spanner: bootstrap permissions for TestAccSpannerDatabase_cmek and …

…`TestAccSpannerDatabase_mrcmek` (#12152)

mmv1/third_party/terraform/services/spanner/resource_spanner_database_test.go.tmpl

@@ -517,19 +517,27 @@ resource "google_spanner_database" "database" {
 `, context)
 }
 
-{{ if ne $.TargetVersionName `ga` -}}
-{{/* Field is not beta, but google_project_service_identity dependency is */ -}}
 func TestAccSpannerDatabase_cmek(t *testing.T) {
-	acctest.SkipIfVcr(t)
 	t.Parallel()
 
+	// Handle bootstrapping out of band so we don't need beta provider, and for consistency with mrcmek test
+	if acctest.BootstrapPSARole(t, "service-", "gcp-sa-spanner", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
+		t.Fatal("Stopping the test because a role was added to the policy.")
+	}
+
+	// Make the keys outside of Terraform so that a) the project isn't littered with a key from each run and b) so that VCR
+	// can work.
+	kmsKey := acctest.BootstrapKMSKeyWithPurposeInLocationAndName(t, "ENCRYPT_DECRYPT", "europe-west1", "tf-test-cmek-test-key-europe-west1")
+
 	context := map[string]interface{}{
+		"key_name":      kmsKey.CryptoKey.Name,
+		"key_ring_name": kmsKey.KeyRing.Name,
 		"random_suffix": acctest.RandString(t, 10),
 	}
 
 	acctest.VcrTest(t, resource.TestCase{
 		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
-		ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
 		CheckDestroy:             testAccCheckSpannerDatabaseDestroyProducer(t),
 		Steps: []resource.TestStep{
 			{
@@ -548,14 +556,14 @@ func TestAccSpannerDatabase_cmek(t *testing.T) {
 func testAccSpannerDatabase_cmek(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_spanner_instance" "main" {
-  provider     = google-beta
-  config       = "regional-europe-west1"
+  name         = "tf-test-%{random_suffix}"
   display_name = "main-instance1"
-  num_nodes    = 1
+
+  config           = "regional-europe-west1"
+  processing_units = 200
 }
 
 resource "google_spanner_database" "database" {
-  provider = google-beta
   instance = google_spanner_instance.main.name
   name     = "tf-test-cmek-db%{random_suffix}"
   ddl = [
@@ -564,68 +572,33 @@ resource "google_spanner_database" "database" {
   ]
 
   encryption_config {
-  	kms_key_name = google_kms_crypto_key.example-key.id
+    kms_key_name = "%{key_name}"
   }
 
   deletion_protection = false
-
-  depends_on = [google_kms_crypto_key_iam_member.crypto-key-binding]
-}
-
-resource "google_kms_key_ring" "keyring" {
-  provider = google-beta
-  name     = "tf-test-ring%{random_suffix}"
-  location = "europe-west1"
-}
-
-resource "google_kms_crypto_key" "example-key" {
-  provider        = google-beta
-  name            = "tf-test-key%{random_suffix}"
-  key_ring        = google_kms_key_ring.keyring.id
-  rotation_period = "100000s"
-}
-
-resource "google_kms_crypto_key_iam_member" "crypto-key-binding" {
-  provider      = google-beta
-  crypto_key_id = google_kms_crypto_key.example-key.id
-  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-
-  member = google_project_service_identity.ck_sa.member
-}
-
-data "google_project" "project" {
-  provider = google-beta
-}
-
-resource "google_project_service_identity" "ck_sa" {
-  provider = google-beta
-  project  = data.google_project.project.project_id
-  service  = "spanner.googleapis.com"
 }
-
 `, context)
 }
 
 func TestAccSpannerDatabase_mrcmek(t *testing.T) {
-	acctest.SkipIfVcr(t)
 	t.Parallel()
 
 	kms1 := acctest.BootstrapKMSKeyWithPurposeInLocationAndName(t, "ENCRYPT_DECRYPT", "us-central1", "tf-mr-cmek-test-key-us-central1")
 	kms2 := acctest.BootstrapKMSKeyWithPurposeInLocationAndName(t, "ENCRYPT_DECRYPT", "us-east1", "tf-mr-cmek-test-key-us-east1")
 	kms3 := acctest.BootstrapKMSKeyWithPurposeInLocationAndName(t, "ENCRYPT_DECRYPT", "us-east4", "tf-mr-cmek-test-key-us-east4")
 	context := map[string]interface{}{
 		"random_suffix": acctest.RandString(t, 10),
-		"key_ring1":      kms1.KeyRing.Name,
-		"key_name1":      kms1.CryptoKey.Name,
-		"key_ring2":      kms2.KeyRing.Name,
-		"key_name2":      kms2.CryptoKey.Name,
-		"key_ring3":      kms3.KeyRing.Name,
-		"key_name3":      kms3.CryptoKey.Name,
+		"key_ring1":     kms1.KeyRing.Name,
+		"key_name1":     kms1.CryptoKey.Name,
+		"key_ring2":     kms2.KeyRing.Name,
+		"key_name2":     kms2.CryptoKey.Name,
+		"key_ring3":     kms3.KeyRing.Name,
+		"key_name3":     kms3.CryptoKey.Name,
 	}
 
 	acctest.VcrTest(t, resource.TestCase{
 		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
-		ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
 		CheckDestroy:             testAccCheckSpannerDatabaseDestroyProducer(t),
 		Steps: []resource.TestStep{
 			{
@@ -644,14 +617,14 @@ func TestAccSpannerDatabase_mrcmek(t *testing.T) {
 func testAccSpannerDatabase_mrcmek(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_spanner_instance" "main" {
-  provider     = google-beta
-  config       = "nam3"
-  display_name = "main-instance1"
-  num_nodes    = 1
+  name         = "tf-test-%{random_suffix}"
+  display_name = "Terraform test"
+
+  config           = "nam3"
+  processing_units = 200
 }
 
 resource "google_spanner_database" "database" {
-  provider = google-beta
   instance = google_spanner_instance.main.name
   name     = "tf-test-mrcmek-db%{random_suffix}"
   ddl = [
@@ -660,19 +633,14 @@ resource "google_spanner_database" "database" {
   ]
 
   encryption_config {
-  	kms_key_names = [
-	  "%{key_name1}",
-	  "%{key_name2}",
-	  "%{key_name3}",
-	]
+    kms_key_names = [
+      "%{key_name1}",
+      "%{key_name2}",
+      "%{key_name3}",
+    ]
   }
 
   deletion_protection = false
-
 }
-
-
 `, context)
 }
-
-{{- end }}