Merge branch 'master' into ehorning/support-gcs-object-upload

tests/modules/dataplex_datascan/examples/datascan_iam.yaml

@@ -11,6 +11,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+
 values:
   module.dataplex-datascan.google_dataplex_datascan.datascan:
     data:
@@ -57,11 +58,19 @@ values:
     - group:user-group@example.com
     project: my-project-name
     role: roles/dataplex.dataScanViewer
+  module.dataplex-datascan.google_dataplex_datascan_iam_member.bindings["am1-viewer"]:
+    condition: []
+    data_scan_id: test-datascan
+    location: us-central1
+    member: user:am1@example.com
+    project: my-project-name
+    role: roles/dataplex.dataScanViewer
 
 counts:
   google_dataplex_datascan: 1
   google_dataplex_datascan_iam_binding: 3
+  google_dataplex_datascan_iam_member: 1
   modules: 1
-  resources: 4
+  resources: 5
 
-outputs: {}
+outputs: {}

tests/modules/folder/examples/iam-policy.yaml

@@ -1,27 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-values:
-  module.folder.google_folder.folder[0]:
-    display_name: my-folder
-    parent: folders/657104291943
-    timeouts: null
-  module.folder.google_folder_iam_policy.authoritative[0]:
-    policy_data: '{"auditConfigs":[{"auditLogConfigs":[{"exemptedMembers":["group:organization-admins@example.org"],"logType":"ADMIN_READ"}],"service":"allServices"},{"auditLogConfigs":[{"logType":"DATA_WRITE"},{"logType":"DATA_READ"}],"service":"storage.googleapis.com"}],"bindings":[{"members":["group:org-admins@example.com"],"role":"roles/owner"},{"members":["group:org-admins@example.com"],"role":"roles/resourcemanager.folderAdmin"},{"members":["group:org-admins@example.com"],"role":"roles/resourcemanager.organizationAdmin"},{"members":["group:org-admins@example.com"],"role":"roles/resourcemanager.projectCreator"}]}'
-
-counts:
-  google_folder: 1
-  google_folder_iam_policy: 1
-  modules: 1
-  resources: 2

tests/modules/folder/examples/iam.yaml

@@ -16,6 +16,7 @@ values:
   module.folder.google_folder.folder[0]:
     display_name: Folder name
     parent: organizations/1234567890
+    timeouts: null
   module.folder.google_folder_iam_binding.authoritative["roles/owner"]:
     condition: []
     members:
@@ -32,28 +33,17 @@ values:
     members:
     - group:cloud-owners@example.org
     role: roles/resourcemanager.projectCreator
-  module.folder.google_folder_iam_member.additive["roles/compute.admin-user:a1@example.org"]:
-    condition: []
-    member: user:a1@example.org
-    role: roles/compute.admin
-  module.folder.google_folder_iam_member.additive["roles/compute.admin-user:a2@example.org"]:
-    condition: []
-    member: user:a2@example.org
-    role: roles/compute.admin
-  module.folder.google_folder_iam_member.additive["roles/compute.viewer-user:a2@example.org"]:
-    condition: []
-    member: user:a2@example.org
-    role: roles/compute.viewer
-  module.folder.google_folder_iam_member.additive["roles/storage.admin-user:am1@example.org"]:
+  module.folder.google_folder_iam_member.bindings["am1-storage-admin"]:
     condition: []
     member: user:am1@example.org
     role: roles/storage.admin
-  module.folder.google_folder_iam_member.additive["roles/storage.objectViewer-user:am2@example.org"]:
-    condition: []
-    member: user:am2@example.org
-    role: roles/storage.objectViewer
 
 counts:
   google_folder: 1
   google_folder_iam_binding: 3
-  google_folder_iam_member: 5
+  google_folder_iam_member: 1
+  modules: 1
+  resources: 5
+
+outputs: {}
+

