diff --git a/.changelog/7617.txt b/.changelog/7617.txt
new file mode 100644
index 00000000000..8ec013c0699
--- /dev/null
+++ b/.changelog/7617.txt
@@ -0,0 +1,3 @@
+```release-note:none
+
+```
diff --git a/google/resource_compute_disk_test.go b/google/resource_compute_disk_test.go
index f41a50569d9..e691134e8c0 100644
--- a/google/resource_compute_disk_test.go
+++ b/google/resource_compute_disk_test.go
@@ -414,13 +414,17 @@ func TestAccComputeDisk_encryptionKMS(t *testing.T) {
 	importID := fmt.Sprintf("%s/%s/%s", pid, "us-central1-a", diskName)
 	var disk compute.Disk
 
+	if BootstrapPSARole(t, "service-", "compute-system", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
+		t.Fatal("Stopping the test because a role was added to the policy.")
+	}
+
 	VcrTest(t, resource.TestCase{
 		PreCheck:                 func() { testAccPreCheck(t) },
 		ProtoV5ProviderFactories: ProtoV5ProviderFactories(t),
 		CheckDestroy:             testAccCheckComputeDiskDestroyProducer(t),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccComputeDisk_encryptionKMS(pid, diskName, kms.CryptoKey.Name),
+				Config: testAccComputeDisk_encryptionKMS(diskName, kms.CryptoKey.Name),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckComputeDiskExists(
 						t, "google_compute_disk.foobar", pid, &disk),
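Review bot: The four-line bootstrap block and the literal `t.Fatal("Stopping the test because a role was added to the policy.")` are copy-pasted verbatim into six tests (this one, compute_instance @431, container_cluster @1231 and @2547, dataflow @292, dataproc @859); a single helper in the bootstrap utilities, e.g. `bootstrapComputeKMSRole(t)` wrapping the call and the Fatal, would keep the service-agent suffix and role string in one place. The behaviour change also deserves a comment at the call site: the old `google_project_iam_member` was created and destroyed with each test run, whereas this grant — assuming BootstrapPSARole, whose body is not in the diff, applies a project-level binding — persists on the test project, and a fresh grant makes the first run fail rather than skip so IAM can propagate. Something like `// Grants roles/cloudkms.cryptoKeyEncrypterDecrypter to the Compute Engine service agent once per test project (not revoked at teardown); a fresh grant aborts this run so the binding can propagate before the next one.` above the `if` would record that. TestAccComputeDisk_encryptionKMS continues past the end of the hunk.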
@@ -719,26 +723,14 @@ resource "google_compute_disk" "foobar" {
 `, diskName)
 }
 
-func testAccComputeDisk_encryptionKMS(pid, diskName, kmsKey string) string {
+func testAccComputeDisk_encryptionKMS(diskName, kmsKey string) string {
 	return fmt.Sprintf(`
-data "google_project" "project" {
-  project_id = "%s"
-}
-
 data "google_compute_image" "my_image" {
   family  = "debian-11"
   project = "debian-cloud"
 }
 
-resource "google_project_iam_member" "kms-project-binding" {
-  project = data.google_project.project.project_id
-  role    = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member  = "serviceAccount:service-${data.google_project.project.number}@compute-system.iam.gserviceaccount.com"
-}
-
 resource "google_compute_disk" "foobar" {
-  depends_on = [google_project_iam_member.kms-project-binding]
-
   name  = "%s"
   image = data.google_compute_image.my_image.self_link
   size  = 10
@@ -749,7 +741,7 @@ resource "google_compute_disk" "foobar" {
     kms_key_self_link = "%s"
   }
 }
-`, pid, diskName, kmsKey)
+`, diskName, kmsKey)
 }
 
 func testAccComputeDisk_deleteDetach(instanceName, diskName string) string {
diff --git a/google/resource_compute_instance_test.go b/google/resource_compute_instance_test.go
index 2b2e7aa3cdf..c85f4e76667 100644
--- a/google/resource_compute_instance_test.go
+++ b/google/resource_compute_instance_test.go
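Review bot: `testAccComputeDisk_encryptionKMS` now emits a config that only applies if the Compute Engine service agent already holds the KMS role, but nothing on the function says so; a reader who reuses this template in a new test will get a CMEK permission error with no hint where the grant comes from. Add a doc comment such as `// testAccComputeDisk_encryptionKMS returns a disk config that uses the given CMEK key; the caller must have run BootstrapPSARole for the compute-system service agent first.` The same applies to the other templates that lost their `google_project_iam_member` block in this commit: testAccComputeInstance_disks_kms (@3759), testAccContainerCluster_withBootDiskKmsKey (@4398), testAccContainerCluster_autoprovisioningDefaultsBootDiskKmsKey (@4928) and testAccDataprocCluster_KMS (@2043). The function body continues into the next hunk.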
@@ -431,13 +431,17 @@ func TestAccComputeInstance_kmsDiskEncryption(t *testing.T) {
 		},
 	}
 
+	if BootstrapPSARole(t, "service-", "compute-system", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
+		t.Fatal("Stopping the test because a role was added to the policy.")
+	}
+
 	VcrTest(t, resource.TestCase{
 		PreCheck:                 func() { testAccPreCheck(t) },
 		ProtoV5ProviderFactories: ProtoV5ProviderFactories(t),
 		CheckDestroy:             testAccCheckComputeInstanceDestroyProducer(t),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccComputeInstance_disks_kms(GetTestProjectFromEnv(), bootKmsKeyName, diskNameToEncryptionKey, instanceName, RandString(t, 10)),
+				Config: testAccComputeInstance_disks_kms(bootKmsKeyName, diskNameToEncryptionKey, instanceName, RandString(t, 10)),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckComputeInstanceExists(t, "google_compute_instance.foobar", &instance),
 					testAccCheckComputeInstanceDiskKmsEncryptionKey("google_compute_instance.foobar", &instance, bootKmsKeyName, diskNameToEncryptionKey),
@@ -3759,31 +3763,19 @@ resource "google_compute_instance" "foobar" {
 		diskNameToEncryptionKey[diskNames[0]].RawKey)
 }
 
-func testAccComputeInstance_disks_kms(pid string, bootEncryptionKey string, diskNameToEncryptionKey map[string]*compute.CustomerEncryptionKey, instance, suffix string) string {
+func testAccComputeInstance_disks_kms(bootEncryptionKey string, diskNameToEncryptionKey map[string]*compute.CustomerEncryptionKey, instance, suffix string) string {
 	diskNames := []string{}
 	for k := range diskNameToEncryptionKey {
 		diskNames = append(diskNames, k)
 	}
 	sort.Strings(diskNames)
 	return fmt.Sprintf(`
-data "google_project" "project" {
-  project_id = "%s"
-}
-
 data "google_compute_image" "my_image" {
   family  = "debian-11"
   project = "debian-cloud"
 }
 
-resource "google_project_iam_member" "kms-project-binding" {
-  project = data.google_project.project.project_id
-  role    = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member  = "serviceAccount:service-${data.google_project.project.number}@compute-system.iam.gserviceaccount.com"
-}
-
 resource "google_compute_disk" "foobar" {
-  depends_on = [google_project_iam_member.kms-project-binding]
-
   name = "%s"
   size = 10
   type = "pd-ssd"
@@ -3795,8 +3787,6 @@ resource "google_compute_disk" "foobar" {
 }
 
 resource "google_compute_disk" "foobar2" {
-  depends_on = [google_project_iam_member.kms-project-binding]
-
   name = "%s"
   size = 10
   type = "pd-ssd"
@@ -3808,8 +3798,6 @@ resource "google_compute_disk" "foobar2" {
 }
 
 resource "google_compute_disk" "foobar3" {
-  depends_on = [google_project_iam_member.kms-project-binding]
-
   name = "%s"
   size = 10
   type = "pd-ssd"
@@ -3828,8 +3816,6 @@ resource "google_compute_disk" "foobar4" {
 }
 
 resource "google_compute_instance" "foobar" {
-  depends_on = [google_project_iam_member.kms-project-binding]
-
   name         = "%s"
   machine_type = "e2-medium"
   zone         = "us-central1-a"
@@ -3867,7 +3853,7 @@ resource "google_compute_instance" "foobar" {
     foo = "bar"
   }
 }
-`, pid, diskNames[0], diskNameToEncryptionKey[diskNames[0]].KmsKeyName,
+`, diskNames[0], diskNameToEncryptionKey[diskNames[0]].KmsKeyName,
 		diskNames[1], diskNameToEncryptionKey[diskNames[1]].KmsKeyName,
 		diskNames[2], diskNameToEncryptionKey[diskNames[2]].KmsKeyName,
 		"tf-testd-"+suffix,
diff --git a/google/resource_container_cluster_test.go b/google/resource_container_cluster_test.go
index fc05e823010..4afea917c4e 100644
--- a/google/resource_container_cluster_test.go
+++ b/google/resource_container_cluster_test.go
@@ -1231,13 +1231,17 @@ func TestAccContainerCluster_withBootDiskKmsKey(t *testing.T) {
 	clusterName := fmt.Sprintf("tf-test-cluster-%s", RandString(t, 10))
 	kms := BootstrapKMSKeyInLocation(t, "us-central1")
 
+	if BootstrapPSARole(t, "service-", "compute-system", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
+		t.Fatal("Stopping the test because a role was added to the policy.")
+	}
+
 	VcrTest(t, resource.TestCase{
 		PreCheck:                 func() { testAccPreCheck(t) },
 		ProtoV5ProviderFactories: ProtoV5ProviderFactories(t),
 		CheckDestroy:             testAccCheckContainerClusterDestroyProducer(t),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccContainerCluster_withBootDiskKmsKey(GetTestProjectFromEnv(), clusterName, kms.CryptoKey.Name),
+				Config: testAccContainerCluster_withBootDiskKmsKey(clusterName, kms.CryptoKey.Name),
 			},
 			{
 				ResourceName: "google_container_cluster.with_boot_disk_kms_key",
@@ -2547,13 +2551,17 @@ func TestAccContainerCluster_nodeAutoprovisioningDefaultsBootDiskKmsKey(t *testi
 	clusterName := fmt.Sprintf("tf-test-cluster-%s", RandString(t, 10))
 	kms := BootstrapKMSKeyInLocation(t, "us-central1")
 
+	if BootstrapPSARole(t, "service-", "compute-system", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
+		t.Fatal("Stopping the test because a role was added to the policy.")
+	}
+
 	VcrTest(t, resource.TestCase{
 		PreCheck:                 func() { testAccPreCheck(t) },
 		ProtoV5ProviderFactories: ProtoV5ProviderFactories(t),
 		CheckDestroy:             testAccCheckContainerClusterDestroyProducer(t),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccContainerCluster_autoprovisioningDefaultsBootDiskKmsKey(GetTestProjectFromEnv(), clusterName, kms.CryptoKey.Name),
+				Config: testAccContainerCluster_autoprovisioningDefaultsBootDiskKmsKey(clusterName, kms.CryptoKey.Name),
 			},
 			{
 				ResourceName: "google_container_cluster.nap_boot_disk_kms_key",
@@ -4398,18 +4406,8 @@ resource "google_container_cluster" "with_workload_metadata_config" {
 `, clusterName)
 }
 
-func testAccContainerCluster_withBootDiskKmsKey(project, clusterName, kmsKeyName string) string {
+func testAccContainerCluster_withBootDiskKmsKey(clusterName, kmsKeyName string) string {
 	return fmt.Sprintf(`
-data "google_project" "project" {
-  project_id = "%s"
-}
-
-resource "google_project_iam_member" "kms-project-binding" {
-  project = data.google_project.project.project_id
-  role    = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member  = "serviceAccount:service-${data.google_project.project.number}@compute-system.iam.gserviceaccount.com"
-}
-
 resource "google_container_cluster" "with_boot_disk_kms_key" {
   name     = "%s"
   location = "us-central1-a"
@@ -4427,7 +4425,7 @@ resource "google_container_cluster" "with_boot_disk_kms_key" {
     boot_disk_kms_key = "%s"
   }
 }
-`, project, clusterName, kmsKeyName)
+`, clusterName, kmsKeyName)
 }
 
 func testAccContainerCluster_networkRef(cluster, network string) string {
@@ -4928,18 +4926,8 @@ resource "google_container_cluster" "with_autoprovisioning" {
 }`, cluster, imageTypeCfg)
 }
 
-func testAccContainerCluster_autoprovisioningDefaultsBootDiskKmsKey(project, clusterName, kmsKeyName string) string {
+func testAccContainerCluster_autoprovisioningDefaultsBootDiskKmsKey(clusterName, kmsKeyName string) string {
 	return fmt.Sprintf(`
-data "google_project" "project" {
-  project_id = "%s"
-}
-
-resource "google_project_iam_member" "kms-project-binding" {
-  project = data.google_project.project.project_id
-  role    = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member  = "serviceAccount:service-${data.google_project.project.number}@compute-system.iam.gserviceaccount.com"
-}
-
 resource "google_container_cluster" "nap_boot_disk_kms_key" {
   name     = "%s"
   location = "us-central1-a"
@@ -4962,7 +4950,7 @@ resource "google_container_cluster" "nap_boot_disk_kms_key" {
     }
   }
 }
-`, project, clusterName, kmsKeyName)
+`, clusterName, kmsKeyName)
 }
 
 func testAccContainerCluster_autoprovisioningDefaultsShieldedInstance(cluster string) string {
diff --git a/google/resource_dataflow_job_test.go b/google/resource_dataflow_job_test.go
index 830ed97cf51..a4d02620b9d 100644
--- a/google/resource_dataflow_job_test.go
+++ b/google/resource_dataflow_job_test.go
@@ -292,6 +292,10 @@ func TestAccDataflowJob_withKmsKey(t *testing.T) {
 	job := "tf-test-dataflow-job-" + randStr
 	zone := "us-central1-f"
 
+	if BootstrapPSARole(t, "service-", "compute-system", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
+		t.Fatal("Stopping the test because a role was added to the policy.")
+	}
+
 	VcrTest(t, resource.TestCase{
 		PreCheck:                 func() { testAccPreCheck(t) },
 		ProtoV5ProviderFactories: ProtoV5ProviderFactories(t),
@@ -973,12 +977,6 @@ resource "google_project_iam_member" "kms-project-dataflow-binding" {
   member  = "serviceAccount:service-${data.google_project.project.number}@dataflow-service-producer-prod.iam.gserviceaccount.com"
 }
 
-resource "google_project_iam_member" "kms-project-compute-binding" {
-  project = data.google_project.project.project_id
-  role    = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member  = "serviceAccount:service-${data.google_project.project.number}@compute-system.iam.gserviceaccount.com"
-}
-
 resource "google_kms_key_ring" "keyring" {
   name     = "%s"
   location = "global"
diff --git a/google/resource_dataproc_cluster_test.go b/google/resource_dataproc_cluster_test.go
index 319e62ff61d..539a43f7e50 100644
--- a/google/resource_dataproc_cluster_test.go
+++ b/google/resource_dataproc_cluster_test.go
@@ -859,7 +859,10 @@ func TestAccDataprocCluster_KMS(t *testing.T) {
 
 	rnd := RandString(t, 10)
 	kms := BootstrapKMSKey(t)
-	pid := GetTestProjectFromEnv()
+
+	if BootstrapPSARole(t, "service-", "compute-system", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
+		t.Fatal("Stopping the test because a role was added to the policy.")
+	}
 
 	var cluster dataproc.Cluster
 	VcrTest(t, resource.TestCase{
@@ -868,7 +871,7 @@ func TestAccDataprocCluster_KMS(t *testing.T) {
 		CheckDestroy: testAccCheckDataprocClusterDestroy(t),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccDataprocCluster_KMS(pid, rnd, kms.CryptoKey.Name),
+				Config: testAccDataprocCluster_KMS(rnd, kms.CryptoKey.Name),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckDataprocClusterExists(t, "google_dataproc_cluster.kms", &cluster),
 				),
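Review bot: This config keeps `google_project_iam_member.kms-project-dataflow-binding` (the context at the top of the hunk) while the compute-system binding moves to BootstrapPSARole, so the same test now manages one service-agent grant in Terraform and one out of band, and the two have different lifetimes; that split is easy to misread later. Either bootstrap the `dataflow-service-producer-prod` agent the same way in TestAccDataflowJob_withKmsKey (@292), or leave a comment on the surviving resource, e.g. `# compute-system's grant is bootstrapped once per project by the test; this one is still created and destroyed per run.` If any other resource in this template still lists the removed `kms-project-compute-binding` in `depends_on`, the plan will fail — the rest of the template is outside the hunk, so I cannot confirm either way.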
@@ -2043,21 +2046,9 @@ resource "google_dataproc_cluster" "with_net_ref_by_url" {
 `, netName, rnd, rnd, rnd)
 }
 
-func testAccDataprocCluster_KMS(pid, rnd, kmsKey string) string {
+func testAccDataprocCluster_KMS(rnd, kmsKey string) string {
 	return fmt.Sprintf(`
-data "google_project" "project" {
-  project_id = "%s"
-}
-
-resource "google_project_iam_member" "kms-project-binding" {
-  project = data.google_project.project.project_id
-  role    = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member  = "serviceAccount:service-${data.google_project.project.number}@compute-system.iam.gserviceaccount.com"
-}
-
 resource "google_dataproc_cluster" "kms" {
-  depends_on = [google_project_iam_member.kms-project-binding]
-
   name   = "tf-test-dproc-%s"
   region = "us-central1"
 
@@ -2067,7 +2058,7 @@ resource "google_dataproc_cluster" "kms" {
     }
   }
 }
-`, pid, rnd, kmsKey)
+`, rnd, kmsKey)
 }
 
 func testAccDataprocCluster_withKerberos(rnd, kmsKey string) string {
diff --git a/website/docs/r/compute_machine_image.html.markdown b/website/docs/r/compute_machine_image.html.markdown
index fd33eddd4bf..f4181c71c0c 100644
--- a/website/docs/r/compute_machine_image.html.markdown
+++ b/website/docs/r/compute_machine_image.html.markdown
@@ -95,7 +95,6 @@ resource "google_compute_machine_image" "image" {
   machine_image_encryption_key {
     kms_key_name = google_kms_crypto_key.crypto_key.id
   }
-  depends_on = [google_project_iam_member.kms-project-binding]
 }
 
 resource "google_kms_crypto_key" "crypto_key" {
@@ -109,17 +108,6 @@ resource "google_kms_key_ring" "key_ring" {
   name     = "keyring"
   location = "us"
 }
-
-data "google_project" "project" {
-  provider = google-beta
-}
-
-resource "google_project_iam_member" "kms-project-binding" {
-  provider = google-beta
-  project  = data.google_project.project.project_id
-  role     = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member   = "serviceAccount:service-${data.google_project.project.number}@compute-system.iam.gserviceaccount.com"
-}
 ```
 
 ## Argument Reference