From 06da98fac6bc255341c1c6a138d33f7f1ff3b0dd Mon Sep 17 00:00:00 2001 From: Ludovico Magnocavallo Date: Thu, 5 Feb 2026 19:06:34 +0100 Subject: [PATCH] Fix regression in project factory module context (#3708) * fix regression in pf * regression test --- modules/project-factory/README.md | 21 ++++++++++++++----- modules/project-factory/main.tf | 2 +- modules/project-factory/projects.tf | 4 ++-- .../project_factory/examples/test-1.yaml | 17 +++++++++++++++ 4 files changed, 36 insertions(+), 8 deletions(-) diff --git a/modules/project-factory/README.md b/modules/project-factory/README.md index b8dc5d151..daaa9c7a4 100644 --- a/modules/project-factory/README.md +++ b/modules/project-factory/README.md @@ -47,7 +47,6 @@ The code is meant to be executed by a high level service account with powerful p - [Variables](#variables) - [Outputs](#outputs) - [Tests](#tests) - - [Tags with $iam_principals interpolation](#tags-with-iam_principals-interpolation) ## Folder hierarchy @@ -869,6 +868,7 @@ compute.disableSerialPortAccess: | [service_accounts](outputs.tf#L158) | Service account emails. | | | [storage_buckets](outputs.tf#L163) | Bucket names. | | + ## Tests These tests validate fixes to the project factory. @@ -876,6 +876,13 @@ These tests validate fixes to the project factory. ```hcl module "project-factory" { source = "./fabric/modules/project-factory" + context = { + condition_vars = { + organization = { + id = 1234567890 + } + } + } data_defaults = { billing_account = "012345-67890A-ABCDEF" locations = { @@ -895,7 +902,7 @@ module "project-factory" { projects = "data/projects" } } -# tftest modules=4 resources=24 files=test-0,test-1,test-2 inventory=test-1.yaml +# tftest modules=5 resources=25 files=test-0,test-1,test-2 inventory=test-1.yaml ``` ```yaml 
@@ -905,6 +912,13 @@ services: - iam.googleapis.com - contactcenteraiplatform.googleapis.com - container.googleapis.com +iam_bindings_additive: + test_context: + role: roles/viewer + member: user:user1@example.com + condition: + title: Test context + expression: resource.matchTag('${organization.id}/context', 'project-factory') # tftest-file id=test-0 path=data/projects/test-0.yaml ``` @@ -929,8 +943,6 @@ services: # tftest-file id=test-2 path=data/projects/test-2.yaml ``` -### Tags with $iam_principals interpolation - This test validates that `$iam_principals:service_accounts/...` interpolation works correctly within tags IAM definitions when referencing automation service accounts created by the same project-factory. @@ -974,4 +986,3 @@ tags: - $iam_principals:service_accounts/tags-iam-test/automation/rw # tftest-file id=tags-iam-test path=data/projects/tags-iam-test.yaml ``` - diff --git a/modules/project-factory/main.tf b/modules/project-factory/main.tf index 90d85bf22..55ac766d1 100644 --- a/modules/project-factory/main.tf +++ b/modules/project-factory/main.tf @@ -39,7 +39,7 @@ resource "terraform_data" "defaults_preconditions" { } # precondition { # condition = local.projects_input == null - # error_message = yamlencode(local.budget_project_sets) + # error_message = yamlencode(var.context.condition_vars) # } } } diff --git a/modules/project-factory/projects.tf b/modules/project-factory/projects.tf index c344e1d1e..d3cbaa30e 100644 --- a/modules/project-factory/projects.tf +++ b/modules/project-factory/projects.tf @@ -95,11 +95,11 @@ module "projects" { each.value.contacts, var.data_merges.contacts ) context = merge(local.ctx, { - condition_vars = { + condition_vars = merge(local.ctx.condition_vars, { folder_ids = { for k, v in local.ctx_folder_ids : replace(k, "$folder_ids:", "") => v } - } + }) folder_ids = local.ctx_folder_ids }) default_service_account = try(each.value.default_service_account, "keep") 
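Review bot: In `modules/project-factory/projects.tf`, the new `merge(local.ctx.condition_vars, { folder_ids = ... })` is a shallow merge, so a `folder_ids` key supplied by the caller in `context.condition_vars` is replaced wholesale by the factory-computed map rather than combined with it. These values are interpolated into IAM condition expressions (the README example uses `${organization.id}`), so a silently overridden variable may change or break the rendered condition on a binding, and the precedence should be explicit. I would add a comment above the line, `# caller condition_vars are preserved; factory-computed folder_ids overrides any caller-supplied folder_ids key`, or, if caller entries are meant to survive, use `folder_ids = merge(try(local.ctx.condition_vars.folder_ids, {}), { for k, v in local.ctx_folder_ids : replace(k, "$folder_ids:", "") => v })`. The `module "projects"` block starts and ends outside the hunk, so any other `context = merge(local.ctx, { condition_vars = ... })` assignments in this file that might need the same fix are not visible here.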
diff --git a/tests/modules/project_factory/examples/test-1.yaml b/tests/modules/project_factory/examples/test-1.yaml index 512cddac6..dc066b09c 100644 --- a/tests/modules/project_factory/examples/test-1.yaml +++ b/tests/modules/project_factory/examples/test-1.yaml @@ -20,3 +20,20 @@ values: project_id: test-1 module.project-factory.module.projects["test-2"].google_project.project[0]: project_id: bar-test-2 + module.project-factory.module.projects-iam["test-0"].google_project_iam_member.bindings["test_context"]: + condition: + - description: null + expression: resource.matchTag('1234567890/context', 'project-factory') + title: Test context + member: user:user1@example.com + project: foo-test-0 + role: roles/viewer +counts: + google_project: 3 + google_project_iam_member: 6 + google_project_service: 10 + google_project_service_identity: 3 + google_storage_project_service_account: 1 + modules: 5 + resources: 25 + terraform_data: 2
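Review bot: The new inventory entry asserts the rendered condition on `module.project-factory.module.projects-iam["test-0"]`, while the fix visible in this patch changes the `context` of `module "projects"`. If `projects-iam` builds its context separately, this assertion could pass without the fix, so it is worth confirming that the test fails against the previous `projects.tf`. The test also exercises only the `organization` key. A second case that passes `condition_vars.folder_ids` from the caller would pin the precedence between caller-supplied and factory-computed folder ids in the rendered IAM condition.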