tests/modules/gcve_private_cloud/examples/basic.yaml

@@ -0,0 +1,42 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.gcve-pc.google_vmwareengine_network.private-cloud-network[0]:
+    description: Terraform-managed.
+    location: europe-west8
+    name: europe-west8-default
+    project: gcve-test-project
+    timeouts: null
+    type: LEGACY
+  module.gcve-pc.google_vmwareengine_private_cloud.private-cloud:
+    description: Terraform-managed.
+    location: europe-west8-a
+    management_cluster:
+    - cluster_id: gcve-pc-mgmt-cluster
+      node_type_configs:
+      - custom_core_count: 0
+        node_count: 3
+        node_type_id: standard-72
+    name: gcve-pc
+    network_config:
+    - management_cidr: 192.168.0.0/24
+    project: gcve-test-project
+    timeouts: null
+
+counts:
+  google_vmwareengine_network: 1
+  google_vmwareengine_private_cloud: 1
+  modules: 1
+  resources: 2

tests/modules/gcve_private_cloud/examples/custom.yaml

@@ -0,0 +1,42 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.gcve-pc.google_vmwareengine_network.private-cloud-network[0]:
+    description: Terraform-managed.
+    location: europe-west8
+    name: europe-west8-default
+    project: gcve-test-project
+    timeouts: null
+    type: LEGACY
+  module.gcve-pc.google_vmwareengine_private_cloud.private-cloud:
+    description: Terraform-managed.
+    location: europe-west8-a
+    management_cluster:
+    - cluster_id: gcve-pc-mgmt-cluster
+      node_type_configs:
+      - custom_core_count: 28
+        node_count: 6
+        node_type_id: standard-72
+    name: gcve-pc
+    network_config:
+    - management_cidr: 192.168.0.0/24
+    project: gcve-test-project
+    timeouts: null
+
+counts:
+  google_vmwareengine_network: 1
+  google_vmwareengine_private_cloud: 1
+  modules: 1
+  resources: 2

tests/modules/iam_service_account/examples/basic.yaml

@@ -27,7 +27,7 @@ values:
     display_name: Terraform-managed.
     project: myproject
     timeouts: null
-  module.myproject-default-service-accounts.google_service_account_iam_binding.roles["roles/iam.serviceAccountUser"]:
+  module.myproject-default-service-accounts.google_service_account_iam_binding.authoritative["roles/iam.serviceAccountUser"]:
     condition: []
     members:
     - user:foo@example.com

tests/modules/kms/examples/basic.yaml

@@ -19,12 +19,14 @@ values:
     purpose: ENCRYPT_DECRYPT
     rotation_period: null
     skip_initial_version_creation: null
+    timeouts: null
   module.kms.google_kms_crypto_key.default["key-b"]:
     labels: null
     name: key-b
     purpose: ENCRYPT_DECRYPT
     rotation_period: 604800s
     skip_initial_version_creation: null
+    timeouts: null
   module.kms.google_kms_crypto_key.default["key-c"]:
     labels:
       env: test
@@ -32,23 +34,29 @@ values:
     purpose: ENCRYPT_DECRYPT
     rotation_period: null
     skip_initial_version_creation: null
+    timeouts: null
   module.kms.google_kms_crypto_key_iam_binding.default["key-a.roles/cloudkms.admin"]:
     condition: []
     members:
     - user:user3@example.com
     role: roles/cloudkms.admin
-  module.kms.google_kms_crypto_key_iam_member.default["key-b.roles/cloudkms.cryptoKeyEncrypterDecrypteruser:user4@example.com"]:
-    condition: []
+  ? module.kms.google_kms_crypto_key_iam_member.default["key-b.roles/cloudkms.cryptoKeyEncrypterDecrypteruser:user4@example.com"]
+  : condition: []
     member: user:user4@example.com
     role: roles/cloudkms.cryptoKeyEncrypterDecrypter
-  module.kms.google_kms_crypto_key_iam_member.default["key-b.roles/cloudkms.cryptoKeyEncrypterDecrypteruser:user5@example.com"]:
-    condition: []
+  ? module.kms.google_kms_crypto_key_iam_member.default["key-b.roles/cloudkms.cryptoKeyEncrypterDecrypteruser:user5@example.com"]
+  : condition: []
     member: user:user5@example.com
     role: roles/cloudkms.cryptoKeyEncrypterDecrypter
+  module.kms.google_kms_crypto_key_iam_member.members["key-b-am1"]:
+    condition: []
+    member: user:am1@example.com
+    role: roles/cloudkms.cryptoKeyEncrypterDecrypter
   module.kms.google_kms_key_ring.default[0]:
     location: europe-west1
     name: test
     project: my-project
+    timeouts: null
   module.kms.google_kms_key_ring_iam_member.default["roles/cloudkms.cryptoKeyEncrypterDecrypteruser:user1@example.com"]:
     condition: []
     member: user:user1@example.com
@@ -61,6 +69,10 @@ values:
 counts:
   google_kms_crypto_key: 3
   google_kms_crypto_key_iam_binding: 1
-  google_kms_crypto_key_iam_member: 2
+  google_kms_crypto_key_iam_member: 3
   google_kms_key_ring: 1
   google_kms_key_ring_iam_member: 2
+  modules: 1
+  resources: 10
+
+outputs: {}

