Add tests for service agents iam_emails

tests/modules/project/service_agents.tfvars

@@ -0,0 +1,25 @@
+services = [
+  "container.googleapis.com",
+  "run.googleapis.com"
+]
+shared_vpc_service_config = {
+  host_project = "host-project"
+  service_agent_iam = {
+    "roles/compute.networkUser" = [
+      "$service_agents:cloudservices", "$service_agents:container-engine"
+    ]
+    "roles/vpcaccess.user" = [
+      "$service_agents:cloudrun"
+    ]
+    "roles/container.hostServiceAgentUser" = [
+      "$service_agents:container-engine"
+    ]
+  }
+}
+project_reuse = {
+  use_data_source = false
+  attributes = {
+    name   = "my-project"
+    number = 12345
+  }
+}

tests/modules/project/service_agents.yaml

@@ -0,0 +1,158 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  google_compute_shared_vpc_service_project.shared_vpc_service[0]:
+    host_project: host-project
+    service_project: my-project
+  google_project_iam_member.service_agents["container-engine-robot"]:
+    condition: []
+    member: serviceAccount:service-12345@container-engine-robot.iam.gserviceaccount.com
+    project: my-project
+    role: roles/container.serviceAgent
+  google_project_iam_member.service_agents["gkenode"]:
+    condition: []
+    member: serviceAccount:service-12345@gcp-sa-gkenode.iam.gserviceaccount.com
+    project: my-project
+    role: roles/container.defaultNodeServiceAgent
+  google_project_iam_member.service_agents["serverless-robot-prod"]:
+    condition: []
+    member: serviceAccount:service-12345@serverless-robot-prod.iam.gserviceaccount.com
+    project: my-project
+    role: roles/run.serviceAgent
+  google_project_iam_member.shared_vpc_host_robots["roles/compute.networkUser:cloudservices"]:
+    condition: []
+    member: serviceAccount:12345@cloudservices.gserviceaccount.com
+    project: host-project
+    role: roles/compute.networkUser
+  google_project_iam_member.shared_vpc_host_robots["roles/compute.networkUser:container-engine"]:
+    condition: []
+    member: serviceAccount:service-12345@container-engine-robot.iam.gserviceaccount.com
+    project: host-project
+    role: roles/compute.networkUser
+  google_project_iam_member.shared_vpc_host_robots["roles/container.hostServiceAgentUser:container-engine"]:
+    condition: []
+    member: serviceAccount:service-12345@container-engine-robot.iam.gserviceaccount.com
+    project: host-project
+    role: roles/container.hostServiceAgentUser
+  google_project_iam_member.shared_vpc_host_robots["roles/vpcaccess.user:cloudrun"]:
+    condition: []
+    member: serviceAccount:service-12345@serverless-robot-prod.iam.gserviceaccount.com
+    project: host-project
+    role: roles/vpcaccess.user
+  google_project_service.project_services["container.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: my-project
+    service: container.googleapis.com
+    timeouts: null
+  google_project_service.project_services["run.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: my-project
+    service: run.googleapis.com
+    timeouts: null
+  google_project_service_identity.default["container.googleapis.com"]:
+    project: my-project
+    service: container.googleapis.com
+    timeouts: null
+  google_project_service_identity.default["run.googleapis.com"]:
+    project: my-project
+    service: run.googleapis.com
+    timeouts: null
+
+outputs:
+  default_service_accounts:
+    compute: 12345-compute@developer.gserviceaccount.com
+    gae: my-project@appspot.gserviceaccount.com
+  id: my-project
+  name: my-project
+  number: 12345
+  project_id: my-project
+  service_agents:
+    cloudrun:
+      api: run.googleapis.com
+      display_name: Google Cloud Run Service Agent
+      email: service-12345@serverless-robot-prod.iam.gserviceaccount.com
+      iam_email: serviceAccount:service-12345@serverless-robot-prod.iam.gserviceaccount.com
+      is_primary: true
+      name: serverless-robot-prod
+      role: roles/run.serviceAgent
+    cloudservices:
+      api: null
+      display_name: Google APIs Service Agent
+      email: 12345@cloudservices.gserviceaccount.com
+      iam_email: serviceAccount:12345@cloudservices.gserviceaccount.com
+      is_primary: false
+      name: cloudservices
+      role: null
+    cloudsvc:
+      api: null
+      display_name: Google APIs Service Agent
+      email: 12345@cloudservices.gserviceaccount.com
+      iam_email: serviceAccount:12345@cloudservices.gserviceaccount.com
+      is_primary: false
+      name: cloudservices
+      role: null
+    container:
+      api: container.googleapis.com
+      display_name: Kubernetes Engine Service Agent
+      email: service-12345@container-engine-robot.iam.gserviceaccount.com
+      iam_email: serviceAccount:service-12345@container-engine-robot.iam.gserviceaccount.com
+      is_primary: true
+      name: container-engine-robot
+      role: roles/container.serviceAgent
+    container-engine:
+      api: container.googleapis.com
+      display_name: Kubernetes Engine Service Agent
+      email: service-12345@container-engine-robot.iam.gserviceaccount.com
+      iam_email: serviceAccount:service-12345@container-engine-robot.iam.gserviceaccount.com
+      is_primary: true
+      name: container-engine-robot
+      role: roles/container.serviceAgent
+    container-engine-robot:
+      api: container.googleapis.com
+      display_name: Kubernetes Engine Service Agent
+      email: service-12345@container-engine-robot.iam.gserviceaccount.com
+      iam_email: serviceAccount:service-12345@container-engine-robot.iam.gserviceaccount.com
+      is_primary: true
+      name: container-engine-robot
+      role: roles/container.serviceAgent
+    gkenode:
+      api: container.googleapis.com
+      display_name: Kubernetes Engine Node Service Agent
+      email: service-12345@gcp-sa-gkenode.iam.gserviceaccount.com
+      iam_email: serviceAccount:service-12345@gcp-sa-gkenode.iam.gserviceaccount.com
+      is_primary: false
+      name: gkenode
+      role: roles/container.defaultNodeServiceAgent
+    run:
+      api: run.googleapis.com
+      display_name: Google Cloud Run Service Agent
+      email: service-12345@serverless-robot-prod.iam.gserviceaccount.com
+      iam_email: serviceAccount:service-12345@serverless-robot-prod.iam.gserviceaccount.com
+      is_primary: true
+      name: serverless-robot-prod
+      role: roles/run.serviceAgent
+    serverless-robot-prod:
+      api: run.googleapis.com
+      display_name: Google Cloud Run Service Agent
+      email: service-12345@serverless-robot-prod.iam.gserviceaccount.com
+      iam_email: serviceAccount:service-12345@serverless-robot-prod.iam.gserviceaccount.com
+      is_primary: true
+      name: serverless-robot-prod
+      role: roles/run.serviceAgent
+  services:
+  - container.googleapis.com
+  - run.googleapis.com

