From f086bc5aabd977c8946707777903a6c89b4d0b86 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wiktor=20Niesiob=C4=99dzki?=
Date: Sat, 16 Nov 2024 08:48:42 +0000
Subject: [PATCH] Fix E2E tests, make service account outputs depend on IAM grants
---
 modules/cloud-run-v2/README.md | 1 +
 modules/iam-service-account/README.md | 12 +++----
 modules/iam-service-account/outputs.tf | 44 +++++++++++++++++++++++---
 modules/pubsub/README.md | 5 +++
 4 files changed, 52 insertions(+), 10 deletions(-)
diff --git a/modules/cloud-run-v2/README.md b/modules/cloud-run-v2/README.md
index 1f49509279..3053ae7b16 100644
--- a/modules/cloud-run-v2/README.md
+++ b/modules/cloud-run-v2/README.md
@@ -112,6 +112,7 @@ module "cloud_run" {
 }
 }
 }
+ deletion_protection = false
 }
 # tftest inventory=gcs-mount.yaml e2e
 ```
diff --git a/modules/iam-service-account/README.md b/modules/iam-service-account/README.md
index f201469523..459c7c9f29 100644
--- a/modules/iam-service-account/README.md
+++ b/modules/iam-service-account/README.md
@@ -68,10 +68,10 @@ module "myproject-default-service-accounts" {
 | name | description | sensitive |
 |---|---|:---:|
 | [email](outputs.tf#L17) | Service account email. | |
-| [iam_email](outputs.tf#L25) | IAM-format service account email. | |
-| [id](outputs.tf#L33) | Fully qualified service account id. | |
-| [key](outputs.tf#L42) | Service account key. | ✓ |
-| [name](outputs.tf#L48) | Service account name. | |
-| [service_account](outputs.tf#L57) | Service account resource. | |
-| [service_account_credentials](outputs.tf#L62) | Service account json credential templates for uploaded public keys data. | |
+| [iam_email](outputs.tf#L34) | IAM-format service account email. | |
+| [id](outputs.tf#L51) | Fully qualified service account id. | |
+| [key](outputs.tf#L69) | Service account key. | ✓ |
+| [name](outputs.tf#L75) | Service account name. | |
+| [service_account](outputs.tf#L93) | Service account resource. | |
+| [service_account_credentials](outputs.tf#L98) | Service account json credential templates for uploaded public keys data. | |
diff --git a/modules/iam-service-account/outputs.tf b/modules/iam-service-account/outputs.tf
index 79210caec8..1693fff175 100644
--- a/modules/iam-service-account/outputs.tf
+++ b/modules/iam-service-account/outputs.tf
@@ -18,7 +18,16 @@ output "email" {
 description = "Service account email."
 value = local.resource_email_static
 depends_on = [
- local.service_account
+ local.service_account,
+ google_service_account_iam_binding.authoritative,
+ google_service_account_iam_binding.bindings,
+ google_service_account_iam_member.bindings,
+ google_billing_account_iam_member.billing-roles,
+ google_folder_iam_member.folder-roles,
+ google_organization_iam_member.organization-roles,
+ google_project_iam_member.project-roles,
+ google_service_account_iam_member.additive,
+ google_storage_bucket_iam_member.bucket-roles,
 ]
 }
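Review bot: The nine grant resources added to `depends_on` in `output "email"` are repeated verbatim in the `iam_email`, `id` and `name` hunks with no comment explaining them, so a grant resource added to the module later can easily be left out of one of the four lists. A line above each list such as `# consumers must not receive this identity before its IAM grants exist` would record the intent. Since `local.service_account` is already accepted in `depends_on` here, the references could probably be gathered once in a local and that local listed in each output instead. Ordering on these resources only guarantees the IAM call has returned; binding propagation can still lag, so a consumer that uses the identity immediately may still need a retry.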
@@ -26,7 +35,16 @@ output "iam_email" {
 description = "IAM-format service account email."
 value = local.resource_iam_email_static
 depends_on = [
- local.service_account
+ local.service_account,
+ google_service_account_iam_binding.authoritative,
+ google_service_account_iam_binding.bindings,
+ google_service_account_iam_member.bindings,
+ google_billing_account_iam_member.billing-roles,
+ google_folder_iam_member.folder-roles,
+ google_organization_iam_member.organization-roles,
+ google_project_iam_member.project-roles,
+ google_service_account_iam_member.additive,
+ google_storage_bucket_iam_member.bucket-roles,
 ]
 }
@@ -35,7 +53,16 @@ output "id" {
 value = local.service_account_id_static
 depends_on = [
 data.google_service_account.service_account,
- google_service_account.service_account
+ google_service_account.service_account,
+ google_service_account_iam_binding.authoritative,
+ google_service_account_iam_binding.bindings,
+ google_service_account_iam_member.bindings,
+ google_billing_account_iam_member.billing-roles,
+ google_folder_iam_member.folder-roles,
+ google_organization_iam_member.organization-roles,
+ google_project_iam_member.project-roles,
+ google_service_account_iam_member.additive,
+ google_storage_bucket_iam_member.bucket-roles,
 ]
 }
@@ -50,7 +77,16 @@ output "name" {
 value = local.service_account_id_static
 depends_on = [
 data.google_service_account.service_account,
- google_service_account.service_account
+ google_service_account.service_account,
+ google_service_account_iam_binding.authoritative,
+ google_service_account_iam_binding.bindings,
+ google_service_account_iam_member.bindings,
+ google_billing_account_iam_member.billing-roles,
+ google_folder_iam_member.folder-roles,
+ google_organization_iam_member.organization-roles,
+ google_project_iam_member.project-roles,
+ google_service_account_iam_member.additive,
+ google_storage_bucket_iam_member.bucket-roles,
 ]
 }
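Review bot: Only `email`, `iam_email`, `id` and `name` gain the grant dependencies, while the outputs table in this same patch also lists `key`, `service_account` and `service_account_credentials`, which no hunk touches. A caller that reads `service_account.email` or passes `key` to a workload would, as far as this diff shows, still be ordered only after the account itself; worth confirming whether that gap is intended. These outputs are also now downstream of every grant, so a configuration that feeds one of them back into this module's own IAM inputs, or two instances that reference each other's `iam_email`, would presumably fail with a dependency cycle; a sentence in the README stating that constraint would help.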
diff --git a/modules/pubsub/README.md b/modules/pubsub/README.md
index 87d80779d7..dcfcde1d38 100644
--- a/modules/pubsub/README.md
+++ b/modules/pubsub/README.md
@@ -136,6 +136,11 @@ module "iam-service-account" {
 source = "./fabric/modules/iam-service-account"
 project_id = var.project_id
 name = "fixture-service-account"
+ iam_project_roles = {
+ "${var.project_id}" = [
+ "roles/bigquery.dataEditor",
+ ]
+ }
 }
 module "pubsub" {