tests/modules/net_firewall_policy/examples/factory.yaml

@@ -18,7 +18,7 @@ values:
   module.firewall-policy.google_compute_firewall_policy_association.hierarchical["test"]:
     attachment_target: folders/4567890123
     name: test-1-test
-  module.firewall-policy.google_compute_firewall_policy_rule.hierarchical["egress/icmp"]:
+  module.firewall-policy.google_compute_firewall_policy_rule.hierarchical["ingress/icmp"]:
     action: allow
     direction: INGRESS
     disabled: false
@@ -41,7 +41,7 @@ values:
     priority: 1000
     target_resources: null
     target_service_accounts: null
-  module.firewall-policy.google_compute_firewall_policy_rule.hierarchical["ingress/smtp"]:
+  module.firewall-policy.google_compute_firewall_policy_rule.hierarchical["egress/smtp"]:
     action: deny
     direction: EGRESS
     disabled: false

tests/modules/net_vpc/examples/factory.yaml

@@ -14,12 +14,66 @@
 
 values:
   module.vpc.google_compute_network.network[0]:
+    auto_create_subnetworks: false
+    delete_default_routes_on_create: false
+    description: Terraform-managed.
+    enable_ula_internal_ipv6: null
     name: my-network
+    network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
     project: my-project
     routing_mode: GLOBAL
+    timeouts: null
+  module.vpc.google_compute_route.gateway["private-googleapis"]:
+    description: Terraform-managed.
+    dest_range: 199.36.153.8/30
+    name: my-network-private-googleapis
+    next_hop_gateway: default-internet-gateway
+    next_hop_ilb: null
+    next_hop_instance: null
+    next_hop_vpn_tunnel: null
+    priority: 1000
+    project: my-project
+    tags: null
+    timeouts: null
+  module.vpc.google_compute_route.gateway["restricted-googleapis"]:
+    description: Terraform-managed.
+    dest_range: 199.36.153.4/30
+    name: my-network-restricted-googleapis
+    next_hop_gateway: default-internet-gateway
+    next_hop_ilb: null
+    next_hop_instance: null
+    next_hop_vpn_tunnel: null
+    priority: 1000
+    project: my-project
+    tags: null
+    timeouts: null
+  module.vpc.google_compute_subnetwork.proxy_only["europe-west4/subnet-proxy"]:
+    description: Terraform-managed proxy-only subnet for Regional HTTPS or Internal
+      HTTPS LB.
+    ip_cidr_range: 10.1.0.0/24
+    ipv6_access_type: null
+    log_config: []
+    name: subnet-proxy
+    project: my-project
+    purpose: REGIONAL_MANAGED_PROXY
+    region: europe-west4
+    role: ACTIVE
+    timeouts: null
+  module.vpc.google_compute_subnetwork.psc["europe-west4/subnet-psc"]:
+    description: Terraform-managed subnet for Private Service Connect (PSC NAT).
+    ip_cidr_range: 10.2.0.0/24
+    ipv6_access_type: null
+    log_config: []
+    name: subnet-psc
+    project: my-project
+    purpose: PRIVATE_SERVICE_CONNECT
+    region: europe-west4
+    role: null
+    timeouts: null
   module.vpc.google_compute_subnetwork.subnetwork["europe-west1/subnet-detailed"]:
     description: Sample description
     ip_cidr_range: 10.0.0.0/24
+    ipv6_access_type: null
     log_config:
     - aggregation_interval: INTERVAL_5_SEC
       filter_expr: 'true'
@@ -34,9 +88,11 @@ values:
     secondary_ip_range:
     - ip_cidr_range: 192.168.0.0/24
       range_name: secondary-range-a
+    timeouts: null
   module.vpc.google_compute_subnetwork.subnetwork["europe-west4/simple"]:
     description: Terraform-managed.
     ip_cidr_range: 10.0.1.0/24
+    ipv6_access_type: null
     log_config: []
     name: simple
     private_ip_google_access: true
@@ -44,9 +100,11 @@ values:
     region: europe-west4
     role: null
     secondary_ip_range: []
+    timeouts: null
   module.vpc.google_compute_subnetwork.subnetwork["europe-west8/simple"]:
     description: Terraform-managed.
     ip_cidr_range: 10.0.2.0/24
+    ipv6_access_type: null
     log_config: []
     name: simple
     private_ip_google_access: true
@@ -54,7 +112,8 @@ values:
     region: europe-west8
     role: null
     secondary_ip_range: []
-  module.vpc.google_compute_subnetwork_iam_binding.binding["europe-west1/subnet-detailed.roles/compute.networkUser"]:
+    timeouts: null
+  module.vpc.google_compute_subnetwork_iam_binding.authoritative["europe-west1/subnet-detailed.roles/compute.networkUser"]:
     condition: []
     members:
     - group:lorem@example.com
@@ -64,16 +123,13 @@ values:
     region: europe-west1
     role: roles/compute.networkUser
     subnetwork: subnet-detailed
-  module.vpc.google_compute_subnetwork.proxy_only["europe-west4/subnet-proxy"]:
-    region: europe-west4
-    ip_cidr_range: 10.1.0.0/24
-    purpose: REGIONAL_MANAGED_PROXY
-  module.vpc.google_compute_subnetwork.psc["europe-west4/subnet-psc"]:
-    region: europe-west4
-    ip_cidr_range: 10.2.0.0/24
-    purpose: PRIVATE_SERVICE_CONNECT
 
 counts:
   google_compute_network: 1
+  google_compute_route: 2
   google_compute_subnetwork: 5
   google_compute_subnetwork_iam_binding: 1
+  modules: 1
+  resources: 9
+
+outputs: {}

tests/modules/net_vpc/examples/shared-vpc.yaml

@@ -30,7 +30,7 @@ values:
       range_name: pods
     - ip_cidr_range: 192.168.0.0/24
       range_name: services
-  module.vpc-host.google_compute_subnetwork_iam_binding.binding["europe-west1/subnet-1.roles/compute.networkUser"]:
+  module.vpc-host.google_compute_subnetwork_iam_binding.authoritative["europe-west1/subnet-1.roles/compute.networkUser"]:
     condition: []
     members:
     - serviceAccount:cloudsvc
@@ -39,7 +39,7 @@ values:
     region: europe-west1
     role: roles/compute.networkUser
     subnetwork: subnet-1
-  module.vpc-host.google_compute_subnetwork_iam_binding.binding["europe-west1/subnet-1.roles/compute.securityAdmin"]:
+  module.vpc-host.google_compute_subnetwork_iam_binding.authoritative["europe-west1/subnet-1.roles/compute.securityAdmin"]:
     condition: []
     members:
     - serviceAccount:gke