tests/modules/project/service_agents_universe.tfvars

@@ -0,0 +1,32 @@
+services = [
+  "container.googleapis.com",
+  "run.googleapis.com"
+]
+shared_vpc_service_config = {
+  host_project = "host-project"
+  service_agent_iam = {
+    "roles/compute.networkUser" = [
+      "$service_agents:cloudservices", "$service_agents:container-engine"
+    ]
+    "roles/vpcaccess.user" = [
+      "$service_agents:cloudrun"
+    ]
+    "roles/container.hostServiceAgentUser" = [
+      "$service_agents:container-engine"
+    ]
+  }
+}
+project_reuse = {
+  use_data_source = false
+  attributes = {
+    name   = "my-project"
+    number = 12345
+  }
+}
+universe = {
+  prefix = "alpha"
+  unavailable_services = [
+    "xxx.googleapis.com",
+    "yyy.googleapis.com"
+  ]
+}

tests/modules/project/service_agents_universe.yaml

@@ -0,0 +1,160 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  google_compute_shared_vpc_service_project.shared_vpc_service[0]:
+    deletion_policy: null
+    host_project: host-project
+    service_project: alpha:my-project
+    timeouts: null
+  google_project_iam_member.service_agents["container-engine-robot"]:
+    condition: []
+    member: serviceAccount:service-12345@container-engine-robot.alpha-system.iam.gserviceaccount.com
+    project: alpha:my-project
+    role: roles/container.serviceAgent
+  google_project_iam_member.service_agents["gkenode"]:
+    condition: []
+    member: serviceAccount:service-12345@gcp-sa-gkenode.alpha-system.iam.gserviceaccount.com
+    project: alpha:my-project
+    role: roles/container.defaultNodeServiceAgent
+  google_project_iam_member.service_agents["serverless-robot-prod"]:
+    condition: []
+    member: serviceAccount:service-12345@serverless-robot-prod.alpha-system.iam.gserviceaccount.com
+    project: alpha:my-project
+    role: roles/run.serviceAgent
+  google_project_iam_member.shared_vpc_host_robots["roles/compute.networkUser:cloudservices"]:
+    condition: []
+    member: serviceAccount:12345@cloudservices.alpha-system.iam.gserviceaccount.com
+    project: host-project
+    role: roles/compute.networkUser
+  google_project_iam_member.shared_vpc_host_robots["roles/compute.networkUser:container-engine"]:
+    condition: []
+    member: serviceAccount:service-12345@container-engine-robot.alpha-system.iam.gserviceaccount.com
+    project: host-project
+    role: roles/compute.networkUser
+  google_project_iam_member.shared_vpc_host_robots["roles/container.hostServiceAgentUser:container-engine"]:
+    condition: []
+    member: serviceAccount:service-12345@container-engine-robot.alpha-system.iam.gserviceaccount.com
+    project: host-project
+    role: roles/container.hostServiceAgentUser
+  google_project_iam_member.shared_vpc_host_robots["roles/vpcaccess.user:cloudrun"]:
+    condition: []
+    member: serviceAccount:service-12345@serverless-robot-prod.alpha-system.iam.gserviceaccount.com
+    project: host-project
+    role: roles/vpcaccess.user
+  google_project_service.project_services["container.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: alpha:my-project
+    service: container.googleapis.com
+    timeouts: null
+  google_project_service.project_services["run.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: alpha:my-project
+    service: run.googleapis.com
+    timeouts: null
+  google_project_service_identity.default["container.googleapis.com"]:
+    project: alpha:my-project
+    service: container.googleapis.com
+    timeouts: null
+  google_project_service_identity.default["run.googleapis.com"]:
+    project: alpha:my-project
+    service: run.googleapis.com
+    timeouts: null
+
+outputs:
+  default_service_accounts:
+    compute: 12345-compute@developer.gserviceaccount.com
+    gae: alpha:my-project@appspot.gserviceaccount.com
+  id: alpha:my-project
+  name: my-project
+  number: 12345
+  project_id: alpha:my-project
+  service_agents:
