From 8415202e734674bd5d730680126c159640c0e27a Mon Sep 17 00:00:00 2001
From: Julio Castillo <jccb@google.com>
Date: Wed, 2 Jul 2025 17:56:27 +0200
Subject: [PATCH 1/3] Fix workflow in master

---
 .github/actions/fabric-tests/action.yml | 4 ++--
 .github/workflows/tests.yml             | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/actions/fabric-tests/action.yml b/.github/actions/fabric-tests/action.yml
index f31e77e74..28a085155 100644
--- a/.github/actions/fabric-tests/action.yml
+++ b/.github/actions/fabric-tests/action.yml
@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -71,7 +71,7 @@ runs:
     - name: Pin provider versions
       shell: bash
       run: |
-        for f in $(find . -name versions.tf); do
+        for f in $(find . -name versions.tf  -o -name versions.tofu); do
           sed -i 's/>=\(.*# tftest\)/=\1/g' $f;
         done
     - name: Install Python Dependencies
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index da628acf4..106567784 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -83,7 +83,7 @@ jobs:
           mkdir -p ${{ env.TF_PLUGIN_CACHE_DIR }}
           echo 'plugin_cache_dir = "${{ env.TF_PLUGIN_CACHE_DIR }}"' | tee -a /home/runner/.terraformrc
           echo 'disable_checkpoint = true' | tee -a /home/runner/.terraformrc
-          sed -i -e 's/>=\(.*# tftest\)/=\1/g'  tools/lockfile/versions.tf
+          sed -i -e 's/>=\(.*# tftest\)/=\1/g' tools/lockfile/versions.tf tools/lockfile/versions.tofu
 
           # change terraform version to the one that is running
           sed -i 's/required_version = .*$/required_version = ">= ${{ matrix.version }}"/g' tools/lockfile/versions.tf

From 3058792b6519cf03dda1e2e4e007299dc8b53144 Mon Sep 17 00:00:00 2001
From: V0idC0de <26016825+V0idC0de@users.noreply.github.com>
Date: Wed, 2 Jul 2025 18:14:17 +0200
Subject: [PATCH 2/3] Fix for service agent substitutions in project factory
 additive bindings (#3210)

* fix: Use consistent substitution for Service Agents

Fixes broken substitution of Service Agents when calling module `project-iam`. Setting `iam_bindings` and `iam_bindings_additive` now substitutes like `iam`, where it already works.

* Fix reference

---------

Co-authored-by: Julio Castillo <jccb@google.com>
---
 modules/project-factory/main.tf | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/modules/project-factory/main.tf b/modules/project-factory/main.tf
index f9e2e9ef7..b6af6aab4 100644
--- a/modules/project-factory/main.tf
+++ b/modules/project-factory/main.tf
@@ -178,7 +178,8 @@ module "projects-iam" {
           # other automation service account (project/automation/rw)
           local.context.iam_principals[vv],
           # project's service identities
-          local.service_agents_email[each.key][vv],
+          local.service_agents_email["${each.key}/${vv}"],
+          local.service_agents_email[vv],
           # passthrough + error handling using tonumber until Terraform gets fail/raise function
           (
             strcontains(vv, ":")
@@ -206,7 +207,8 @@ module "projects-iam" {
         # other automation service account (project/automation/rw)
         local.context.iam_principals[v.member],
         # project's service identities
-        local.service_agents_email[each.key][v.member],
+        local.service_agents_email["${each.key}/${v.member}"],
+        local.service_agents_email[v.member],
         # passthrough + error handling using tonumber until Terraform gets fail/raise function
         (
           strcontains(v.member, ":")
@@ -271,7 +273,8 @@ module "projects-iam" {
             # other automation service account (project/automation/rw)
             local.context.iam_principals[v.member],
             # project's service identities
-            local.service_agents_email[each.key][v.member],
+            local.service_agents_email["${each.key}/${v.member}"],
+            local.service_agents_email[v.member],
             # passthrough + error handling using tonumber until Terraform gets fail/raise function
             (
               strcontains(v.member, ":")

From 272658c7789e65adb607a63c6488ce8d6f8cbb4b Mon Sep 17 00:00:00 2001
From: apichick <mirene@google.com>
Date: Thu, 3 Jul 2025 14:57:04 +0200
Subject: [PATCH 3/3] Fixed bug in project network tier resource, it was not
 working if the project was not created (#3213)

---
 modules/project/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/project/main.tf b/modules/project/main.tf
index 066a1febd..ceb458c88 100644
--- a/modules/project/main.tf
+++ b/modules/project/main.tf
@@ -128,5 +128,5 @@ resource "google_monitoring_monitored_project" "primary" {
 resource "google_compute_project_default_network_tier" "default_network_tier" {
   count        = var.default_network_tier == null ? 0 : 1
   network_tier = var.default_network_tier
-  project      = google_project.project[0].id
+  project      = local.project.project_id
 }