tests/modules/net_vpc/examples/subnet-iam.yaml

@@ -14,18 +14,64 @@
 
 values:
   module.vpc.google_compute_network.network[0]:
+    auto_create_subnetworks: false
+    delete_default_routes_on_create: false
+    description: Terraform-managed.
+    enable_ula_internal_ipv6: null
     name: my-network
+    network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
     project: my-project
+    routing_mode: GLOBAL
+    timeouts: null
+  module.vpc.google_compute_route.gateway["private-googleapis"]:
+    description: Terraform-managed.
+    dest_range: 199.36.153.8/30
+    name: my-network-private-googleapis
+    next_hop_gateway: default-internet-gateway
+    next_hop_ilb: null
+    next_hop_instance: null
+    next_hop_vpn_tunnel: null
+    priority: 1000
+    project: my-project
+    tags: null
+    timeouts: null
+  module.vpc.google_compute_route.gateway["restricted-googleapis"]:
+    description: Terraform-managed.
+    dest_range: 199.36.153.4/30
+    name: my-network-restricted-googleapis
+    next_hop_gateway: default-internet-gateway
+    next_hop_ilb: null
+    next_hop_instance: null
+    next_hop_vpn_tunnel: null
+    priority: 1000
+    project: my-project
+    tags: null
+    timeouts: null
   module.vpc.google_compute_subnetwork.subnetwork["europe-west1/subnet-1"]:
+    description: Terraform-managed.
+    ip_cidr_range: 10.0.1.0/24
+    ipv6_access_type: null
+    log_config: []
     name: subnet-1
+    private_ip_google_access: true
     project: my-project
     region: europe-west1
+    role: null
+    secondary_ip_range: []
+    timeouts: null
   module.vpc.google_compute_subnetwork.subnetwork["europe-west1/subnet-2"]:
+    description: Terraform-managed.
+    ip_cidr_range: 10.0.1.0/24
+    ipv6_access_type: null
+    log_config: []
     name: subnet-2
     private_ip_google_access: true
     project: my-project
     region: europe-west1
-  module.vpc.google_compute_subnetwork_iam_binding.binding["europe-west1/subnet-1.roles/compute.networkUser"]:
+    role: null
+    secondary_ip_range: []
+    timeouts: null
+  module.vpc.google_compute_subnetwork_iam_binding.authoritative["europe-west1/subnet-1.roles/compute.networkUser"]:
     condition: []
     members:
     - group:group1@example.com
@@ -34,16 +80,20 @@ values:
     region: europe-west1
     role: roles/compute.networkUser
     subnetwork: subnet-1
-  module.vpc.google_compute_subnetwork_iam_member.binding["europe-west1/subnet-2.roles/compute.networkUser.user:user2@example.com"]:
-    condition: []
-    member: user:user2@example.com
+  module.vpc.google_compute_subnetwork_iam_binding.bindings["europe-west1/subnet-1.roles/compute.networkUser.test_condition"]:
+    condition:
+    - description: null
+      expression: resource.matchTag('123456789012/env', 'prod')
+      title: test_condition
+    members:
+    - group:group2@example.com
     project: my-project
     region: europe-west1
     role: roles/compute.networkUser
-    subnetwork: subnet-2
-  module.vpc.google_compute_subnetwork_iam_member.binding["europe-west1/subnet-2.roles/compute.networkUser.group:group2@example.com"]:
+    subnetwork: subnet-1
+  module.vpc.google_compute_subnetwork_iam_member.bindings["subnet-2-am1"]:
     condition: []
-    member: group:group2@example.com
+    member: user:am1@example.com
     project: my-project
     region: europe-west1
     role: roles/compute.networkUser
@@ -51,7 +101,11 @@ values:
 
 counts:
   google_compute_network: 1
-  google_compute_subnetwork: 2
-  google_compute_subnetwork_iam_binding: 1
-  google_compute_subnetwork_iam_member: 2
   google_compute_route: 2
+  google_compute_subnetwork: 2
+  google_compute_subnetwork_iam_binding: 2
+  google_compute_subnetwork_iam_member: 1
+  modules: 1
+  resources: 8
+
+outputs: {}

tests/modules/net_vpc/psa_routes_export.yaml

@@ -46,7 +46,6 @@ counts:
   google_service_networking_connection: 1
 
 outputs:
-  bindings: {}
   name: __missing__
   network: __missing__
   project_id: test-project

