envvar.GetTestProjectFromEnv(), serviceAccount)
+	targetServiceAccountEmail := acctest.BootstrapServiceAccount(t, "jwt", serviceAccount)
 
 	staticTime := time.Now()