Remove use of google_kms_crypto_key_iam_binding resources in accept…
…ance tests to reduce test failures related to missing permissions (#9590) (#6737)

* Replace use of `google_kms_crypto_key_iam_binding` with `_member` equivalent

* Replace use of `google_kms_crypto_key_iam_binding` with `_member` equivalent in examples files

* Split `google_kms_crypto_key_iam_binding` with 2 members into two `_member` IAM resources in example file

* Replace `google_kms_crypto_key_iam_binding` with 5 members into `_member` IAM resources created via for_each loop

When this example is used to generate a test, the crypto key used is a bootstrapped resource. Using an authoritative `_binding` IAM resource allows conflicts between tests that use the same bootstrapped crypto key.

* Fix mistyped argument name

* Remove use of for_each in acceptance test, create separate example files for test vs docs

* Skip `TestAccCloudfunctions2function_cloudfunctions2CmekExample` in VCR

* Skip `TestAccDataprocMetastoreService_dataprocMetastoreServiceCmekTestExample` in VCR
[upstream:9e772a85d6c113ae38b6e5439d7ae72380481bec]

Signed-off-by: Modular Magician <[email protected]>
modular-magician authored Dec 11, 2023
1 parent 8d690f3 commit 6d65f34
Showing 19 changed files with 159 additions and 167 deletions.
3 changes: 3 additions & 0 deletions .changelog/9590.txt
@@ -0,0 +1,3 @@
```release-note:none

```
6 changes: 2 additions & 4 deletions google-beta/services/alloydb/resource_alloydb_backup_test.go
Expand Up @@ -232,12 +232,10 @@ resource "google_kms_crypto_key" "key" {
key_ring = google_kms_key_ring.keyring.id
}
resource "google_kms_crypto_key_iam_binding" "crypto_key" {
resource "google_kms_crypto_key_iam_member" "crypto_key" {
crypto_key_id = google_kms_crypto_key.key.id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
members = [
"serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com",
]
member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com"
}
`, context)
}
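Review bot: The new `google_kms_crypto_key_iam_member` block has no comment recording why the additive resource was chosen, so a later edit could switch it back to `_iam_binding` and reintroduce the conflict the commit message describes. A one-line HCL comment above the resource would record it, e.g. `# _iam_member only adds this principal; _iam_binding would replace every member of the role on the key`. The same comment fits the other test configs changed in this commit. The enclosing Go function starts outside the hunk.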
74 changes: 29 additions & 45 deletions google-beta/services/alloydb/resource_alloydb_cluster_test.go
Expand Up @@ -493,7 +493,7 @@ resource "google_alloydb_cluster" "default" {
encryption_config {
kms_key_name = google_kms_crypto_key.key.id
}
depends_on = [google_kms_crypto_key_iam_binding.crypto_key]
depends_on = [google_kms_crypto_key_iam_member.crypto_key]
}
resource "google_compute_network" "default" {
name = "tf-test-alloydb-cluster%{random_suffix}"
Expand All @@ -507,12 +507,10 @@ resource "google_kms_crypto_key" "key" {
name = "%{key_name}"
key_ring = google_kms_key_ring.keyring.id
}
resource "google_kms_crypto_key_iam_binding" "crypto_key" {
resource "google_kms_crypto_key_iam_member" "crypto_key" {
crypto_key_id = google_kms_crypto_key.key.id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
members = [
"serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com",
]
member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com"
}
`, context)
}
Expand Down Expand Up @@ -584,7 +582,7 @@ resource "google_alloydb_cluster" "default" {
lifecycle {
prevent_destroy = true
}
depends_on = [google_kms_crypto_key_iam_binding.crypto_key]
depends_on = [google_kms_crypto_key_iam_member.crypto_key]
}
resource "google_compute_network" "default" {
Expand All @@ -603,12 +601,10 @@ resource "google_kms_crypto_key" "key" {
key_ring = google_kms_key_ring.keyring.id
}
resource "google_kms_crypto_key_iam_binding" "crypto_key" {
resource "google_kms_crypto_key_iam_member" "crypto_key" {
crypto_key_id = google_kms_crypto_key.key.id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
members = [
"serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com",
]
member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com"
}
`, context)
}
Expand All @@ -634,9 +630,9 @@ resource "google_alloydb_cluster" "default" {
}
}
lifecycle {
prevent_destroy = true
prevent_destroy = true
}
depends_on = [google_kms_crypto_key_iam_binding.crypto_key]
depends_on = [google_kms_crypto_key_iam_member.crypto_key]
}
resource "google_compute_network" "default" {
Expand All @@ -656,24 +652,20 @@ resource "google_kms_crypto_key" "key" {
}
resource "google_kms_crypto_key" "key2" {
name = "%{key_name}-2"
key_ring = google_kms_key_ring.keyring.id
name = "%{key_name}-2"
key_ring = google_kms_key_ring.keyring.id
}
resource "google_kms_crypto_key_iam_binding" "crypto_key" {
resource "google_kms_crypto_key_iam_member" "crypto_key" {
crypto_key_id = google_kms_crypto_key.key.id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
members = [
"serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com",
]
member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com"
}
resource "google_kms_crypto_key_iam_binding" "crypto_key2" {
crypto_key_id = google_kms_crypto_key.key2.id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
members = [
"serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com",
]
resource "google_kms_crypto_key_iam_member" "crypto_key2" {
crypto_key_id = google_kms_crypto_key.key2.id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com"
}
`, context)
}
Expand All @@ -698,7 +690,7 @@ resource "google_alloydb_cluster" "default" {
retention_period = "510s"
}
}
depends_on = [google_kms_crypto_key_iam_binding.crypto_key]
depends_on = [google_kms_crypto_key_iam_member.crypto_key]
}
resource "google_compute_network" "default" {
Expand All @@ -722,20 +714,16 @@ resource "google_kms_crypto_key" "key2" {
key_ring = google_kms_key_ring.keyring.id
}
resource "google_kms_crypto_key_iam_binding" "crypto_key" {
resource "google_kms_crypto_key_iam_member" "crypto_key" {
crypto_key_id = google_kms_crypto_key.key.id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
members = [
"serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com",
]
member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com"
}
resource "google_kms_crypto_key_iam_binding" "crypto_key2" {
crypto_key_id = google_kms_crypto_key.key2.id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
members = [
"serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com",
]
resource "google_kms_crypto_key_iam_member" "crypto_key2" {
crypto_key_id = google_kms_crypto_key.key2.id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com"
}
`, context)
}
Expand Down Expand Up @@ -1044,7 +1032,7 @@ resource "google_alloydb_cluster" "default" {
lifecycle {
prevent_destroy = true
}
depends_on = [google_kms_crypto_key_iam_binding.crypto_key]
depends_on = [google_kms_crypto_key_iam_member.crypto_key]
}
resource "google_compute_network" "default" {
Expand All @@ -1053,12 +1041,10 @@ resource "google_compute_network" "default" {
data "google_project" "project" {}
resource "google_kms_crypto_key_iam_binding" "crypto_key" {
resource "google_kms_crypto_key_iam_member" "crypto_key" {
crypto_key_id = "%{key_name}"
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
members = [
"serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com",
]
member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com"
}
`, context)
}
Expand All @@ -1076,7 +1062,7 @@ resource "google_alloydb_cluster" "default" {
kms_key_name = "%{key_name}"
}
}
depends_on = [google_kms_crypto_key_iam_binding.crypto_key]
depends_on = [google_kms_crypto_key_iam_member.crypto_key]
}
resource "google_compute_network" "default" {
Expand All @@ -1085,12 +1071,10 @@ resource "google_compute_network" "default" {
data "google_project" "project" {}
resource "google_kms_crypto_key_iam_binding" "crypto_key" {
resource "google_kms_crypto_key_iam_member" "crypto_key" {
crypto_key_id = "%{key_name}"
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
members = [
"serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com",
]
member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com"
}
`, context)
}
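Review bot: The two configs that set `crypto_key_id = "%{key_name}"` grant the same role to the same AlloyDB service agent on a key that is passed in rather than created, so destroying either config makes its `_iam_member` resource remove a grant the other may still rely on. If those tests share one bootstrapped key and run concurrently (not visible in these hunks), a cluster create can still fail with a permission error, which is the failure this commit sets out to reduce. Granting the role once where the key is bootstrapped, and dropping the IAM resource from these configs, would avoid the revoke on teardown. Separately, the configs that define `crypto_key2` keep `depends_on = [google_kms_crypto_key_iam_member.crypto_key]` only; if the cluster references `key2` (its body is outside the hunks), `google_kms_crypto_key_iam_member.crypto_key2` belongs in that list as well.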
Expand Up @@ -521,7 +521,7 @@ resource "google_alloydb_cluster" "secondary" {
kms_key_name = google_kms_crypto_key.key.id
}
depends_on = [google_alloydb_instance.primary, google_kms_crypto_key_iam_binding.crypto_key]
depends_on = [google_alloydb_instance.primary, google_kms_crypto_key_iam_member.crypto_key]
}
data "google_project" "project" {}
Expand All @@ -540,12 +540,10 @@ resource "google_kms_crypto_key" "key" {
key_ring = google_kms_key_ring.keyring.id
}
resource "google_kms_crypto_key_iam_binding" "crypto_key" {
resource "google_kms_crypto_key_iam_member" "crypto_key" {
crypto_key_id = google_kms_crypto_key.key.id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
members = [
"serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com",
]
member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com"
}
`, context)
}
Expand Up @@ -341,15 +341,13 @@ resource "google_project_service_identity" "apigee_sa" {
service = google_project_service.apigee.service
}
resource "google_kms_crypto_key_iam_binding" "apigee_sa_keyuser" {
resource "google_kms_crypto_key_iam_member" "apigee_sa_keyuser" {
provider = google-beta
crypto_key_id = google_kms_crypto_key.apigee_key.id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
members = [
"serviceAccount:${google_project_service_identity.apigee_sa.email}",
]
member = "serviceAccount:${google_project_service_identity.apigee_sa.email}"
}
resource "google_apigee_organization" "apigee_org" {
Expand All @@ -364,7 +362,7 @@ resource "google_apigee_organization" "apigee_org" {
depends_on = [
google_service_networking_connection.apigee_vpc_connection,
google_project_service.apigee,
google_kms_crypto_key_iam_binding.apigee_sa_keyuser,
google_kms_crypto_key_iam_member.apigee_sa_keyuser,
]
}
Expand Up @@ -427,15 +427,13 @@ resource "google_project_service_identity" "apigee_sa" {
service = google_project_service.apigee.service
}
resource "google_kms_crypto_key_iam_binding" "apigee_sa_keyuser" {
resource "google_kms_crypto_key_iam_member" "apigee_sa_keyuser" {
provider = google-beta
crypto_key_id = google_kms_crypto_key.apigee_key.id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
members = [
"serviceAccount:${google_project_service_identity.apigee_sa.email}",
]
member = "serviceAccount:${google_project_service_identity.apigee_sa.email}"
}
resource "google_apigee_organization" "apigee_org" {
Expand All @@ -450,7 +448,7 @@ resource "google_apigee_organization" "apigee_org" {
depends_on = [
google_service_networking_connection.apigee_vpc_connection,
google_kms_crypto_key_iam_binding.apigee_sa_keyuser,
google_kms_crypto_key_iam_member.apigee_sa_keyuser,
]
}
Expand Up @@ -289,15 +289,13 @@ resource "google_project_service_identity" "apigee_sa" {
service = google_project_service.apigee.service
}
resource "google_kms_crypto_key_iam_binding" "apigee_sa_keyuser" {
resource "google_kms_crypto_key_iam_member" "apigee_sa_keyuser" {
provider = google-beta
crypto_key_id = google_kms_crypto_key.apigee_key.id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
members = [
"serviceAccount:${google_project_service_identity.apigee_sa.email}",
]
member = "serviceAccount:${google_project_service_identity.apigee_sa.email}"
}
resource "google_apigee_organization" "org" {
Expand All @@ -323,7 +321,7 @@ resource "google_apigee_organization" "org" {
depends_on = [
google_service_networking_connection.apigee_vpc_connection,
google_kms_crypto_key_iam_binding.apigee_sa_keyuser,
google_kms_crypto_key_iam_member.apigee_sa_keyuser,
]
}
`, context)
Expand Down Expand Up @@ -412,15 +410,13 @@ resource "google_project_service_identity" "apigee_sa" {
service = google_project_service.apigee.service
}
resource "google_kms_crypto_key_iam_binding" "apigee_sa_keyuser" {
resource "google_kms_crypto_key_iam_member" "apigee_sa_keyuser" {
provider = google-beta
crypto_key_id = google_kms_crypto_key.apigee_key.id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
members = [
"serviceAccount:${google_project_service_identity.apigee_sa.email}",
]
member = "serviceAccount:${google_project_service_identity.apigee_sa.email}"
}
resource "google_apigee_organization" "org" {
Expand All @@ -445,7 +441,7 @@ resource "google_apigee_organization" "org" {
}
depends_on = [
google_kms_crypto_key_iam_binding.apigee_sa_keyuser,
google_kms_crypto_key_iam_member.apigee_sa_keyuser,
]
}
`, context)
Expand Down Expand Up @@ -569,15 +565,13 @@ resource "google_project_service_identity" "apigee_sa" {
service = google_project_service.apigee.service
}
resource "google_kms_crypto_key_iam_binding" "apigee_sa_keyuser" {
resource "google_kms_crypto_key_iam_member" "apigee_sa_keyuser" {
provider = google-beta
crypto_key_id = google_kms_crypto_key.apigee_key.id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
members = [
"serviceAccount:${google_project_service_identity.apigee_sa.email}",
]
member = "serviceAccount:${google_project_service_identity.apigee_sa.email}"
}
resource "google_apigee_organization" "org" {
Expand All @@ -593,7 +587,7 @@ resource "google_apigee_organization" "org" {
depends_on = [
google_service_networking_connection.apigee_vpc_connection,
google_project_service.apigee,
google_kms_crypto_key_iam_binding.apigee_sa_keyuser,
google_kms_crypto_key_iam_member.apigee_sa_keyuser,
]
}
`, context)