From c969f0c047960d4957fc128d4dbfe895a9e6742a Mon Sep 17 00:00:00 2001
From: Sarah French <15078782+SarahFrench@users.noreply.github.com>
Date: Tue, 12 Dec 2023 16:58:23 +0000
Subject: [PATCH] Remove use of `google_kms_crypto_key_iam_binding` resource in tests, to make tests stable in overnight testing (#9621)
* Remove `google_kms_crypto_key_iam_binding` resources that affect shared crypto keys
* Remove unnecessary use of `google_kms_crypto_key_iam_binding` (no shared crypto key affected) By removing this usage of `google_kms_crypto_key_iam_binding` I intend to make it easier to identify when acc tests affect shared resources that aren't provisioned by the test
* Remove unnecessary use of `google_kms_crypto_key_iam_binding` (no shared crypto key affected)
* Fix call to config function in acc test
* Update mmv1/third_party/terraform/services/cloudfunctions/resource_cloudfunctions_function_test.go.erb
* Skip `TestAccCloudFunctionsFunction_cmek` in VCR
---
 ...secure_source_manager_instance_cmek.tf.erb | 6 ++--
 ...source_cloudfunctions_function_test.go.erb | 31 ++++++++++++++-----
 .../resource_compute_instance_test.go.erb | 8 ++---
 .../resource_spanner_database_test.go.erb | 8 ++---
 4 files changed, 31 insertions(+), 22 deletions(-)
diff --git a/mmv1/templates/terraform/examples/secure_source_manager_instance_cmek.tf.erb b/mmv1/templates/terraform/examples/secure_source_manager_instance_cmek.tf.erb
index abde1100aaa7..c7fd6f9312d3 100644
--- a/mmv1/templates/terraform/examples/secure_source_manager_instance_cmek.tf.erb
+++ b/mmv1/templates/terraform/examples/secure_source_manager_instance_cmek.tf.erb
@@ -8,13 +8,11 @@ resource "google_kms_crypto_key" "crypto_key" {
 key_ring = google_kms_key_ring.key_ring.id
 }
-resource "google_kms_crypto_key_iam_binding" "crypto_key_binding" {
+resource "google_kms_crypto_key_iam_member" "crypto_key_binding" {
 crypto_key_id = google_kms_crypto_key.crypto_key.id
 role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
- members = [
- "serviceAccount:service-${data.google_project.project.number}@gcp-sa-sourcemanager.iam.gserviceaccount.com"
- ]
+ member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-sourcemanager.iam.gserviceaccount.com"
 }
 resource "google_secure_source_manager_instance" "<%= ctx[:primary_resource_id] %>" {
diff --git a/mmv1/third_party/terraform/services/cloudfunctions/resource_cloudfunctions_function_test.go.erb b/mmv1/third_party/terraform/services/cloudfunctions/resource_cloudfunctions_function_test.go.erb
index 9bf727547801..0c2be3a3a1a3 100644
--- a/mmv1/third_party/terraform/services/cloudfunctions/resource_cloudfunctions_function_test.go.erb
+++ b/mmv1/third_party/terraform/services/cloudfunctions/resource_cloudfunctions_function_test.go.erb
@@ -295,7 +295,9 @@ func TestAccCloudFunctionsFunction_dockerRepository(t *testing.T) {
 <% unless version == "ga" -%>
 func TestAccCloudFunctionsFunction_cmek(t *testing.T) {
+ acctest.SkipIfVcr(t)
 t.Parallel()
+ kmsKey := acctest.BootstrapKMSKeyInLocation(t, "us-central1")
 funcResourceName := "google_cloudfunctions_function.function"
 arRepoName := fmt.Sprintf("tf-cmek-test-docker-repository-%s", acctest.RandString(t, 10))
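Review bot: `acctest.SkipIfVcr(t)` is added at the top of `TestAccCloudFunctionsFunction_cmek` with no comment saying why the test cannot run against recorded cassettes, so the skip is likely to outlive its reason. A one-line comment above it would do, for example `// Skipped in VCR: <reason or tracking issue link>`. The new `kmsKey := acctest.BootstrapKMSKeyInLocation(t, "us-central1")` deserves a similar note that this is a long-lived key shared between tests (as the commit message implies), so that later edits to the config do not manage its IAM policy authoritatively again. The function body continues past the end of this hunk.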
@@ -1078,24 +1080,37 @@ resource "google_artifact_registry_repository_iam_binding" "binding" {
 ]
 }
-resource "google_kms_crypto_key_iam_binding" "gcf_cmek_keyuser" {
+resource "google_kms_crypto_key_iam_member" "gcf_cmek_keyuser_1" {
 crypto_key_id = "%s"
 role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
- members = [
- "serviceAccount:service-${data.google_project.project.number}@gcf-admin-robot.iam.gserviceaccount.com",
- "serviceAccount:service-${data.google_project.project.number}@gcp-sa-artifactregistry.iam.gserviceaccount.com",
- "serviceAccount:service-${data.google_project.project.number}@gs-project-accounts.iam.gserviceaccount.com",
- ]
+ member = "serviceAccount:service-${data.google_project.project.number}@gcf-admin-robot.iam.gserviceaccount.com"
 }
+resource "google_kms_crypto_key_iam_member" "gcf_cmek_keyuser_2" {
+ crypto_key_id = "%s"
+ role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+
+ member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-artifactregistry.iam.gserviceaccount.com"
+}
+
+resource "google_kms_crypto_key_iam_member" "gcf_cmek_keyuser_3" {
+ crypto_key_id = "%s"
+ role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+
+ member = "serviceAccount:service-${data.google_project.project.number}@gs-project-accounts.iam.gserviceaccount.com"
+}
+
+
 resource "google_artifact_registry_repository" "encoded-ar-repo" {
 repository_id = "%s"
 kms_key_name = "%s"
 location = "us-central1"
 format = "DOCKER"
 depends_on = [
- google_kms_crypto_key_iam_binding.gcf_cmek_keyuser
+ google_kms_crypto_key_iam_member.gcf_cmek_keyuser_1,
+ google_kms_crypto_key_iam_member.gcf_cmek_keyuser_2,
+ google_kms_crypto_key_iam_member.gcf_cmek_keyuser_3,
 ]
 }
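Review bot: Grants on the key passed as `%s` are still created and destroyed on every test run: `gcf_cmek_keyuser_1`, `_2` and `_3` no longer overwrite the role's member list, but the key appears to be the shared bootstrapped one. If another test grants the same service agent `roles/cloudkms.cryptoKeyEncrypterDecrypter` on that key, this test's destroy step would remove the member while the other test still needs it, and an interrupted destroy leaves the encrypt/decrypt grant on a long-lived key. Consider provisioning these grants once alongside the key bootstrap, or using a key the test creates itself, and at minimum add a comment such as `# non-authoritative on purpose: this key is shared, do not use iam_binding or iam_policy here`. The same applies to the `crypto_key` member in the `resource_compute_instance_test.go.erb` hunk if `%{key_name}` is also a bootstrapped key.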
@@ -1123,7 +1138,7 @@ resource "google_cloudfunctions_function" "function" {
 timeout = 61
 entry_point = "helloGET"
 }
-`, kmsKey, arRepoName, kmsKey, bucketName, zipFilePath, functionName, kmsKey)
+`, kmsKey, kmsKey, kmsKey, arRepoName, kmsKey, bucketName, zipFilePath, functionName, kmsKey)
 }
 <% end -%>
diff --git a/mmv1/third_party/terraform/services/compute/resource_compute_instance_test.go.erb b/mmv1/third_party/terraform/services/compute/resource_compute_instance_test.go.erb
index 6d747946cef6..f52854d8a441 100644
--- a/mmv1/third_party/terraform/services/compute/resource_compute_instance_test.go.erb
+++ b/mmv1/third_party/terraform/services/compute/resource_compute_instance_test.go.erb
@@ -6905,12 +6905,10 @@ data "google_compute_image" "my_image" {
 data "google_project" "project" {}
-resource "google_kms_crypto_key_iam_binding" "crypto_key" {
+resource "google_kms_crypto_key_iam_member" "crypto_key" {
 crypto_key_id = "%{key_name}"
 role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
- members = [
- "serviceAccount:${data.google_project.project.number}-compute@developer.gserviceaccount.com",
- ]
+ member = "serviceAccount:${data.google_project.project.number}-compute@developer.gserviceaccount.com"
 }
 resource "google_compute_instance" "foobar" {
@@ -6932,7 +6930,7 @@ resource "google_compute_instance" "foobar" {
 network_interface {
 network = "default"
 }
- depends_on = [google_kms_crypto_key_iam_binding.crypto_key]
+ depends_on = [google_kms_crypto_key_iam_member.crypto_key]
 }
 `, context)
diff --git a/mmv1/third_party/terraform/services/spanner/resource_spanner_database_test.go.erb b/mmv1/third_party/terraform/services/spanner/resource_spanner_database_test.go.erb
index 5488cdf31c35..3eb94e373be8 100644
--- a/mmv1/third_party/terraform/services/spanner/resource_spanner_database_test.go.erb
+++ b/mmv1/third_party/terraform/services/spanner/resource_spanner_database_test.go.erb
@@ -642,7 +642,7 @@ resource "google_spanner_database" "database" {
 deletion_protection = false
- depends_on = [google_kms_crypto_key_iam_binding.crypto-key-binding]
+ depends_on = [google_kms_crypto_key_iam_member.crypto-key-binding]
 }
 resource "google_kms_key_ring" "keyring" {
@@ -658,14 +658,12 @@ resource "google_kms_crypto_key" "example-key" {
 rotation_period = "100000s"
 }
-resource "google_kms_crypto_key_iam_binding" "crypto-key-binding" {
+resource "google_kms_crypto_key_iam_member" "crypto-key-binding" {
 provider = google-beta
 crypto_key_id = google_kms_crypto_key.example-key.id
 role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
- members = [
- "serviceAccount:${google_project_service_identity.ck_sa.email}",
- ]
+ member = "serviceAccount:${google_project_service_identity.ck_sa.email}"
 }
 data "google_project" "project" {