Remove use of google_kms_crypto_key_iam_binding resource in tests, …
…to make tests stable in overnight testing (GoogleCloudPlatform#9621)

* Remove `google_kms_crypto_key_iam_binding` resources that affect shared crypto keys

* Remove unnecessary use of `google_kms_crypto_key_iam_binding` (no shared crypto key affected)

By removing this usage of `google_kms_crypto_key_iam_binding` I intend to make it easier to identify when acc tests affect shared resources that aren't provisioned by the test

* Remove unnecessary use of `google_kms_crypto_key_iam_binding` (no shared crypto key affected)

* Fix call to config function in acc test

* Update mmv1/third_party/terraform/services/cloudfunctions/resource_cloudfunctions_function_test.go.erb

* Skip `TestAccCloudFunctionsFunction_cmek` in VCR
SarahFrench authored and kapreus committed Jan 2, 2024
1 parent 9bf73d9 commit 51fe6af
Showing 4 changed files with 31 additions and 22 deletions.
Expand Up @@ -8,13 +8,11 @@ resource "google_kms_crypto_key" "crypto_key" {
key_ring = google_kms_key_ring.key_ring.id
}

resource "google_kms_crypto_key_iam_binding" "crypto_key_binding" {
resource "google_kms_crypto_key_iam_member" "crypto_key_binding" {
crypto_key_id = google_kms_crypto_key.crypto_key.id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"

members = [
"serviceAccount:service-${data.google_project.project.number}@gcp-sa-sourcemanager.iam.gserviceaccount.com"
]
member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-sourcemanager.iam.gserviceaccount.com"
}

resource "google_secure_source_manager_instance" "<%= ctx[:primary_resource_id] %>" {
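Review bot: Nothing in this hunk makes `google_secure_source_manager_instance` wait for the changed grant: the other three files in this commit update a `depends_on` to the new `google_kms_crypto_key_iam_member` address, but this section changes only the resource type and the `member` line. The instance block starts on the hunk's last line and its body is outside the view, so this is inferred. If the body carries `depends_on = [google_kms_crypto_key_iam_binding.crypto_key_binding]`, that reference is now dangling; if it has no dependency at all, the instance can be created before the service agent is allowed to use the key. Either way the body should contain `depends_on = [google_kms_crypto_key_iam_member.crypto_key_binding]`.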
Expand Up @@ -295,7 +295,9 @@ func TestAccCloudFunctionsFunction_dockerRepository(t *testing.T) {

<% unless version == "ga" -%>
func TestAccCloudFunctionsFunction_cmek(t *testing.T) {
acctest.SkipIfVcr(t)
t.Parallel()

kmsKey := acctest.BootstrapKMSKeyInLocation(t, "us-central1")
funcResourceName := "google_cloudfunctions_function.function"
arRepoName := fmt.Sprintf("tf-cmek-test-docker-repository-%s", acctest.RandString(t, 10))
Expand Down Expand Up @@ -1078,24 +1080,37 @@ resource "google_artifact_registry_repository_iam_binding" "binding" {
]
}

resource "google_kms_crypto_key_iam_binding" "gcf_cmek_keyuser" {
resource "google_kms_crypto_key_iam_member" "gcf_cmek_keyuser_1" {
crypto_key_id = "%s"
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"

members = [
"serviceAccount:service-${data.google_project.project.number}@gcf-admin-robot.iam.gserviceaccount.com",
"serviceAccount:service-${data.google_project.project.number}@gcp-sa-artifactregistry.iam.gserviceaccount.com",
"serviceAccount:service-${data.google_project.project.number}@gs-project-accounts.iam.gserviceaccount.com",
]
member = "serviceAccount:service-${data.google_project.project.number}@gcf-admin-robot.iam.gserviceaccount.com"
}

resource "google_kms_crypto_key_iam_member" "gcf_cmek_keyuser_2" {
crypto_key_id = "%s"
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"

member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-artifactregistry.iam.gserviceaccount.com"
}

resource "google_kms_crypto_key_iam_member" "gcf_cmek_keyuser_3" {
crypto_key_id = "%s"
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"

member = "serviceAccount:service-${data.google_project.project.number}@gs-project-accounts.iam.gserviceaccount.com"
}


resource "google_artifact_registry_repository" "encoded-ar-repo" {
repository_id = "%s"
kms_key_name = "%s"
location = "us-central1"
format = "DOCKER"
depends_on = [
google_kms_crypto_key_iam_binding.gcf_cmek_keyuser
google_kms_crypto_key_iam_member.gcf_cmek_keyuser_1,
google_kms_crypto_key_iam_member.gcf_cmek_keyuser_2,
google_kms_crypto_key_iam_member.gcf_cmek_keyuser_3,
]
}

Expand Down Expand Up @@ -1123,7 +1138,7 @@ resource "google_cloudfunctions_function" "function" {
timeout = 61
entry_point = "helloGET"
}
`, kmsKey, arRepoName, kmsKey, bucketName, zipFilePath, functionName, kmsKey)
`, kmsKey, kmsKey, kmsKey, arRepoName, kmsKey, bucketName, zipFilePath, functionName, kmsKey)
}
<% end -%>
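Review bot: The three `google_kms_crypto_key_iam_member` grants are still created and destroyed on every run against the key returned by `acctest.BootstrapKMSKeyInLocation(t, "us-central1")`, which the commit description treats as shared, and the test runs under `t.Parallel()`. Moving off the authoritative binding stops this test from overwriting other members of the role, but destroy still removes each (key, role, member) tuple, so a concurrent test that grants the same service agent on the same key would presumably lose access mid-run. If the grants cannot move into the bootstrap step, a comment above the `kmsKey` line would record the constraint, e.g. `// kmsKey is shared across tests; the iam_member grants below are removed on destroy`. The same question applies to the `%{key_name}` grant in the compute instance section if that key is also bootstrapped.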

Expand Up @@ -6905,12 +6905,10 @@ data "google_compute_image" "my_image" {

data "google_project" "project" {}

resource "google_kms_crypto_key_iam_binding" "crypto_key" {
resource "google_kms_crypto_key_iam_member" "crypto_key" {
crypto_key_id = "%{key_name}"
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
members = [
"serviceAccount:${data.google_project.project.number}-compute@developer.gserviceaccount.com",
]
member = "serviceAccount:${data.google_project.project.number}-compute@developer.gserviceaccount.com"
}

resource "google_compute_instance" "foobar" {
Expand All @@ -6932,7 +6930,7 @@ resource "google_compute_instance" "foobar" {
network_interface {
network = "default"
}
depends_on = [google_kms_crypto_key_iam_binding.crypto_key]
depends_on = [google_kms_crypto_key_iam_member.crypto_key]

}
`, context)
Expand Up @@ -642,7 +642,7 @@ resource "google_spanner_database" "database" {

deletion_protection = false

depends_on = [google_kms_crypto_key_iam_binding.crypto-key-binding]
depends_on = [google_kms_crypto_key_iam_member.crypto-key-binding]
}

resource "google_kms_key_ring" "keyring" {
Expand All @@ -658,14 +658,12 @@ resource "google_kms_crypto_key" "example-key" {
rotation_period = "100000s"
}

resource "google_kms_crypto_key_iam_binding" "crypto-key-binding" {
resource "google_kms_crypto_key_iam_member" "crypto-key-binding" {
provider = google-beta
crypto_key_id = google_kms_crypto_key.example-key.id
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"

members = [
"serviceAccount:${google_project_service_identity.ck_sa.email}",
]
member = "serviceAccount:${google_project_service_identity.ck_sa.email}"
}

data "google_project" "project" {
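Review bot: The resource label `crypto-key-binding` now sits on a `google_kms_crypto_key_iam_member`, and the first file in this commit keeps `crypto_key_binding` in the same way. A binding is authoritative for the role's member list while a member is additive, so a label naming the other resource type misleads anyone reading the `depends_on` reference. Consider `resource "google_kms_crypto_key_iam_member" "crypto-key-member"` together with `depends_on = [google_kms_crypto_key_iam_member.crypto-key-member]` in `google_spanner_database.database`.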