From 6d65f344ece6070e28b6c89413183967b45ee4fd Mon Sep 17 00:00:00 2001 From: The Magician Date: Mon, 11 Dec 2023 02:52:30 -0800 Subject: [PATCH] Remove use of `google_kms_crypto_key_iam_binding` resources in acceptance tests to reduce test failures related to missing permissions (#9590) (#6737) * Replace use of `google_kms_crypto_key_iam_binding` with `_member` equivalent * Replace use of `google_kms_crypto_key_iam_binding` with `_member` equivalent in example files * Split `google_kms_crypto_key_iam_binding` with 2 members into two `_member` IAM resources in example file * Replace `google_kms_crypto_key_iam_binding` with 5 members into `_member` IAM resources created via for_each loop When this example is used to generate a test the crypto key used is a bootstrapped resource. By using an authoritative `_binding` IAM resource we allow conflict between tests using the same bootstrapped crypto key * Fix mistyped argument name * Remove use of for_each in acceptance test, create separate example files for test vs docs * Skip `TestAccCloudfunctions2function_cloudfunctions2CmekExample` in VCR * Skip `TestAccDataprocMetastoreService_dataprocMetastoreServiceCmekTestExample` in VCR [upstream:9e772a85d6c113ae38b6e5439d7ae72380481bec] 
Signed-off-by: Modular Magician --- .changelog/9590.txt | 3 + .../alloydb/resource_alloydb_backup_test.go | 6 +- .../alloydb/resource_alloydb_cluster_test.go | 74 ++++++++----------- ...resource_alloydb_secondary_cluster_test.go | 8 +- ...ource_apigee_environment_generated_test.go | 8 +- ...resource_apigee_instance_generated_test.go | 8 +- ...urce_apigee_organization_generated_test.go | 24 +++--- ...cloudfunctions2_function_generated_test.go | 69 ++++++++++++----- ...resource_compute_instance_template_test.go | 4 + ...rce_data_fusion_instance_generated_test.go | 8 +- ...taproc_metastore_service_generated_test.go | 20 +++-- .../resource_logging_bucket_config_test.go | 16 ++-- .../resource_sql_database_instance_test.go | 18 ++--- website/docs/r/apigee_instance.html.markdown | 8 +- .../docs/r/apigee_nat_address.html.markdown | 8 +- .../docs/r/apigee_organization.html.markdown | 16 ++-- .../r/cloudfunctions2_function.html.markdown | 4 +- .../docs/r/data_fusion_instance.html.markdown | 8 +- ...vateca_certificate_authority.html.markdown | 16 ++-- 19 files changed, 159 insertions(+), 167 deletions(-) create mode 100644 .changelog/9590.txt diff --git a/.changelog/9590.txt b/.changelog/9590.txt new file mode 100644 index 0000000000..8ec013c069 --- /dev/null +++ b/.changelog/9590.txt @@ -0,0 +1,3 @@ +```release-note:none + +``` diff --git a/google-beta/services/alloydb/resource_alloydb_backup_test.go b/google-beta/services/alloydb/resource_alloydb_backup_test.go index 923ff3dcc7..944366e48d 100644 --- a/google-beta/services/alloydb/resource_alloydb_backup_test.go +++ b/google-beta/services/alloydb/resource_alloydb_backup_test.go 
@@ -232,12 +232,10 @@ resource "google_kms_crypto_key" "key" { key_ring = google_kms_key_ring.keyring.id } -resource "google_kms_crypto_key_iam_binding" "crypto_key" { +resource "google_kms_crypto_key_iam_member" "crypto_key" { crypto_key_id = google_kms_crypto_key.key.id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com", - ] + member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com" } `, context) } diff --git a/google-beta/services/alloydb/resource_alloydb_cluster_test.go b/google-beta/services/alloydb/resource_alloydb_cluster_test.go index 7a354ddf04..c895de56e2 100644 --- a/google-beta/services/alloydb/resource_alloydb_cluster_test.go +++ b/google-beta/services/alloydb/resource_alloydb_cluster_test.go @@ -493,7 +493,7 @@ resource "google_alloydb_cluster" "default" { encryption_config { kms_key_name = google_kms_crypto_key.key.id } - depends_on = [google_kms_crypto_key_iam_binding.crypto_key] + depends_on = [google_kms_crypto_key_iam_member.crypto_key] } resource "google_compute_network" "default" { name = "tf-test-alloydb-cluster%{random_suffix}" @@ -507,12 +507,10 @@ resource "google_kms_crypto_key" "key" { name = "%{key_name}" key_ring = google_kms_key_ring.keyring.id } -resource "google_kms_crypto_key_iam_binding" "crypto_key" { +resource "google_kms_crypto_key_iam_member" "crypto_key" { crypto_key_id = google_kms_crypto_key.key.id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com", - ] + member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com" } `, context) } 
@@ -584,7 +582,7 @@ resource "google_alloydb_cluster" "default" { lifecycle { prevent_destroy = true } - depends_on = [google_kms_crypto_key_iam_binding.crypto_key] + depends_on = [google_kms_crypto_key_iam_member.crypto_key] } resource "google_compute_network" "default" { @@ -603,12 +601,10 @@ resource "google_kms_crypto_key" "key" { key_ring = google_kms_key_ring.keyring.id } -resource "google_kms_crypto_key_iam_binding" "crypto_key" { +resource "google_kms_crypto_key_iam_member" "crypto_key" { crypto_key_id = google_kms_crypto_key.key.id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com", - ] + member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com" } `, context) } @@ -634,9 +630,9 @@ resource "google_alloydb_cluster" "default" { } } lifecycle { - prevent_destroy = true + prevent_destroy = true } - depends_on = [google_kms_crypto_key_iam_binding.crypto_key] + depends_on = [google_kms_crypto_key_iam_member.crypto_key] } resource "google_compute_network" "default" { 
@@ -656,24 +652,20 @@ resource "google_kms_crypto_key" "key" { } resource "google_kms_crypto_key" "key2" { - name = "%{key_name}-2" - key_ring = google_kms_key_ring.keyring.id + name = "%{key_name}-2" + key_ring = google_kms_key_ring.keyring.id } -resource "google_kms_crypto_key_iam_binding" "crypto_key" { +resource "google_kms_crypto_key_iam_member" "crypto_key" { crypto_key_id = google_kms_crypto_key.key.id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com", - ] + member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com" } -resource "google_kms_crypto_key_iam_binding" "crypto_key2" { - crypto_key_id = google_kms_crypto_key.key2.id - role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com", - ] +resource "google_kms_crypto_key_iam_member" "crypto_key2" { + crypto_key_id = google_kms_crypto_key.key2.id + role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" + member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com" } `, context) } @@ -698,7 +690,7 @@ resource "google_alloydb_cluster" "default" { retention_period = "510s" } } - depends_on = [google_kms_crypto_key_iam_binding.crypto_key] + depends_on = [google_kms_crypto_key_iam_member.crypto_key] } resource "google_compute_network" "default" { 
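Review bot: `depends_on = [google_kms_crypto_key_iam_member.crypto_key]` in the -698 hunk of resource_alloydb_cluster_test.go (and in the -634 hunk) does not cover `google_kms_crypto_key_iam_member.crypto_key2`, although the surrounding configs appear to declare a grant on key2 as well. If the cluster in either config encrypts anything with key2 (the encryption_config lines are outside the hunks, so this is not confirmed), nothing orders the key2 grant before the cluster and the apply can fail with a KMS permission error. Listing both, `depends_on = [google_kms_crypto_key_iam_member.crypto_key, google_kms_crypto_key_iam_member.crypto_key2]`, would close that gap. The cluster resource block starts above the hunk.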
@@ -722,20 +714,16 @@ resource "google_kms_crypto_key" "key2" { key_ring = google_kms_key_ring.keyring.id } -resource "google_kms_crypto_key_iam_binding" "crypto_key" { +resource "google_kms_crypto_key_iam_member" "crypto_key" { crypto_key_id = google_kms_crypto_key.key.id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com", - ] + member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com" } -resource "google_kms_crypto_key_iam_binding" "crypto_key2" { - crypto_key_id = google_kms_crypto_key.key2.id - role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com", - ] +resource "google_kms_crypto_key_iam_member" "crypto_key2" { + crypto_key_id = google_kms_crypto_key.key2.id + role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" + member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com" } `, context) } @@ -1044,7 +1032,7 @@ resource "google_alloydb_cluster" "default" { lifecycle { prevent_destroy = true } - depends_on = [google_kms_crypto_key_iam_binding.crypto_key] + depends_on = [google_kms_crypto_key_iam_member.crypto_key] } resource "google_compute_network" "default" { @@ -1053,12 +1041,10 @@ resource "google_compute_network" "default" { data "google_project" "project" {} -resource "google_kms_crypto_key_iam_binding" "crypto_key" { +resource "google_kms_crypto_key_iam_member" "crypto_key" { crypto_key_id = "%{key_name}" role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com", - ] + member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com" } `, context) } 
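Review bot: Tests that add the same service agent to a shared key can still revoke each other's access, because the `_iam_member` in the -1053 hunk of resource_alloydb_cluster_test.go targets `crypto_key_id = "%{key_name}"`, a key this config does not create, and is deleted again on destroy; the -1085 hunk and the `gcf_cmek_keyuser_*` resources in resource_cloudfunctions2_function_generated_test.go follow the same pattern. The additive resource also means Terraform no longer removes unexpected principals holding `roles/cloudkms.cryptoKeyEncrypterDecrypter` on that key, so stale grants can accumulate unnoticed. If the key is shared as the commit message describes, consider granting the service agent once where the key is bootstrapped, or at least add a comment such as `# shared bootstrapped key: grant is additive, but destroy removes it for every test using the same member`.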
@@ -1076,7 +1062,7 @@ resource "google_alloydb_cluster" "default" { kms_key_name = "%{key_name}" } } - depends_on = [google_kms_crypto_key_iam_binding.crypto_key] + depends_on = [google_kms_crypto_key_iam_member.crypto_key] } resource "google_compute_network" "default" { @@ -1085,12 +1071,10 @@ resource "google_compute_network" "default" { data "google_project" "project" {} -resource "google_kms_crypto_key_iam_binding" "crypto_key" { +resource "google_kms_crypto_key_iam_member" "crypto_key" { crypto_key_id = "%{key_name}" role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com", - ] + member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com" } `, context) } diff --git a/google-beta/services/alloydb/resource_alloydb_secondary_cluster_test.go b/google-beta/services/alloydb/resource_alloydb_secondary_cluster_test.go index 12e3703215..ff66637dda 100644 --- a/google-beta/services/alloydb/resource_alloydb_secondary_cluster_test.go +++ b/google-beta/services/alloydb/resource_alloydb_secondary_cluster_test.go @@ -521,7 +521,7 @@ resource "google_alloydb_cluster" "secondary" { kms_key_name = google_kms_crypto_key.key.id } - depends_on = [google_alloydb_instance.primary, google_kms_crypto_key_iam_binding.crypto_key] + depends_on = [google_alloydb_instance.primary, google_kms_crypto_key_iam_member.crypto_key] } data "google_project" "project" {} 
@@ -540,12 +540,10 @@ resource "google_kms_crypto_key" "key" { key_ring = google_kms_key_ring.keyring.id } -resource "google_kms_crypto_key_iam_binding" "crypto_key" { +resource "google_kms_crypto_key_iam_member" "crypto_key" { crypto_key_id = google_kms_crypto_key.key.id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com", - ] + member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-alloydb.iam.gserviceaccount.com" } `, context) } diff --git a/google-beta/services/apigee/resource_apigee_environment_generated_test.go b/google-beta/services/apigee/resource_apigee_environment_generated_test.go index 6227104a9a..c4e858ec62 100644 --- a/google-beta/services/apigee/resource_apigee_environment_generated_test.go +++ b/google-beta/services/apigee/resource_apigee_environment_generated_test.go @@ -341,15 +341,13 @@ resource "google_project_service_identity" "apigee_sa" { service = google_project_service.apigee.service } -resource "google_kms_crypto_key_iam_binding" "apigee_sa_keyuser" { +resource "google_kms_crypto_key_iam_member" "apigee_sa_keyuser" { provider = google-beta crypto_key_id = google_kms_crypto_key.apigee_key.id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - "serviceAccount:${google_project_service_identity.apigee_sa.email}", - ] + member = "serviceAccount:${google_project_service_identity.apigee_sa.email}" } resource "google_apigee_organization" "apigee_org" { @@ -364,7 +362,7 @@ resource "google_apigee_organization" "apigee_org" { depends_on = [ google_service_networking_connection.apigee_vpc_connection, google_project_service.apigee, - google_kms_crypto_key_iam_binding.apigee_sa_keyuser, + google_kms_crypto_key_iam_member.apigee_sa_keyuser, ] } 
diff --git a/google-beta/services/apigee/resource_apigee_instance_generated_test.go b/google-beta/services/apigee/resource_apigee_instance_generated_test.go index 61bee5edc6..f539ce1376 100644 --- a/google-beta/services/apigee/resource_apigee_instance_generated_test.go +++ b/google-beta/services/apigee/resource_apigee_instance_generated_test.go @@ -427,15 +427,13 @@ resource "google_project_service_identity" "apigee_sa" { service = google_project_service.apigee.service } -resource "google_kms_crypto_key_iam_binding" "apigee_sa_keyuser" { +resource "google_kms_crypto_key_iam_member" "apigee_sa_keyuser" { provider = google-beta crypto_key_id = google_kms_crypto_key.apigee_key.id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - "serviceAccount:${google_project_service_identity.apigee_sa.email}", - ] + member = "serviceAccount:${google_project_service_identity.apigee_sa.email}" } resource "google_apigee_organization" "apigee_org" { @@ -450,7 +448,7 @@ resource "google_apigee_organization" "apigee_org" { depends_on = [ google_service_networking_connection.apigee_vpc_connection, - google_kms_crypto_key_iam_binding.apigee_sa_keyuser, + google_kms_crypto_key_iam_member.apigee_sa_keyuser, ] } diff --git a/google-beta/services/apigee/resource_apigee_organization_generated_test.go b/google-beta/services/apigee/resource_apigee_organization_generated_test.go index 05bb2be967..9809c37a30 100644 --- a/google-beta/services/apigee/resource_apigee_organization_generated_test.go +++ b/google-beta/services/apigee/resource_apigee_organization_generated_test.go 
@@ -289,15 +289,13 @@ resource "google_project_service_identity" "apigee_sa" { service = google_project_service.apigee.service } -resource "google_kms_crypto_key_iam_binding" "apigee_sa_keyuser" { +resource "google_kms_crypto_key_iam_member" "apigee_sa_keyuser" { provider = google-beta crypto_key_id = google_kms_crypto_key.apigee_key.id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - "serviceAccount:${google_project_service_identity.apigee_sa.email}", - ] + member = "serviceAccount:${google_project_service_identity.apigee_sa.email}" } resource "google_apigee_organization" "org" { @@ -323,7 +321,7 @@ resource "google_apigee_organization" "org" { depends_on = [ google_service_networking_connection.apigee_vpc_connection, - google_kms_crypto_key_iam_binding.apigee_sa_keyuser, + google_kms_crypto_key_iam_member.apigee_sa_keyuser, ] } `, context) @@ -412,15 +410,13 @@ resource "google_project_service_identity" "apigee_sa" { service = google_project_service.apigee.service } -resource "google_kms_crypto_key_iam_binding" "apigee_sa_keyuser" { +resource "google_kms_crypto_key_iam_member" "apigee_sa_keyuser" { provider = google-beta crypto_key_id = google_kms_crypto_key.apigee_key.id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - "serviceAccount:${google_project_service_identity.apigee_sa.email}", - ] + member = "serviceAccount:${google_project_service_identity.apigee_sa.email}" } resource "google_apigee_organization" "org" { @@ -445,7 +441,7 @@ resource "google_apigee_organization" "org" { } depends_on = [ - google_kms_crypto_key_iam_binding.apigee_sa_keyuser, + google_kms_crypto_key_iam_member.apigee_sa_keyuser, ] } `, context) 
@@ -569,15 +565,13 @@ resource "google_project_service_identity" "apigee_sa" { service = google_project_service.apigee.service } -resource "google_kms_crypto_key_iam_binding" "apigee_sa_keyuser" { +resource "google_kms_crypto_key_iam_member" "apigee_sa_keyuser" { provider = google-beta crypto_key_id = google_kms_crypto_key.apigee_key.id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - "serviceAccount:${google_project_service_identity.apigee_sa.email}", - ] + member = "serviceAccount:${google_project_service_identity.apigee_sa.email}" } resource "google_apigee_organization" "org" { @@ -593,7 +587,7 @@ resource "google_apigee_organization" "org" { depends_on = [ google_service_networking_connection.apigee_vpc_connection, google_project_service.apigee, - google_kms_crypto_key_iam_binding.apigee_sa_keyuser, + google_kms_crypto_key_iam_member.apigee_sa_keyuser, ] } `, context) diff --git a/google-beta/services/cloudfunctions2/resource_cloudfunctions2_function_generated_test.go b/google-beta/services/cloudfunctions2/resource_cloudfunctions2_function_generated_test.go index 747c874fe0..fcb59f9182 100644 --- a/google-beta/services/cloudfunctions2/resource_cloudfunctions2_function_generated_test.go +++ b/google-beta/services/cloudfunctions2/resource_cloudfunctions2_function_generated_test.go @@ -765,6 +765,7 @@ resource "google_cloudfunctions2_function" "function" { } func TestAccCloudfunctions2function_cloudfunctions2CmekExample(t *testing.T) { + acctest.SkipIfVcr(t) t.Parallel() context := map[string]interface{}{ 
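Review bot: `acctest.SkipIfVcr(t)` in TestAccCloudfunctions2function_cloudfunctions2CmekExample carries no comment saying why the test cannot run under VCR, and the same bare call is added to TestAccDataprocMetastoreService_dataprocMetastoreServiceCmekTestExample. Both are CMEK tests, so an unexplained skip quietly narrows where the key-permission path is exercised and is easy to leave in place forever. A one-line reason above the call would help, e.g. `// Skipped in VCR: <reason>; see <issue link>`. The function body continues outside the hunk.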
@@ -834,34 +835,58 @@ resource "google_artifact_registry_repository" "unencoded-ar-repo" { format = "DOCKER" } -resource "google_artifact_registry_repository_iam_binding" "binding" { +resource "google_artifact_registry_repository_iam_member" "member" { provider = google-beta location = google_artifact_registry_repository.encoded-ar-repo.location repository = google_artifact_registry_repository.encoded-ar-repo.name role = "roles/artifactregistry.admin" - members = [ - "serviceAccount:service-${data.google_project.project.number}@gcf-admin-robot.iam.gserviceaccount.com", - ] + member = "serviceAccount:service-${data.google_project.project.number}@gcf-admin-robot.iam.gserviceaccount.com" } -resource "google_kms_crypto_key_iam_binding" "gcf_cmek_keyuser" { +resource "google_kms_crypto_key_iam_member" "gcf_cmek_keyuser_1" { provider = google-beta crypto_key_id = "%{kms_key_name}" role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - "serviceAccount:service-${data.google_project.project.number}@gcf-admin-robot.iam.gserviceaccount.com", - "serviceAccount:service-${data.google_project.project.number}@gcp-sa-artifactregistry.iam.gserviceaccount.com", - "serviceAccount:service-${data.google_project.project.number}@gs-project-accounts.iam.gserviceaccount.com", - "serviceAccount:service-${data.google_project.project.number}@serverless-robot-prod.iam.gserviceaccount.com", - "serviceAccount:${google_project_service_identity.ea_sa.email}", - ] + member = "serviceAccount:service-${data.google_project.project.number}@gcf-admin-robot.iam.gserviceaccount.com" +} - depends_on = [ - google_project_service_identity.ea_sa - ] +resource "google_kms_crypto_key_iam_member" "gcf_cmek_keyuser_2" { + provider = google-beta + + crypto_key_id = "%{kms_key_name}" + role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" + + member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-artifactregistry.iam.gserviceaccount.com" +} + +resource 
"google_kms_crypto_key_iam_member" "gcf_cmek_keyuser_3" { + provider = google-beta + + crypto_key_id = "%{kms_key_name}" + role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" + + member = "serviceAccount:service-${data.google_project.project.number}@gs-project-accounts.iam.gserviceaccount.com" +} + +resource "google_kms_crypto_key_iam_member" "gcf_cmek_keyuser_4" { + provider = google-beta + + crypto_key_id = "%{kms_key_name}" + role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" + + member = "serviceAccount:service-${data.google_project.project.number}@serverless-robot-prod.iam.gserviceaccount.com" +} + +resource "google_kms_crypto_key_iam_member" "gcf_cmek_keyuser_5" { + provider = google-beta + + crypto_key_id = "%{kms_key_name}" + role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" + + member = "serviceAccount:${google_project_service_identity.ea_sa.email}" } resource "google_artifact_registry_repository" "encoded-ar-repo" { @@ -871,8 +896,13 @@ resource "google_artifact_registry_repository" "encoded-ar-repo" { repository_id = "tf-test-cmek-repo%{random_suffix}" format = "DOCKER" kms_key_name = "%{kms_key_name}" + depends_on = [ - google_kms_crypto_key_iam_binding.gcf_cmek_keyuser + google_kms_crypto_key_iam_member.gcf_cmek_keyuser_1, + google_kms_crypto_key_iam_member.gcf_cmek_keyuser_2, + google_kms_crypto_key_iam_member.gcf_cmek_keyuser_3, + google_kms_crypto_key_iam_member.gcf_cmek_keyuser_4, + google_kms_crypto_key_iam_member.gcf_cmek_keyuser_5, ] } @@ -904,9 +934,12 @@ resource "google_cloudfunctions2_function" "function" { } depends_on = [ - google_kms_crypto_key_iam_binding.gcf_cmek_keyuser + google_kms_crypto_key_iam_member.gcf_cmek_keyuser_1, + google_kms_crypto_key_iam_member.gcf_cmek_keyuser_2, + google_kms_crypto_key_iam_member.gcf_cmek_keyuser_3, + google_kms_crypto_key_iam_member.gcf_cmek_keyuser_4, + google_kms_crypto_key_iam_member.gcf_cmek_keyuser_5, ] - } `, context) } 
diff --git a/google-beta/services/compute/resource_compute_instance_template_test.go b/google-beta/services/compute/resource_compute_instance_template_test.go index cb15bacfe7..33e40d85c3 100644 --- a/google-beta/services/compute/resource_compute_instance_template_test.go +++ b/google-beta/services/compute/resource_compute_instance_template_test.go @@ -3623,6 +3623,10 @@ resource "google_compute_image" "image" { kms_key_self_link = data.google_kms_crypto_key.key.id kms_key_service_account = google_service_account.test.email } + + depends_on = [ + google_kms_crypto_key_iam_member.crypto_key + ] } diff --git a/google-beta/services/datafusion/resource_data_fusion_instance_generated_test.go b/google-beta/services/datafusion/resource_data_fusion_instance_generated_test.go index ff66a767d2..5ca50a7c7a 100644 --- a/google-beta/services/datafusion/resource_data_fusion_instance_generated_test.go +++ b/google-beta/services/datafusion/resource_data_fusion_instance_generated_test.go @@ -175,7 +175,7 @@ resource "google_data_fusion_instance" "cmek" { key_reference = google_kms_crypto_key.crypto_key.id } - depends_on = [google_kms_crypto_key_iam_binding.crypto_key_binding] + depends_on = [google_kms_crypto_key_iam_member.crypto_key_member] } resource "google_kms_crypto_key" "crypto_key" { @@ -188,13 +188,11 @@ resource "google_kms_key_ring" "key_ring" { location = "us-central1" } -resource "google_kms_crypto_key_iam_binding" "crypto_key_binding" { +resource "google_kms_crypto_key_iam_member" "crypto_key_member" { crypto_key_id = google_kms_crypto_key.crypto_key.id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - "serviceAccount:service-${data.google_project.project.number}@gcp-sa-datafusion.iam.gserviceaccount.com" - ] + member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-datafusion.iam.gserviceaccount.com" } data "google_project" "project" {} 
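Review bot: The new `depends_on` on `google_compute_image.image` in resource_compute_instance_template_test.go names `google_kms_crypto_key_iam_member.crypto_key`, which is not defined in the visible lines; confirm that this config declares it and that its member is the account set in `kms_key_service_account` (`google_service_account.test`), otherwise the ordering does not protect the image creation. A short comment would record the intent, e.g. `# image creation uses the key as google_service_account.test; wait for that grant first`. `depends_on` only orders the API calls, and IAM changes can take a moment to propagate, so an occasional permission failure here would not by itself mean the dependency is wrong. The resource block starts above the hunk.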
diff --git a/google-beta/services/dataprocmetastore/resource_dataproc_metastore_service_generated_test.go b/google-beta/services/dataprocmetastore/resource_dataproc_metastore_service_generated_test.go index 8c11a6e6a4..666d0af135 100644 --- a/google-beta/services/dataprocmetastore/resource_dataproc_metastore_service_generated_test.go +++ b/google-beta/services/dataprocmetastore/resource_dataproc_metastore_service_generated_test.go @@ -80,6 +80,7 @@ resource "google_dataproc_metastore_service" "default" { } func TestAccDataprocMetastoreService_dataprocMetastoreServiceCmekTestExample(t *testing.T) { + acctest.SkipIfVcr(t) t.Parallel() context := map[string]interface{}{ @@ -123,7 +124,10 @@ resource "google_dataproc_metastore_service" "default" { version = "3.1.2" } - depends_on = [google_kms_crypto_key_iam_binding.crypto_key_binding] + depends_on = [ + google_kms_crypto_key_iam_member.crypto_key_member_1, + google_kms_crypto_key_iam_member.crypto_key_member_2, + ] } resource "google_kms_crypto_key" "crypto_key" { @@ -138,14 +142,18 @@ resource "google_kms_key_ring" "key_ring" { location = "us-central1" } -resource "google_kms_crypto_key_iam_binding" "crypto_key_binding" { +resource "google_kms_crypto_key_iam_member" "crypto_key_member_1" { crypto_key_id = google_kms_crypto_key.crypto_key.id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - "serviceAccount:service-${data.google_project.project.number}@gcp-sa-metastore.iam.gserviceaccount.com", - "serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}" - ] + member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-metastore.iam.gserviceaccount.com" +} + +resource "google_kms_crypto_key_iam_member" "crypto_key_member_2" { + crypto_key_id = google_kms_crypto_key.crypto_key.id + role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" + + member = "serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}" } `, context) } 
diff --git a/google-beta/services/logging/resource_logging_bucket_config_test.go b/google-beta/services/logging/resource_logging_bucket_config_test.go index 1ba86c23f9..b11b633aae 100644 --- a/google-beta/services/logging/resource_logging_bucket_config_test.go +++ b/google-beta/services/logging/resource_logging_bucket_config_test.go @@ -345,22 +345,18 @@ resource "google_kms_crypto_key" "key2" { key_ring = google_kms_key_ring.keyring.id } -resource "google_kms_crypto_key_iam_binding" "crypto_key_binding1" { +resource "google_kms_crypto_key_iam_member" "crypto_key_member1" { crypto_key_id = google_kms_crypto_key.key1.id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - "serviceAccount:${data.google_logging_project_cmek_settings.cmek_settings.service_account_id}", - ] + member = "serviceAccount:${data.google_logging_project_cmek_settings.cmek_settings.service_account_id}" } -resource "google_kms_crypto_key_iam_binding" "crypto_key_binding2" { +resource "google_kms_crypto_key_iam_member" "crypto_key_member2" { crypto_key_id = google_kms_crypto_key.key2.id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - "serviceAccount:${data.google_logging_project_cmek_settings.cmek_settings.service_account_id}", - ] + member = "serviceAccount:${data.google_logging_project_cmek_settings.cmek_settings.service_account_id}" } `, context), keyRingName, cryptoKeyName, cryptoKeyNameUpdate) } @@ -380,7 +376,7 @@ resource "google_logging_project_bucket_config" "basic" { kms_key_name = google_kms_crypto_key.key1.id } - depends_on = [google_kms_crypto_key_iam_binding.crypto_key_binding1] + depends_on = [google_kms_crypto_key_iam_member.crypto_key_member1] } `, testAccLoggingBucketConfigProject_preCmekSettings(context, keyRingName, cryptoKeyName, cryptoKeyNameUpdate), bucketId) } 
@@ -400,7 +396,7 @@ resource "google_logging_project_bucket_config" "basic" { kms_key_name = google_kms_crypto_key.key2.id } - depends_on = [google_kms_crypto_key_iam_binding.crypto_key_binding2] + depends_on = [google_kms_crypto_key_iam_member.crypto_key_member2] } `, testAccLoggingBucketConfigProject_preCmekSettings(context, keyRingName, cryptoKeyName, cryptoKeyNameUpdate), bucketId) } diff --git a/google-beta/services/sql/resource_sql_database_instance_test.go b/google-beta/services/sql/resource_sql_database_instance_test.go index bb41c3c436..68fa400bca 100644 --- a/google-beta/services/sql/resource_sql_database_instance_test.go +++ b/google-beta/services/sql/resource_sql_database_instance_test.go @@ -3716,13 +3716,11 @@ resource "google_kms_crypto_key" "key" { key_ring = google_kms_key_ring.keyring.id } -resource "google_kms_crypto_key_iam_binding" "crypto_key" { +resource "google_kms_crypto_key_iam_member" "crypto_key" { crypto_key_id = google_kms_crypto_key.key.id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - "serviceAccount:service-${data.google_project.project.number}@gcp-sa-cloud-sql.iam.gserviceaccount.com", - ] + member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-cloud-sql.iam.gserviceaccount.com" } resource "google_sql_database_instance" "master" { @@ -3775,13 +3773,11 @@ resource "google_kms_crypto_key" "key" { key_ring = google_kms_key_ring.keyring.id } -resource "google_kms_crypto_key_iam_binding" "crypto_key" { +resource "google_kms_crypto_key_iam_member" "crypto_key" { crypto_key_id = google_kms_crypto_key.key.id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - "serviceAccount:service-${data.google_project.project.number}@gcp-sa-cloud-sql.iam.gserviceaccount.com", - ] + member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-cloud-sql.iam.gserviceaccount.com" } resource "google_sql_database_instance" "master" { 
@@ -3814,13 +3810,11 @@ resource "google_kms_crypto_key" "key-rep" { key_ring = google_kms_key_ring.keyring-rep.id } -resource "google_kms_crypto_key_iam_binding" "crypto_key_rep" { +resource "google_kms_crypto_key_iam_member" "crypto_key_rep" { crypto_key_id = google_kms_crypto_key.key-rep.id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - "serviceAccount:service-${data.google_project.project.number}@gcp-sa-cloud-sql.iam.gserviceaccount.com", - ] + member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-cloud-sql.iam.gserviceaccount.com" } resource "google_sql_database_instance" "replica" { diff --git a/website/docs/r/apigee_instance.html.markdown b/website/docs/r/apigee_instance.html.markdown index 7f4761559d..2455fcf2a7 100644 --- a/website/docs/r/apigee_instance.html.markdown +++ b/website/docs/r/apigee_instance.html.markdown @@ -185,13 +185,11 @@ resource "google_project_service_identity" "apigee_sa" { service = google_project_service.apigee.service } -resource "google_kms_crypto_key_iam_binding" "apigee_sa_keyuser" { +resource "google_kms_crypto_key_iam_member" "apigee_sa_keyuser" { crypto_key_id = google_kms_crypto_key.apigee_key.id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - "serviceAccount:${google_project_service_identity.apigee_sa.email}", - ] + member = "serviceAccount:${google_project_service_identity.apigee_sa.email}" } resource "google_apigee_organization" "apigee_org" { @@ -204,7 +202,7 @@ resource "google_apigee_organization" "apigee_org" { depends_on = [ google_service_networking_connection.apigee_vpc_connection, - google_kms_crypto_key_iam_binding.apigee_sa_keyuser, + google_kms_crypto_key_iam_member.apigee_sa_keyuser, ] } diff --git a/website/docs/r/apigee_nat_address.html.markdown b/website/docs/r/apigee_nat_address.html.markdown index 7e599126cc..f1e9f4d766 100644 --- a/website/docs/r/apigee_nat_address.html.markdown +++ b/website/docs/r/apigee_nat_address.html.markdown 
@@ -73,13 +73,11 @@ resource "google_project_service_identity" "apigee_sa" { service = google_project_service.apigee.service } -resource "google_kms_crypto_key_iam_binding" "apigee_sa_keyuser" { +resource "google_kms_crypto_key_iam_member" "apigee_sa_keyuser" { crypto_key_id = google_kms_crypto_key.apigee_key.id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - "serviceAccount:${google_project_service_identity.apigee_sa.email}", - ] + member = "serviceAccount:${google_project_service_identity.apigee_sa.email}" } resource "google_apigee_organization" "apigee_org" { @@ -92,7 +90,7 @@ resource "google_apigee_organization" "apigee_org" { depends_on = [ google_service_networking_connection.apigee_vpc_connection, - google_kms_crypto_key_iam_binding.apigee_sa_keyuser, + google_kms_crypto_key_iam_member.apigee_sa_keyuser, ] } diff --git a/website/docs/r/apigee_organization.html.markdown b/website/docs/r/apigee_organization.html.markdown index 34c818adb6..1bc68938b6 100644 --- a/website/docs/r/apigee_organization.html.markdown +++ b/website/docs/r/apigee_organization.html.markdown @@ -116,13 +116,11 @@ resource "google_project_service_identity" "apigee_sa" { service = google_project_service.apigee.service } -resource "google_kms_crypto_key_iam_binding" "apigee_sa_keyuser" { +resource "google_kms_crypto_key_iam_member" "apigee_sa_keyuser" { crypto_key_id = google_kms_crypto_key.apigee_key.id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - "serviceAccount:${google_project_service_identity.apigee_sa.email}", - ] + member = "serviceAccount:${google_project_service_identity.apigee_sa.email}" } resource "google_apigee_organization" "org" { @@ -135,7 +133,7 @@ resource "google_apigee_organization" "org" { depends_on = [ google_service_networking_connection.apigee_vpc_connection, - google_kms_crypto_key_iam_binding.apigee_sa_keyuser, + google_kms_crypto_key_iam_member.apigee_sa_keyuser, ] } ``` 
@@ -165,13 +163,11 @@ resource "google_project_service_identity" "apigee_sa" { service = google_project_service.apigee.service } -resource "google_kms_crypto_key_iam_binding" "apigee_sa_keyuser" { +resource "google_kms_crypto_key_iam_member" "apigee_sa_keyuser" { crypto_key_id = google_kms_crypto_key.apigee_key.id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - "serviceAccount:${google_project_service_identity.apigee_sa.email}", - ] + member = "serviceAccount:${google_project_service_identity.apigee_sa.email}" } resource "google_apigee_organization" "org" { @@ -183,7 +179,7 @@ resource "google_apigee_organization" "org" { runtime_database_encryption_key_name = google_kms_crypto_key.apigee_key.id depends_on = [ - google_kms_crypto_key_iam_binding.apigee_sa_keyuser, + google_kms_crypto_key_iam_member.apigee_sa_keyuser, ] } ``` diff --git a/website/docs/r/cloudfunctions2_function.html.markdown b/website/docs/r/cloudfunctions2_function.html.markdown index b8a67fef79..77d139e1a8 100644 --- a/website/docs/r/cloudfunctions2_function.html.markdown +++ b/website/docs/r/cloudfunctions2_function.html.markdown @@ -640,7 +640,7 @@ resource "google_cloudfunctions2_function" "function" { } } ``` -## Example Usage - Cloudfunctions2 Cmek +## Example Usage - Cloudfunctions2 Cmek Docs ```hcl @@ -659,7 +659,7 @@ resource "google_storage_bucket" "bucket" { location = "US" uniform_bucket_level_access = true } - + resource "google_storage_bucket_object" "object" { provider = google-beta diff --git a/website/docs/r/data_fusion_instance.html.markdown b/website/docs/r/data_fusion_instance.html.markdown index d16fc489e5..3f4f59ace7 100644 --- a/website/docs/r/data_fusion_instance.html.markdown +++ b/website/docs/r/data_fusion_instance.html.markdown 
@@ -113,7 +113,7 @@ resource "google_data_fusion_instance" "cmek" { key_reference = google_kms_crypto_key.crypto_key.id } - depends_on = [google_kms_crypto_key_iam_binding.crypto_key_binding] + depends_on = [google_kms_crypto_key_iam_member.crypto_key_member] } resource "google_kms_crypto_key" "crypto_key" { @@ -126,13 +126,11 @@ resource "google_kms_key_ring" "key_ring" { location = "us-central1" } -resource "google_kms_crypto_key_iam_binding" "crypto_key_binding" { +resource "google_kms_crypto_key_iam_member" "crypto_key_member" { crypto_key_id = google_kms_crypto_key.crypto_key.id role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = [ - "serviceAccount:service-${data.google_project.project.number}@gcp-sa-datafusion.iam.gserviceaccount.com" - ] + member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-datafusion.iam.gserviceaccount.com" } data "google_project" "project" {} diff --git a/website/docs/r/privateca_certificate_authority.html.markdown b/website/docs/r/privateca_certificate_authority.html.markdown index de252c759f..b680cdbdfc 100644 --- a/website/docs/r/privateca_certificate_authority.html.markdown +++ b/website/docs/r/privateca_certificate_authority.html.markdown 
@@ -203,21 +203,17 @@ resource "google_project_service_identity" "privateca_sa" { service = "privateca.googleapis.com" } -resource "google_kms_crypto_key_iam_binding" "privateca_sa_keyuser_signerverifier" { +resource "google_kms_crypto_key_iam_member" "privateca_sa_keyuser_signerverifier" { crypto_key_id = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key" role = "roles/cloudkms.signerVerifier" - members = [ - "serviceAccount:${google_project_service_identity.privateca_sa.email}", - ] + member = "serviceAccount:${google_project_service_identity.privateca_sa.email}" } -resource "google_kms_crypto_key_iam_binding" "privateca_sa_keyuser_viewer" { +resource "google_kms_crypto_key_iam_member" "privateca_sa_keyuser_viewer" { crypto_key_id = "projects/keys-project/locations/us-central1/keyRings/key-ring/cryptoKeys/crypto-key" role = "roles/viewer" - members = [ - "serviceAccount:${google_project_service_identity.privateca_sa.email}", - ] + member = "serviceAccount:${google_project_service_identity.privateca_sa.email}" } resource "google_privateca_certificate_authority" "default" { @@ -269,8 +265,8 @@ resource "google_privateca_certificate_authority" "default" { } depends_on = [ - google_kms_crypto_key_iam_binding.privateca_sa_keyuser_signerverifier, - google_kms_crypto_key_iam_binding.privateca_sa_keyuser_viewer, + google_kms_crypto_key_iam_member.privateca_sa_keyuser_signerverifier, + google_kms_crypto_key_iam_member.privateca_sa_keyuser_viewer, ] } ```