From 0f28d266dd04898fb448a0246a2ab837da79fb69 Mon Sep 17 00:00:00 2001
From: apichick
Date: Thu, 19 Sep 2024 12:29:01 +0200
Subject: [PATCH] Secure source manager (#2569)

* Added secure-source-manager-instance module
* Fixes after review
---
 README.md | 2 +-
 modules/README.md | 1 +
 .../secure-source-manager-instance/README.md | 179 ++++++++++++++++++
 modules/secure-source-manager-instance/iam.tf | 80 ++++++++
 .../secure-source-manager-instance/main.tf | 47 +++++
 .../secure-source-manager-instance/outputs.tf | 35 ++++
 .../variables-iam.tf | 39 ++++
 .../variables.tf | 71 +++++++
 .../versions.tf | 29 +++
 .../examples/iam-bindings-additive.yaml | 56 ++++++
 .../examples/iam-bindings.yaml | 46 +++++
 .../examples/iam.yaml | 56 ++++++
 .../examples/private-instance.yaml | 42 ++++
 .../examples/public-instance-with-cmek.yaml | 40 ++++
 .../examples/public-instance.yaml | 40 ++++
 15 files changed, 762 insertions(+), 1 deletion(-)
 create mode 100644 modules/secure-source-manager-instance/README.md
 create mode 100644 modules/secure-source-manager-instance/iam.tf
 create mode 100644 modules/secure-source-manager-instance/main.tf
 create mode 100644 modules/secure-source-manager-instance/outputs.tf
 create mode 100644 modules/secure-source-manager-instance/variables-iam.tf
 create mode 100644 modules/secure-source-manager-instance/variables.tf
 create mode 100644 modules/secure-source-manager-instance/versions.tf
 create mode 100644 tests/modules/secure_source_manager_instance/examples/iam-bindings-additive.yaml
 create mode 100644 tests/modules/secure_source_manager_instance/examples/iam-bindings.yaml
 create mode 100644 tests/modules/secure_source_manager_instance/examples/iam.yaml
 create mode 100644 tests/modules/secure_source_manager_instance/examples/private-instance.yaml
 create mode 100644 tests/modules/secure_source_manager_instance/examples/public-instance-with-cmek.yaml
 create mode 100644 tests/modules/secure_source_manager_instance/examples/public-instance.yaml
diff --git a/README.md b/README.md
index b7e598589..39410b8b8 100644
--- a/README.md
+++ b/README.md
@@ -34,7 +34,7 @@ Currently available modules:
 - **networking** - [DNS](./modules/dns), [DNS Response Policy](./modules/dns-response-policy/), [Cloud Endpoints](./modules/endpoints), [address reservation](./modules/net-address), [NAT](./modules/net-cloudnat), [VLAN Attachment](./modules/net-vlan-attachment/), [External Application LB](./modules/net-lb-app-ext/), [External Passthrough Network LB](./modules/net-lb-ext), [External Regional Application Load Balancer](./modules/net-lb-app-ext-regional/), [Firewall policy](./modules/net-firewall-policy), [Internal Application LB](./modules/net-lb-app-int), [Cross-region Internal Application LB](./modules/net-lb-app-int-cross-region), [Internal Passthrough Network LB](./modules/net-lb-int), [Internal Proxy Network LB](./modules/net-lb-proxy-int), [IPSec over Interconnect](./modules/net-ipsec-over-interconnect), [VPC](./modules/net-vpc), [VPC firewall](./modules/net-vpc-firewall), [VPC peering](./modules/net-vpc-peering), [VPN dynamic](./modules/net-vpn-dynamic), [HA VPN](./modules/net-vpn-ha), [VPN static](./modules/net-vpn-static), [Service Directory](./modules/service-directory), [Secure Web Proxy](./modules/net-swp)
 - **compute** - [VM/VM group](./modules/compute-vm), [MIG](./modules/compute-mig), [COS container](./modules/cloud-config-container/cos-generic-metadata/) (coredns, mysql, onprem, squid), [GKE cluster](./modules/gke-cluster-standard), [GKE hub](./modules/gke-hub), [GKE nodepool](./modules/gke-nodepool), [GCVE private cloud](./modules/gcve-private-cloud)
 - **data** - [Analytics Hub](./modules/analytics-hub), [BigQuery dataset](./modules/bigquery-dataset), [Bigtable instance](./modules/bigtable-instance), [Dataplex](./modules/dataplex), [Dataplex DataScan](./modules/dataplex-datascan), [Cloud SQL instance](./modules/cloudsql-instance), [Spanner instance](./modules/spanner-instance), [Firestore](./modules/firestore), [Data Catalog Policy Tag](./modules/data-catalog-policy-tag), [Data Catalog Tag](./modules/data-catalog-tag), [Data Catalog Tag Template](./modules/data-catalog-tag-template), [Datafusion](./modules/datafusion), [Dataproc](./modules/dataproc), [GCS](./modules/gcs), [Pub/Sub](./modules/pubsub), [Dataform Repository](./modules/dataform-repository/)
-- **development** - [API Gateway](./modules/api-gateway), [Apigee](./modules/apigee), [Artifact Registry](./modules/artifact-registry), [Container Registry](./modules/container-registry), [Cloud Source Repository](./modules/source-repository), [Workstation cluster](./modules/workstation-cluster)
+- **development** - [API Gateway](./modules/api-gateway), [Apigee](./modules/apigee), [Artifact Registry](./modules/artifact-registry), [Container Registry](./modules/container-registry), [Cloud Source Repository](./modules/source-repository), [Secure Source Manager instance](./modules/secure-source-manager-instance), [Workstation cluster](./modules/workstation-cluster)
 - **security** - [Binauthz](./modules/binauthz/), [Certificate Authority Service (CAS)](./modules/certificate-authority-service), [KMS](./modules/kms), [SecretManager](./modules/secret-manager), [VPC Service Control](./modules/vpc-sc), [Certificate Manager](./modules/certificate-manager/)
 - **serverless** - [Cloud Function v1](./modules/cloud-function-v1), [Cloud Function v2](./modules/cloud-function-v2), [Cloud Run](./modules/cloud-run), [Cloud Run v2](./modules/cloud-run-v2)
diff --git a/modules/README.md b/modules/README.md
index 7fc97d6b8..daf9d7ca7 100644
--- a/modules/README.md
+++ b/modules/README.md
@@ -104,6 +104,7 @@ These modules are used in the examples included in this repository. If you are u
 - [Artifact Registry](./artifact-registry)
 - [Container Registry](./container-registry)
 - [Cloud Source Repository](./source-repository)
+- [Secure Source Manager instance](./secure-source-manager-instance)
 - [Workstation cluster](./workstation-cluster)
 ## Security
diff --git a/modules/secure-source-manager-instance/README.md b/modules/secure-source-manager-instance/README.md
new file mode 100644
index 000000000..5d71d3605
--- /dev/null
+++ b/modules/secure-source-manager-instance/README.md
@@ -0,0 +1,179 @@
+# Secure Source Manager
+
+This module allows to create a Secure Source Manager instance and repositories in it. Additionally it allows creating instance IAM bindings and repository IAM bindings.
+
+## Examples
+
+
+- [Examples](#examples)
+ - [Public instance](#public-instance)
+ - [Public instance with CMEK](#public-instance-with-cmek)
+ - [Private instance](#private-instance)
+ - [IAM](#iam)
+- [Variables](#variables)
+- [Outputs](#outputs)
+
+
+### Public instance
+
+```hcl
+module "ssm_instance" {
+ source = "./fabric/modules/secure-source-manager-instance"
+ project_id = var.project_id
+ instance_id = "my-instance"
+ location = var.region
+ repositories = {
+ my-repository = {
+ location = var.region
+ }
+ }
+}
+# tftest modules=1 resources=2 inventory=public-instance.yaml
+```
+
+### Public instance with CMEK
+
+```hcl
+module "ssm_instance" {
+ source = "./fabric/modules/secure-source-manager-instance"
+ project_id = var.project_id
+ instance_id = "my-instance"
+ location = var.region
+ kms_key = "projects/another-project-id/locations/${var.region}/keyRings/my-key-ring/cryptoKeys/my-key"
+ repositories = {
+ my-repository = {
+ location = var.region
+ }
+ }
+}
+# tftest modules=1 resources=2 inventory=public-instance-with-cmek.yaml
+```
+
+### Private instance
+
+```hcl
+module "ssm_instance" {
+ source = "./fabric/modules/secure-source-manager-instance"
+ project_id = var.project_id
+ instance_id = "my-instance"
+ location = var.region
+ ca_pool = "projects/another-project/locations/${var.region}/caPools/my-ca-pool"
+ repositories = {
+ my-repository = {
+ location = var.region
+ }
+ }
+}
+# tftest modules=1 resources=2 inventory=private-instance.yaml
+```
+
+### IAM
+
+```hcl
+module "ssm_instance" {
+ source = "./fabric/modules/secure-source-manager-instance"
+ project_id = var.project_id
+ instance_id = "my-instance"
+ location = var.region
+ iam = {
+ "roles/securesourcemanager.instanceOwner" = [
+ "group:my-instance-admins@myorg.com"
+ ]
+ }
+ repositories = {
+ my-repository = {
+ location = var.region
+ iam = {
+ "roles/securesourcemanager.repoAdmin" = [
+ "group:my-repo-admins@myorg.com"
+ ]
+ }
+ }
+ }
+}
+# tftest modules=1 resources=4 inventory=iam.yaml
+```
+
+```hcl
+
+module "ssm_instance" {
+ source = "./fabric/modules/secure-source-manager-instance"
+ project_id = var.project_id
+ instance_id = "my-instance"
+ location = var.region
+ iam_bindings_additive = {
+ my-instance-admin = {
+ role = "roles/securesourcemanager.instanceOwner"
+ member = "group:my-instance-admins@myorg.com"
+ }
+ }
+ repositories = {
+ my-repository = {
+ location = var.region
+ iam_bindings_additive = {
+ my-repository-admin = {
+ role = "roles/securesourcemanager.repoAdmin"
+ member = "group:my-repo-admins@myorg.com"
+ }
+ }
+ }
+ }
+}
+# tftest modules=1 resources=4 inventory=iam-bindings.yaml
+```
+
+```hcl
+module "ssm_instance" {
+ source = "./fabric/modules/secure-source-manager-instance"
+ project_id = var.project_id
+ instance_id = "my-instance"
+ location = var.region
+ iam_bindings = {
+ my-instance-admin = {
+ role = "roles/securesourcemanager.instanceOwner"
+ members = [
+ "group:my-instance-admins@myorg.com"
+ ]
+ }
+ }
+ repositories = {
+ my-repository = {
+ location = var.region
+ iam_bindings = {
+ my-repository-admin = {
+ role = "roles/securesourcemanager.repoAdmin"
+ members = [
+ "group:my-repo-admins@myorg.com"
+ ]
+ }
+ }
+ }
+ }
+}
+# tftest modules=1 resources=4 inventory=iam-bindings-additive.yaml
+```
+
+## Variables
+
+| name | description | type | required | default |
+|---|---|:---:|:---:|:---:|
+| [instance_id](variables.tf#L23) | Instance ID. | string | ✓ | |
+| [location](variables.tf#L40) | Location. | string | ✓ | |
+| [project_id](variables.tf#L45) | Project ID. | string | ✓ | |
+| [repositories](variables.tf#L50) | Repositories. | map(object({…})) | ✓ | |
+| [ca_pool](variables.tf#L17) | CA pool. | string | | null |
+| [iam](variables-iam.tf#L17) | IAM bindings. | map(list(string)) | | {} |
+| [iam_bindings](variables-iam.tf#L23) | IAM bindings. | map(object({…})) | | {} |
+| [iam_bindings_additive](variables-iam.tf#L32) | IAM bindings. | map(object({…})) | | {} |
+| [kms_key](variables.tf#L28) | KMS key. | string | | null |
+| [labels](variables.tf#L34) | Instance labels. | map(string) | | {} |
+
+## Outputs
+
+| name | description | sensitive |
+|---|---|:---:|
+| [instance](outputs.tf#L17) | Instance. | |
+| [instance_id](outputs.tf#L22) | Instance id. | |
+| [repositories](outputs.tf#L27) | Repositories. | |
+| [repository_ids](outputs.tf#L32) | Repository ids. | |
+
diff --git a/modules/secure-source-manager-instance/iam.tf b/modules/secure-source-manager-instance/iam.tf
new file mode 100644
index 000000000..da159aa22
--- /dev/null
+++ b/modules/secure-source-manager-instance/iam.tf
@@ -0,0 +1,80 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ repository_iam = merge([for k1, v1 in var.repositories : { for k2, v2 in v1.iam :
+ "${k1}.${k2}" => {
+ repository = k1
+ role = k2
+ members = v2
+ } }]...)
+ repository_iam_bindings = merge([for k1, v1 in var.repositories : { for k2, v2 in v1.iam_bindings :
+ "${k1}.${k2}" => merge(v2, {
+ repository = k1
+ }) }]...)
+ repository_iam_bindings_additive = merge([for k1, v1 in var.repositories : { for k2, v2 in v1.iam_bindings_additive :
+ "${k1}.${k2}" => merge(v2, {
+ repository = k1
+ }) }]...)
+}
+
+resource "google_secure_source_manager_instance_iam_binding" "authoritative" {
+ for_each = var.iam
+ project = google_secure_source_manager_instance.instance.project
+ instance_id = google_secure_source_manager_instance.instance.instance_id
+ role = each.key
+ members = each.value
+}
+
+resource "google_secure_source_manager_instance_iam_binding" "bindings" {
+ for_each = var.iam_bindings
+ project = google_secure_source_manager_instance.instance.project
+ instance_id = google_secure_source_manager_instance.instance.instance_id
+ role = each.value.role
+ members = each.value.members
+}
+
+resource "google_secure_source_manager_instance_iam_member" "bindings" {
+ for_each = var.iam_bindings_additive
+ project = google_secure_source_manager_instance.instance.project
+ instance_id = google_secure_source_manager_instance.instance.instance_id
+ role = each.value.role
+ member = each.value.member
+}
+
+resource "google_secure_source_manager_repository_iam_binding" "authoritative" {
+ for_each = local.repository_iam
+ project = google_secure_source_manager_repository.repositories[each.value.repository].project
+ repository_id = google_secure_source_manager_repository.repositories[each.value.repository].repository_id
+ role = each.value.role
+ members = each.value.members
+}
+
+resource "google_secure_source_manager_repository_iam_binding" "bindings" {
+ for_each = local.repository_iam_bindings
+ project = google_secure_source_manager_repository.repositories[each.value.repository].project
+ repository_id = google_secure_source_manager_repository.repositories[each.value.repository].repository_id
+ role = each.value.role
+ members = each.value.members
+}
+
+resource "google_secure_source_manager_repository_iam_member" "bindings" {
+ for_each = local.repository_iam_bindings_additive
+ project = google_secure_source_manager_repository.repositories[each.value.repository].project
+ repository_id = google_secure_source_manager_repository.repositories[each.value.repository].repository_id
+ role = each.value.role
+ member = each.value.member
+}
diff --git a/modules/secure-source-manager-instance/main.tf b/modules/secure-source-manager-instance/main.tf
new file mode 100644
index 000000000..0ef58549d
--- /dev/null
+++ b/modules/secure-source-manager-instance/main.tf
@@ -0,0 +1,47 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_secure_source_manager_instance" "instance" {
+ instance_id = var.instance_id
+ project = var.project_id
+ location = var.location
+ labels = var.labels
+ kms_key = var.kms_key
+ dynamic "private_config" {
+ for_each = var.ca_pool == null ? [] : [""]
+ content {
+ is_private = true
+ ca_pool = var.ca_pool
+ }
+ }
+}
+
+resource "google_secure_source_manager_repository" "repositories" {
+ for_each = var.repositories
+ repository_id = each.key
+ instance = google_secure_source_manager_instance.instance.name
+ project = var.project_id
+ location = each.value.location
+ dynamic "initial_config" {
+ for_each = each.value.initial_config == null ? [] : [""]
+ content {
+ default_branch = each.value.initial_config.default_branch
+ gitignores = each.value.initial_config.gitignores
+ license = each.value.initial_config.license
+ readme = each.value.initial_config.readme
+ }
+ }
+}
\ No newline at end of file
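Review bot: Nothing stops the same role from appearing in both `var.iam` and `var.iam_bindings`, yet `google_secure_source_manager_instance_iam_binding.authoritative` and `.bindings` are both authoritative per role, so two resources would own one role and each apply would rewrite the other's member list; an `_iam_member` from `var.iam_bindings_additive` for a role that either of them manages is likewise removed again on the next apply. A `lifecycle` precondition on the authoritative resource rejects the first case at plan time, and the same guard fits the repository-level `authoritative`/`bindings` pair, which is keyed by `each.value.role` rather than `each.key`. The module README should also state that mixing authoritative and additive bindings for one role gives non-deterministic results.
```hcl
resource "google_secure_source_manager_instance_iam_binding" "authoritative" {
  for_each    = var.iam
  # … unchanged: project, instance_id, role, members …
  lifecycle {
    precondition {
      condition     = !contains([for v in var.iam_bindings : v.role], each.key)
      error_message = "The same role cannot be managed via both var.iam and var.iam_bindings."
    }
  }
}
```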
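Review bot: `google_secure_source_manager_repository.repositories` never passes the `description` that `var.repositories` declares as `optional(string)`, so a caller-supplied description is silently dropped; every test inventory in this commit shows `description: null` for the repository. Add `description = each.value.description` next to `repository_id = each.key`. The repository also reads `project = var.project_id` while the IAM resources in iam.tf take the project from the instance resource; either is fine, but picking one source keeps the module consistent.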
diff --git a/modules/secure-source-manager-instance/outputs.tf b/modules/secure-source-manager-instance/outputs.tf
new file mode 100644
index 000000000..5ce9600c9
--- /dev/null
+++ b/modules/secure-source-manager-instance/outputs.tf
@@ -0,0 +1,35 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "instance" {
+ description = "Instance."
+ value = google_secure_source_manager_instance.instance
+}
+
+output "instance_id" {
+ description = "Instance id."
+ value = google_secure_source_manager_instance.instance.id
+}
+
+output "repositories" {
+ description = "Repositories."
+ value = google_secure_source_manager_repository.repositories
+}
+
+output "repository_ids" {
+ description = "Repository ids."
+ value = { for k, v in google_secure_source_manager_repository.repositories : k => v.id }
+}
diff --git a/modules/secure-source-manager-instance/variables-iam.tf b/modules/secure-source-manager-instance/variables-iam.tf
new file mode 100644
index 000000000..253c797fe
--- /dev/null
+++ b/modules/secure-source-manager-instance/variables-iam.tf
@@ -0,0 +1,39 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "iam" {
+ description = "IAM bindings."
+ type = map(list(string))
+ default = {}
+}
+
+variable "iam_bindings" {
+ description = "IAM bindings."
+ type = map(object({
+ role = string
+ members = list(string)
+ }))
+ default = {}
+}
+
+variable "iam_bindings_additive" {
+ description = "IAM bindings."
+ type = map(object({
+ role = string
+ member = string
+ }))
+ default = {}
+}
\ No newline at end of file
diff --git a/modules/secure-source-manager-instance/variables.tf b/modules/secure-source-manager-instance/variables.tf
new file mode 100644
index 000000000..ef0e5f7a8
--- /dev/null
+++ b/modules/secure-source-manager-instance/variables.tf
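Review bot: The variables `iam`, `iam_bindings` and `iam_bindings_additive` all carry the same description, `"IAM bindings."`, so the generated README table cannot tell a reader that the first two are applied authoritatively per role (both feed `google_secure_source_manager_instance_iam_binding` in iam.tf) while the third adds single members. Suggested descriptions: `description = "IAM bindings in {ROLE => [MEMBERS]} format."`, `description = "Authoritative IAM bindings in {KEY => {role = ROLE, members = [MEMBERS]}} format."` and `description = "Individual additive IAM bindings in {KEY => {role = ROLE, member = MEMBER}} format."`. The object types also expose no `condition` attribute even though the test inventories show the provider resources accept one (`condition: []`), so conditional bindings cannot be expressed through this module; if that is intentional it deserves a sentence in the descriptions.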
@@ -0,0 +1,71 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "ca_pool" {
+ description = "CA pool."
+ type = string
+ default = null
+}
+
+variable "instance_id" {
+ description = "Instance ID."
+ type = string
+}
+
+variable "kms_key" {
+ description = "KMS key."
+ type = string
+ default = null
+}
+
+variable "labels" {
+ description = "Instance labels."
+ type = map(string)
+ default = {}
+}
+
+variable "location" {
+ description = "Location."
+ type = string
+}
+
+variable "project_id" {
+ description = "Project ID."
+ type = string
+}
+
+variable "repositories" {
+ description = "Repositories."
+ type = map(object({
+ description = optional(string)
+ iam = optional(map(list(string)), {})
+ iam_bindings = optional(map(object({
+ role = string
+ members = list(string)
+ })), {})
+ iam_bindings_additive = optional(map(object({
+ role = string
+ member = string
+ })), {})
+ initial_config = optional(object({
+ default_branch = optional(string)
+ gitignores = optional(string)
+ license = optional(string)
+ readme = optional(string)
+ }))
+ location = string
+ }))
+}
diff --git a/modules/secure-source-manager-instance/versions.tf b/modules/secure-source-manager-instance/versions.tf
new file mode 100644
index 000000000..f569ce5af
--- /dev/null
+++ b/modules/secure-source-manager-instance/versions.tf
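Review bot: `ca_pool` and `kms_key` are documented only as `"CA pool."` and `"KMS key."`, which says nothing about the expected format or the effect of setting them, while main.tf turns the instance private whenever `ca_pool` is non-null and the README examples pass full resource names for both. Suggested: `description = "Full resource name of the CA pool (projects/.../locations/.../caPools/...). Setting it creates a private instance."` and `description = "Full resource name of the KMS key (projects/.../cryptoKeys/...) used for CMEK encryption of the instance."`. The per-repository `location` attribute could likewise say whether it has to match the instance `location`; the examples always use the same value, but the module does not check it.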
@@ -0,0 +1,29 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Fabric release: v35.0.0
+
+terraform {
+ required_version = ">= 1.7.4"
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = ">= 6.1.0, < 7.0.0" # tftest
+ }
+ google-beta = {
+ source = "hashicorp/google-beta"
+ version = ">= 6.1.0, < 7.0.0" # tftest
+ }
+ }
+}
diff --git a/tests/modules/secure_source_manager_instance/examples/iam-bindings-additive.yaml b/tests/modules/secure_source_manager_instance/examples/iam-bindings-additive.yaml
new file mode 100644
index 000000000..a81bbd30b
--- /dev/null
+++ b/tests/modules/secure_source_manager_instance/examples/iam-bindings-additive.yaml
@@ -0,0 +1,56 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.ssm_instance.google_secure_source_manager_instance.instance:
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ instance_id: my-instance
+ kms_key: null
+ labels: null
+ location: europe-west8
+ private_config: []
+ project: project-id
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ module.ssm_instance.google_secure_source_manager_instance_iam_binding.bindings["my-instance-admin"]:
+ condition: []
+ instance_id: my-instance
+ members:
+ - group:my-instance-admins@myorg.com
+ project: project-id
+ role: roles/securesourcemanager.instanceOwner
+ module.ssm_instance.google_secure_source_manager_repository.repositories["my-repository"]:
+ description: null
+ initial_config: []
+ location: europe-west8
+ project: project-id
+ repository_id: my-repository
+ timeouts: null
+ module.ssm_instance.google_secure_source_manager_repository_iam_binding.bindings["my-repository.my-repository-admin"]:
+ condition: []
+ members:
+ - group:my-repo-admins@myorg.com
+ project: project-id
+ repository_id: my-repository
+ role: roles/securesourcemanager.repoAdmin
+
+counts:
+ google_secure_source_manager_instance: 1
+ google_secure_source_manager_instance_iam_binding: 1
+ google_secure_source_manager_repository: 1
+ google_secure_source_manager_repository_iam_binding: 1
+ modules: 1
+ resources: 4
\ No newline at end of file
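Review bot: This file, named iam-bindings-additive.yaml, holds the inventory of the `iam_bindings` example (`google_secure_source_manager_instance_iam_binding.bindings`, `..._repository_iam_binding.bindings`), while iam-bindings.yaml in the next file section holds the `_iam_member.bindings` resources produced by `iam_bindings_additive`. The README's `# tftest … inventory=` tags match that crossed layout (the additive example points at iam-bindings.yaml and the authoritative one at iam-bindings-additive.yaml), so the tests pass but anyone reading a fixture by name gets the opposite case. Either swap the two `inventory=` references in the README and rename the files, or rename them so the name follows the content.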
diff --git a/tests/modules/secure_source_manager_instance/examples/iam-bindings.yaml b/tests/modules/secure_source_manager_instance/examples/iam-bindings.yaml
new file mode 100644
index 000000000..bbf36cd4c
--- /dev/null
+++ b/tests/modules/secure_source_manager_instance/examples/iam-bindings.yaml
@@ -0,0 +1,46 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.ssm_instance.google_secure_source_manager_instance.instance:
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ instance_id: my-instance
+ kms_key: null
+ labels: null
+ location: europe-west8
+ private_config: []
+ project: project-id
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ module.ssm_instance.google_secure_source_manager_instance_iam_member.bindings["my-instance-admin"]:
+ condition: []
+ instance_id: my-instance
+ member: group:my-instance-admins@myorg.com
+ project: project-id
+ role: roles/securesourcemanager.instanceOwner
+ module.ssm_instance.google_secure_source_manager_repository.repositories["my-repository"]:
+ description: null
+ initial_config: []
+ location: europe-west8
+ project: project-id
+ repository_id: my-repository
+ timeouts: null
+ module.ssm_instance.google_secure_source_manager_repository_iam_member.bindings["my-repository.my-repository-admin"]:
+ condition: []
+ member: group:my-repo-admins@myorg.com
+ project: project-id
+ repository_id: my-repository
+ role: roles/securesourcemanager.repoAdmin
\ No newline at end of file
diff --git a/tests/modules/secure_source_manager_instance/examples/iam.yaml b/tests/modules/secure_source_manager_instance/examples/iam.yaml
new file mode 100644
index 000000000..6dae43789
--- /dev/null
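Review bot: This inventory is the only one of the six in the commit without a `counts:` section, so the `iam_bindings_additive` example never asserts how many `_iam_member` resources the module creates; an extra or missing binding would go unnoticed as long as the listed `values` still match. Add the block the other files carry, with the `_iam_member` resource types in place of `_iam_binding`, so the count of 4 resources that the README's `# tftest … resources=4` tag promises is checked here too.
```yaml
# … unchanged: values section …
counts:
  google_secure_source_manager_instance: 1
  google_secure_source_manager_instance_iam_member: 1
  google_secure_source_manager_repository: 1
  google_secure_source_manager_repository_iam_member: 1
  modules: 1
  resources: 4
```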
+++ b/tests/modules/secure_source_manager_instance/examples/iam.yaml 
@@ -0,0 +1,56 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.ssm_instance.google_secure_source_manager_instance.instance:
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ instance_id: my-instance
+ kms_key: null
+ labels: null
+ location: europe-west8
+ private_config: []
+ project: project-id
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ ? module.ssm_instance.google_secure_source_manager_instance_iam_binding.authoritative["roles/securesourcemanager.instanceOwner"]
+ : condition: []
+ instance_id: my-instance
+ members:
+ - group:my-instance-admins@myorg.com
+ project: project-id
+ role: roles/securesourcemanager.instanceOwner
+ module.ssm_instance.google_secure_source_manager_repository.repositories["my-repository"]:
+ description: null
+ initial_config: []
+ location: europe-west8
+ project: project-id
+ repository_id: my-repository
+ timeouts: null
+ ? module.ssm_instance.google_secure_source_manager_repository_iam_binding.authoritative["my-repository.roles/securesourcemanager.repoAdmin"]
+ : condition: []
+ members:
+ - group:my-repo-admins@myorg.com
+ project: project-id
+ repository_id: my-repository
+ role: roles/securesourcemanager.repoAdmin
+
+counts:
+ google_secure_source_manager_instance: 1
+ google_secure_source_manager_instance_iam_binding: 1
+ google_secure_source_manager_repository: 1
+ google_secure_source_manager_repository_iam_binding: 1
+ modules: 1
+ resources: 4
\ No newline at end of file
diff --git a/tests/modules/secure_source_manager_instance/examples/private-instance.yaml b/tests/modules/secure_source_manager_instance/examples/private-instance.yaml
new file mode 100644
index 000000000..1c0537a3f
--- /dev/null
+++ b/tests/modules/secure_source_manager_instance/examples/private-instance.yaml
@@ -0,0 +1,42 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.ssm_instance.google_secure_source_manager_instance.instance:
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ instance_id: my-instance
+ kms_key: null
+ labels: null
+ location: europe-west8
+ private_config:
+ - ca_pool: projects/another-project/locations/europe-west8/caPools/my-ca-pool
+ is_private: true
+ project: project-id
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ module.ssm_instance.google_secure_source_manager_repository.repositories["my-repository"]:
+ description: null
+ initial_config: []
+ location: europe-west8
+ project: project-id
+ repository_id: my-repository
+ timeouts: null
+
+counts:
+ google_secure_source_manager_instance: 1
+ google_secure_source_manager_repository: 1
+ modules: 1
+ resources: 2
\ No newline at end of file
diff --git a/tests/modules/secure_source_manager_instance/examples/public-instance-with-cmek.yaml b/tests/modules/secure_source_manager_instance/examples/public-instance-with-cmek.yaml
new file mode 100644
index 000000000..a4071b2c1
--- /dev/null
+++ b/tests/modules/secure_source_manager_instance/examples/public-instance-with-cmek.yaml
@@ -0,0 +1,40 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.ssm_instance.google_secure_source_manager_instance.instance:
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ instance_id: my-instance
+ kms_key: projects/another-project-id/locations/europe-west8/keyRings/my-key-ring/cryptoKeys/my-key
+ labels: null
+ location: europe-west8
+ private_config: []
+ project: project-id
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ module.ssm_instance.google_secure_source_manager_repository.repositories["my-repository"]:
+ description: null
+ initial_config: []
+ location: europe-west8
+ project: project-id
+ repository_id: my-repository
+ timeouts: null
+
+counts:
+ google_secure_source_manager_instance: 1
+ google_secure_source_manager_repository: 1
+ modules: 1
+ resources: 2
\ No newline at end of file
diff --git a/tests/modules/secure_source_manager_instance/examples/public-instance.yaml b/tests/modules/secure_source_manager_instance/examples/public-instance.yaml
new file mode 100644
index 000000000..7856ca1ab
--- /dev/null
+++ b/tests/modules/secure_source_manager_instance/examples/public-instance.yaml
@@ -0,0 +1,40 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.ssm_instance.google_secure_source_manager_instance.instance:
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ instance_id: my-instance
+ kms_key: null
+ labels: null
+ location: europe-west8
+ private_config: []
+ project: project-id
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ module.ssm_instance.google_secure_source_manager_repository.repositories["my-repository"]:
+ description: null
+ initial_config: []
+ location: europe-west8
+ project: project-id
+ repository_id: my-repository
+ timeouts: null
+
+counts:
+ google_secure_source_manager_instance: 1
+ google_secure_source_manager_repository: 1
+ modules: 1
+ resources: 2
\ No newline at end of file