tests/modules/net_vpc/psa_routes_import.yaml

@@ -46,7 +46,6 @@ counts:
   google_service_networking_connection: 1
 
 outputs:
-  bindings: {}
   name: __missing__
   network: __missing__
   project_id: test-project

tests/modules/net_vpc/psa_routes_import_export.yaml

@@ -46,7 +46,6 @@ counts:
   google_service_networking_connection: 1
 
 outputs:
-  bindings: {}
   name: __missing__
   network: __missing__
   project_id: test-project

tests/modules/net_vpc/shared_vpc.yaml

@@ -35,7 +35,6 @@ counts:
   google_compute_shared_vpc_service_project: 2
 
 outputs:
-  bindings: {}
   project_id: test-project
   subnet_ips: {}
   subnet_regions: {}

tests/modules/organization/examples/basic.yaml

@@ -25,6 +25,7 @@ values:
         deny_all: null
         enforce: 'TRUE'
         values: []
+    timeouts: null
   module.org.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]:
     name: organizations/1234567890/policies/compute.skipDefaultNetworkCreation
     parent: organizations/1234567890
@@ -37,6 +38,7 @@ values:
         deny_all: null
         enforce: 'TRUE'
         values: []
+    timeouts: null
   module.org.google_org_policy_policy.default["compute.trustedImageProjects"]:
     name: organizations/1234567890/policies/compute.trustedImageProjects
     parent: organizations/1234567890
@@ -52,6 +54,7 @@ values:
         - allowed_values:
           - projects/my-project
           denied_values: null
+    timeouts: null
   module.org.google_org_policy_policy.default["compute.vmExternalIpAccess"]:
     name: organizations/1234567890/policies/compute.vmExternalIpAccess
     parent: organizations/1234567890
@@ -64,6 +67,20 @@ values:
         deny_all: 'TRUE'
         enforce: null
         values: []
+    timeouts: null
+  module.org.google_org_policy_policy.default["custom.gkeEnableAutoUpgrade"]:
+    name: organizations/1234567890/policies/custom.gkeEnableAutoUpgrade
+    parent: organizations/1234567890
+    spec:
+    - inherit_from_parent: null
+      reset: null
+      rules:
+      - allow_all: null
+        condition: []
+        deny_all: null
+        enforce: 'TRUE'
+        values: []
+    timeouts: null
   module.org.google_org_policy_policy.default["iam.allowedPolicyMemberDomains"]:
     name: organizations/1234567890/policies/iam.allowedPolicyMemberDomains
     parent: organizations/1234567890
@@ -95,6 +112,7 @@ values:
           - C0xxxxxxx
           - C0yyyyyyy
           denied_values: null
+    timeouts: null
   module.org.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]:
     name: organizations/1234567890/policies/iam.disableServiceAccountKeyCreation
     parent: organizations/1234567890
@@ -107,6 +125,7 @@ values:
         deny_all: null
         enforce: 'TRUE'
         values: []
+    timeouts: null
   module.org.google_org_policy_policy.default["iam.disableServiceAccountKeyUpload"]:
     name: organizations/1234567890/policies/iam.disableServiceAccountKeyUpload
     parent: organizations/1234567890
@@ -128,6 +147,7 @@ values:
         deny_all: null
         enforce: 'FALSE'
         values: []
+    timeouts: null
   module.org.google_organization_iam_binding.authoritative["roles/owner"]:
     condition: []
     members:
@@ -146,30 +166,34 @@ values:
     - group:cloud-admins@example.org
     org_id: '1234567890'
     role: roles/resourcemanager.projectCreator
-  module.org.google_organization_iam_member.additive["roles/compute.admin-user:compute@example.org"]:
+  module.org.google_organization_iam_member.bindings["am1-storage-admin"]:
     condition: []
-    member: user:compute@example.org
+    member: user:am1@example.org
     org_id: '1234567890'
-    role: roles/compute.admin
-  module.org.google_organization_iam_member.additive["roles/container.viewer-user:compute@example.org"]:
-    condition: []
-    member: user:compute@example.org
-    org_id: '1234567890'
-    role: roles/container.viewer
+    role: roles/storage.admin
   module.org.google_tags_tag_key.default["allowexternal"]:
     description: Allow external identities.
     parent: organizations/1234567890
     purpose: null
     purpose_data: null
     short_name: allowexternal
+    timeouts: null
   module.org.google_tags_tag_value.default["allowexternal/false"]:
+    description: Managed by the Terraform organization module.
     short_name: 'false'
+    timeouts: null
   module.org.google_tags_tag_value.default["allowexternal/true"]:
+    description: Managed by the Terraform organization module.
     short_name: 'true'
+    timeouts: null
 
