Fix E2E tests, make service account outputs depend on IAM grants

GoogleCloudPlatform · Nov 16, 2024 · f086bc5 · f086bc5
1 parent e0d6f0e
commit f086bc5
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 10 deletions.
diff --git a/modules/cloud-run-v2/README.md b/modules/cloud-run-v2/README.md
@@ -112,6 +112,7 @@ module "cloud_run" {
       }
     }
   }
+  deletion_protection = false
 }
 # tftest inventory=gcs-mount.yaml e2e
 ```

diff --git a/modules/iam-service-account/README.md b/modules/iam-service-account/README.md
@@ -68,10 +68,10 @@ module "myproject-default-service-accounts" {
 | name | description | sensitive |
 |---|---|:---:|
 | [email](outputs.tf#L17) | Service account email. |  |
-| [iam_email](outputs.tf#L25) | IAM-format service account email. |  |
-| [id](outputs.tf#L33) | Fully qualified service account id. |  |
-| [key](outputs.tf#L42) | Service account key. | ✓ |
-| [name](outputs.tf#L48) | Service account name. |  |
-| [service_account](outputs.tf#L57) | Service account resource. |  |
-| [service_account_credentials](outputs.tf#L62) | Service account json credential templates for uploaded public keys data. |  |
+| [iam_email](outputs.tf#L34) | IAM-format service account email. |  |
+| [id](outputs.tf#L51) | Fully qualified service account id. |  |
+| [key](outputs.tf#L69) | Service account key. | ✓ |
+| [name](outputs.tf#L75) | Service account name. |  |
+| [service_account](outputs.tf#L93) | Service account resource. |  |
+| [service_account_credentials](outputs.tf#L98) | Service account json credential templates for uploaded public keys data. |  |
 <!-- END TFDOC -->
diff --git a/modules/iam-service-account/outputs.tf b/modules/iam-service-account/outputs.tf
@@ -18,15 +18,33 @@ output "email" {
   description = "Service account email."
   value       = local.resource_email_static
   depends_on = [
-    local.service_account
+    local.service_account,
+    google_service_account_iam_binding.authoritative,
+    google_service_account_iam_binding.bindings,
+    google_service_account_iam_member.bindings,
+    google_billing_account_iam_member.billing-roles,
+    google_folder_iam_member.folder-roles,
+    google_organization_iam_member.organization-roles,
+    google_project_iam_member.project-roles,
+    google_service_account_iam_member.additive,
+    google_storage_bucket_iam_member.bucket-roles,
   ]
 }
 
 output "iam_email" {
   description = "IAM-format service account email."
   value       = local.resource_iam_email_static
   depends_on = [
-    local.service_account
+    local.service_account,
+    google_service_account_iam_binding.authoritative,
+    google_service_account_iam_binding.bindings,
+    google_service_account_iam_member.bindings,
+    google_billing_account_iam_member.billing-roles,
+    google_folder_iam_member.folder-roles,
+    google_organization_iam_member.organization-roles,
+    google_project_iam_member.project-roles,
+    google_service_account_iam_member.additive,
+    google_storage_bucket_iam_member.bucket-roles,
   ]
 }
 
@@ -35,7 +53,16 @@ output "id" {
   value       = local.service_account_id_static
   depends_on = [
     data.google_service_account.service_account,
-    google_service_account.service_account
+    google_service_account.service_account,
+    google_service_account_iam_binding.authoritative,
+    google_service_account_iam_binding.bindings,
+    google_service_account_iam_member.bindings,
+    google_billing_account_iam_member.billing-roles,
+    google_folder_iam_member.folder-roles,
+    google_organization_iam_member.organization-roles,
+    google_project_iam_member.project-roles,
+    google_service_account_iam_member.additive,
+    google_storage_bucket_iam_member.bucket-roles,
   ]
 }
 
@@ -50,7 +77,16 @@ output "name" {
   value       = local.service_account_id_static
   depends_on = [
     data.google_service_account.service_account,
-    google_service_account.service_account
+    google_service_account.service_account,
+    google_service_account_iam_binding.authoritative,
+    google_service_account_iam_binding.bindings,
+    google_service_account_iam_member.bindings,
+    google_billing_account_iam_member.billing-roles,
+    google_folder_iam_member.folder-roles,
+    google_organization_iam_member.organization-roles,
+    google_project_iam_member.project-roles,
+    google_service_account_iam_member.additive,
+    google_storage_bucket_iam_member.bucket-roles,
   ]
 }
 

diff --git a/modules/pubsub/README.md b/modules/pubsub/README.md
@@ -136,6 +136,11 @@ module "iam-service-account" {
   source     = "./fabric/modules/iam-service-account"
   project_id = var.project_id
   name       = "fixture-service-account"
+  iam_project_roles = {
+    "${var.project_id}" = [
+      "roles/bigquery.dataEditor",
+    ]
+  }
 }
 
 module "pubsub" {