+    cloudrun:
+      api: run.googleapis.com
+      display_name: Google Cloud Run Service Agent
+      email: service-12345@serverless-robot-prod.alpha-system.iam.gserviceaccount.com
+      iam_email: serviceAccount:service-12345@serverless-robot-prod.alpha-system.iam.gserviceaccount.com
+      is_primary: true
+      name: serverless-robot-prod
+      role: roles/run.serviceAgent
+    cloudservices:
+      api: null
+      display_name: Google APIs Service Agent
+      email: 12345@cloudservices.alpha-system.iam.gserviceaccount.com
+      iam_email: serviceAccount:12345@cloudservices.alpha-system.iam.gserviceaccount.com
+      is_primary: false
+      name: cloudservices
+      role: null
+    cloudsvc:
+      api: null
+      display_name: Google APIs Service Agent
+      email: 12345@cloudservices.alpha-system.iam.gserviceaccount.com
+      iam_email: serviceAccount:12345@cloudservices.alpha-system.iam.gserviceaccount.com
+      is_primary: false
+      name: cloudservices
+      role: null
+    container:
+      api: container.googleapis.com
+      display_name: Kubernetes Engine Service Agent
+      email: service-12345@container-engine-robot.alpha-system.iam.gserviceaccount.com
+      iam_email: serviceAccount:service-12345@container-engine-robot.alpha-system.iam.gserviceaccount.com
+      is_primary: true
+      name: container-engine-robot
+      role: roles/container.serviceAgent
+    container-engine:
+      api: container.googleapis.com
+      display_name: Kubernetes Engine Service Agent
+      email: service-12345@container-engine-robot.alpha-system.iam.gserviceaccount.com
+      iam_email: serviceAccount:service-12345@container-engine-robot.alpha-system.iam.gserviceaccount.com
+      is_primary: true
+      name: container-engine-robot
+      role: roles/container.serviceAgent
+    container-engine-robot:
+      api: container.googleapis.com
+      display_name: Kubernetes Engine Service Agent
+      email: service-12345@container-engine-robot.alpha-system.iam.gserviceaccount.com
+      iam_email: serviceAccount:service-12345@container-engine-robot.alpha-system.iam.gserviceaccount.com
+      is_primary: true
+      name: container-engine-robot
+      role: roles/container.serviceAgent
+    gkenode:
+      api: container.googleapis.com
+      display_name: Kubernetes Engine Node Service Agent
+      email: service-12345@gcp-sa-gkenode.alpha-system.iam.gserviceaccount.com
+      iam_email: serviceAccount:service-12345@gcp-sa-gkenode.alpha-system.iam.gserviceaccount.com
+      is_primary: false
+      name: gkenode
+      role: roles/container.defaultNodeServiceAgent
+    run:
+      api: run.googleapis.com
+      display_name: Google Cloud Run Service Agent
+      email: service-12345@serverless-robot-prod.alpha-system.iam.gserviceaccount.com
+      iam_email: serviceAccount:service-12345@serverless-robot-prod.alpha-system.iam.gserviceaccount.com
+      is_primary: true
+      name: serverless-robot-prod
+      role: roles/run.serviceAgent
+    serverless-robot-prod:
+      api: run.googleapis.com
+      display_name: Google Cloud Run Service Agent
+      email: service-12345@serverless-robot-prod.alpha-system.iam.gserviceaccount.com
+      iam_email: serviceAccount:service-12345@serverless-robot-prod.alpha-system.iam.gserviceaccount.com
+      is_primary: true
+      name: serverless-robot-prod
+      role: roles/run.serviceAgent
+  services:
+  - container.googleapis.com
+  - run.googleapis.com

tests/modules/project/tftest.yaml

@@ -19,13 +19,15 @@ common_tfvars:
 
 tests:
   context:
-  prefix:
+  iam_by_principals_additive:
+  no_parent:
   no_prefix:
+  org_policies_boolean:
+  org_policies_list:
   parent_folder:
   parent_org:
-  no_parent:
+  prefix:
   service_encryption_keys:
-  org_policies_list:
-  org_policies_boolean:
-  iam_by_principals_additive:
+  service_agents:
+  service_agents_universe:
   universe: