diff --git a/mmv1/third_party/terraform/acctest/bootstrap_test_utils.go b/mmv1/third_party/terraform/acctest/bootstrap_test_utils.go
index 911e0888633c..330f4bf2b5eb 100644
--- a/mmv1/third_party/terraform/acctest/bootstrap_test_utils.go
+++ b/mmv1/third_party/terraform/acctest/bootstrap_test_utils.go
@@ -143,13 +143,13 @@ func BootstrapKMSKeyWithPurposeInLocationAndName(t *testing.T, purpose, location
 }
 }
-var serviceAccountEmail = "tf-bootstrap-service-account"
+var serviceAccountPrefix = "tf-bootstrap-sa-"
 var serviceAccountDisplay = "Bootstrapped Service Account for Terraform tests"
 // Some tests need a second service account, other than the test runner, to assert functionality on.
 // This provides a well-known service account that can be used when dynamically creating a service
 // account isn't an option.
-func getOrCreateServiceAccount(config *transport_tpg.Config, project string) (*iam.ServiceAccount, error) {
+func getOrCreateServiceAccount(config *transport_tpg.Config, project, serviceAccountEmail string) (*iam.ServiceAccount, error) {
 name := fmt.Sprintf("projects/%s/serviceAccounts/%s@%s.iam.gserviceaccount.com", project, serviceAccountEmail, project)
 log.Printf("[DEBUG] Verifying %s as bootstrapped service account.\n", name)
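Review bot: The new `serviceAccountEmail` parameter of `getOrCreateServiceAccount` is not an email address: the `fmt.Sprintf` on the following line appends `@<project>.iam.gserviceaccount.com` to it, so a caller that passes a full address would build a malformed resource name. Rename it to `accountID`, or state the contract above the function with `// serviceAccountEmail is the account ID only (the part before "@"); the domain is appended here.` The retained comment still describes a single "well-known service account", which no longer matches a helper that looks up one account per ID. The function body continues past the end of this hunk.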
@@ -206,13 +206,19 @@ func impersonationServiceAccountPermissions(config *transport_tpg.Config, sa *ia
 return nil
 }
-func BootstrapServiceAccount(t *testing.T, project, testRunner string) string {
+// A separate testId should be used for each test, to create separate service accounts for each,
+// and avoid race conditions where the policy of the same service account is being modified by 2
+// tests at once. This is needed as long as the function overwrites the policy on every run.
+func BootstrapServiceAccount(t *testing.T, testId, testRunner string) string {
+ project := envvar.GetTestProjectFromEnv()
+ serviceAccountEmail := serviceAccountPrefix + testId
+
 config := BootstrapConfig(t)
 if config == nil {
 return ""
 }
- sa, err := getOrCreateServiceAccount(config, project)
+ sa, err := getOrCreateServiceAccount(config, project, serviceAccountEmail)
 if err != nil {
 t.Fatalf("Bootstrapping failed. Cannot retrieve service account, %s", err)
 }
@@ -1228,7 +1234,8 @@ func SetupProjectsAndGetAccessToken(org, billing, pid, service string, config *t
 }
 }
 // Create a service account for project-1
- sa1, err := getOrCreateServiceAccount(config, pid)
+ serviceAccountEmail := serviceAccountPrefix + service
+ sa1, err := getOrCreateServiceAccount(config, pid, serviceAccountEmail)
 if err != nil {
 return "", err
 }
diff --git a/mmv1/third_party/terraform/services/resourcemanager/data_source_google_service_account_access_token_test.go b/mmv1/third_party/terraform/services/resourcemanager/data_source_google_service_account_access_token_test.go
index 79f0d10fd26a..5dedc15acd90 100644
--- a/mmv1/third_party/terraform/services/resourcemanager/data_source_google_service_account_access_token_test.go
+++ b/mmv1/third_party/terraform/services/resourcemanager/data_source_google_service_account_access_token_test.go
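Review bot: `testId` goes into the account ID unchecked in `serviceAccountEmail := serviceAccountPrefix + testId`, and because it takes the place of a `project` argument of the same type, a call site that was not updated still compiles and passes a project ID instead. IAM account IDs are limited to 30 characters and `serviceAccountPrefix` already uses 16 of them, so an over-long or oddly formed value would only surface later as an API error from `getOrCreateServiceAccount`. A guard before the lookup fails fast with a clear message: `if len(serviceAccountEmail) > 30 { t.Fatalf("service account ID %q is longer than 30 characters", serviceAccountEmail) }`. The concatenation with `service` in `SetupProjectsAndGetAccessToken` has the same exposure, though that function returns an error instead of calling `t.Fatalf`. Both function bodies extend beyond their hunks.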
@@ -34,7 +34,7 @@ func TestAccDataSourceGoogleServiceAccountAccessToken_basic(t *testing.T) {
 resourceName := "data.google_service_account_access_token.default"
 serviceAccount := envvar.GetTestServiceAccountFromEnv(t)
- targetServiceAccountEmail := acctest.BootstrapServiceAccount(t, envvar.GetTestProjectFromEnv(), serviceAccount)
+ targetServiceAccountEmail := acctest.BootstrapServiceAccount(t, "acctoken", serviceAccount)
 acctest.VcrTest(t, resource.TestCase{
 PreCheck: func() { acctest.AccTestPreCheck(t) },
diff --git a/mmv1/third_party/terraform/services/resourcemanager/data_source_google_service_account_id_token_test.go b/mmv1/third_party/terraform/services/resourcemanager/data_source_google_service_account_id_token_test.go
index 674e6d47fac1..6777cf3e66f4 100644
--- a/mmv1/third_party/terraform/services/resourcemanager/data_source_google_service_account_id_token_test.go
+++ b/mmv1/third_party/terraform/services/resourcemanager/data_source_google_service_account_id_token_test.go
@@ -73,7 +73,7 @@ func TestAccDataSourceGoogleServiceAccountIdToken_impersonation(t *testing.T) {
 resourceName := "data.google_service_account_id_token.default"
 serviceAccount := envvar.GetTestServiceAccountFromEnv(t)
- targetServiceAccountEmail := acctest.BootstrapServiceAccount(t, envvar.GetTestProjectFromEnv(), serviceAccount)
+ targetServiceAccountEmail := acctest.BootstrapServiceAccount(t, "idtoken-imp", serviceAccount)
 resource.Test(t, resource.TestCase{
 PreCheck: func() { acctest.AccTestPreCheck(t) },
diff --git a/mmv1/third_party/terraform/services/resourcemanager/data_source_google_service_account_jwt_test.go b/mmv1/third_party/terraform/services/resourcemanager/data_source_google_service_account_jwt_test.go
index fff70ac5789b..c343f1c1532b 100644
--- a/mmv1/third_party/terraform/services/resourcemanager/data_source_google_service_account_jwt_test.go
+++ b/mmv1/third_party/terraform/services/resourcemanager/data_source_google_service_account_jwt_test.go
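Review bot: The IDs `"acctoken"`, `"idtoken-imp"` and `"jwt"` at the three updated call sites (this file, the id_token test and the jwt test) are unique only by convention, so a later test that reuses one of them brings back the shared-policy race this change is meant to remove. Each ID also leaves its own service account in the test project, presumably with the bindings applied by `impersonationServiceAccountPermissions`, so the set of IDs is worth keeping small and easy to audit. Consider declaring them as named constants next to `serviceAccountPrefix` in `acctest`, or at least adding `// testId must be unique across all tests; see BootstrapServiceAccount` at each call.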
@@ -100,7 +100,7 @@ func TestAccDataSourceGoogleServiceAccountJwt(t *testing.T) {
 resourceName := "data.google_service_account_jwt.default"
 serviceAccount := envvar.GetTestServiceAccountFromEnv(t)
- targetServiceAccountEmail := acctest.BootstrapServiceAccount(t, envvar.GetTestProjectFromEnv(), serviceAccount)
+ targetServiceAccountEmail := acctest.BootstrapServiceAccount(t, "jwt", serviceAccount)
 staticTime := time.Now()