 counts:
   google_org_policy_policy: 8
   google_organization_iam_binding: 3
-  google_organization_iam_member: 2
+  google_organization_iam_member: 1
   google_tags_tag_key: 1
   google_tags_tag_value: 2
+  modules: 1
+  resources: 15
+
+outputs: {}

tests/modules/organization/examples/iam-policy.yaml

@@ -1,23 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-values:
-  module.org.google_organization_iam_policy.authoritative[0]:
-    org_id: '1122334455'
-    policy_data: '{"auditConfigs":[{"auditLogConfigs":[{"exemptedMembers":["group:organization-admins@example.org"],"logType":"ADMIN_READ"}],"service":"allServices"},{"auditLogConfigs":[{"logType":"DATA_WRITE"},{"logType":"DATA_READ"}],"service":"storage.googleapis.com"}],"bindings":[{"members":["group:org-admins@example.com"],"role":"roles/owner"},{"members":["group:org-admins@example.com"],"role":"roles/resourcemanager.folderAdmin"},{"members":["group:org-admins@example.com"],"role":"roles/resourcemanager.organizationAdmin"},{"members":["group:org-admins@example.com"],"role":"roles/resourcemanager.projectCreator"}]}'
-
-counts:
-  google_organization_iam_policy: 1
-  modules: 1
-  resources: 1

tests/modules/organization/test_plan_org_policies_modules.py

@@ -57,9 +57,9 @@ def test_policy_implementation():
       '@@ -116,0 +117,9 @@\n',
       '+  depends_on = [\n',
       '+    google_organization_iam_binding.authoritative,\n',
+      '+    google_organization_iam_binding.bindings,\n',
+      '+    google_organization_iam_member.bindings,\n',
       '+    google_organization_iam_custom_role.roles,\n',
-      '+    google_organization_iam_member.additive,\n',
-      '+    google_organization_iam_policy.authoritative,\n',
       '+    google_org_policy_custom_constraint.constraint,\n',
       '+    google_tags_tag_key.default,\n',
       '+    google_tags_tag_value.default,\n',

tests/modules/project/examples/iam-additive-members.yaml

@@ -1,33 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-values:
-  module.project.google_project.project[0]:
-    project_id: project-example
-  module.project.google_project_iam_member.additive["roles/editor-user:two@example.org"]:
-    condition: []
-    project: project-example
-    role: roles/editor
-  module.project.google_project_iam_member.additive["roles/owner-user:one@example.org"]:
-    condition: []
-    project: project-example
-    role: roles/owner
-  module.project.google_project_iam_member.additive["roles/owner-user:two@example.org"]:
-    condition: []
-    project: project-example
-    role: roles/owner
-
-counts:
-  google_project: 1
-  google_project_iam_member: 3

tests/modules/project/examples/iam-additive.yaml

@@ -1,36 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-values:
-  module.project.google_project.project[0]: {}
-  module.project.google_project_iam_member.additive["roles/owner-group:three@example.org"]:
-    condition: []
-    project: project-example
-    role: roles/owner
-  module.project.google_project_iam_member.additive["roles/storage.objectAdmin-group:two@example.org"]:
-    condition: []
-    project: project-example
-    role: roles/storage.objectAdmin
-  module.project.google_project_iam_member.additive["roles/viewer-group:one@example.org"]:
-    condition: []
-    project: project-example
-    role: roles/viewer
-  module.project.google_project_iam_member.additive["roles/viewer-group:two@xample.org"]:
-    condition: []
-    project: project-example
-    role: roles/viewer
-
-counts:
-  google_project: 1
-  google_project_iam_member: 4

tests/modules/project/examples/iam-authoritative.yaml

@@ -13,7 +13,16 @@
 # limitations under the License.
 
 values:
-  module.project.google_project.project[0]: {}
+  module.project.google_project.project[0]:
+    auto_create_network: false
+    billing_account: 123456-123456-123456
+    folder_id: '1234567890'
+    labels: null
+    name: foo-project-example
+    org_id: null
+    project_id: foo-project-example
+    skip_delete: false
+    timeouts: null
   module.project.google_project_iam_binding.authoritative["roles/container.hostServiceAgentUser"]:
     condition: []
     members:
@@ -37,3 +46,8 @@ counts:
   google_project: 1
   google_project_iam_binding: 1
   google_project_service: 2
+  modules: 1
+  resources: 4
+
+outputs: {}
+

tests/modules/project/examples/iam-bindings-additive.yaml

@@ -0,0 +1,46 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.project.google_project.project[0]:
+    auto_create_network: false
+    billing_account: null
+    folder_id: null
+    labels: null
+    name: project-1
+    org_id: null
+    project_id: project-1
+    skip_delete: false
+    timeouts: null
+  module.project.google_project_iam_member.bindings["group-owner"]:
+    condition: []
+    member: group:p1-owners@example.org
+    project: project-1
+    role: roles/owner
+  module.project.google_project_service.project_services["compute.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: project-1
+    service: compute.googleapis.com
+    timeouts: null
+
+counts:
+  google_project: 1
+  google_project_iam_member: 1
+  google_project_service: 1
+  modules: 1
+  resources: 3
+
+outputs: {}
+

tests/modules/project/examples/iam-bindings.yaml

@@ -0,0 +1,57 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.project.google_project.project[0]:
+    auto_create_network: false
+    billing_account: 123456-123456-123456
+    folder_id: '1234567890'
+    labels: null
+    name: foo-project-example
+    org_id: null
+    project_id: foo-project-example
+    skip_delete: false
+    timeouts: null
+  module.project.google_project_iam_binding.bindings["roles/resourcemanager.projectIamAdmin"]:
+    condition:
+    - description: null
+      expression: "api.getAttribute(\n  'iam.googleapis.com/modifiedGrantsByRole',\
+        \ []\n).hasOnly([\n  'roles/compute.networkAdmin'\n])\n"
+      title: delegated_network_user_one
+    members:
+    - group:test-admins@example.org
+    project: foo-project-example
+    role: roles/resourcemanager.projectIamAdmin
+  module.project.google_project_service.project_services["container.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: foo-project-example
+    service: container.googleapis.com
+    timeouts: null
+  module.project.google_project_service.project_services["stackdriver.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: foo-project-example
+    service: stackdriver.googleapis.com
+    timeouts: null
+
+counts:
+  google_project: 1
+  google_project_iam_binding: 1
+  google_project_service: 2
+  modules: 1
+  resources: 4
+
+outputs: {}
+

tests/modules/project/examples/iam-policy.yaml

@@ -1,34 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-values:
-  module.project.google_project.project[0]:
-    auto_create_network: false
-    billing_account: 123456-123456-123456
-    folder_id: '1234567890'
-    labels: null
-    name: my-project
-    org_id: null
-    project_id: my-project
-    skip_delete: false
-    timeouts: null
-  module.project.google_project_iam_policy.authoritative[0]:
-    policy_data: '{"auditConfigs":[{"auditLogConfigs":[{"exemptedMembers":["group:organization-admins@example.org"],"logType":"ADMIN_READ"}],"service":"allServices"},{"auditLogConfigs":[{"logType":"DATA_WRITE"},{"logType":"DATA_READ"}],"service":"storage.googleapis.com"}],"bindings":[{"members":["group:org-admins@example.com"],"role":"roles/owner"},{"members":["group:org-admins@example.com"],"role":"roles/resourcemanager.folderAdmin"},{"members":["group:org-admins@example.com"],"role":"roles/resourcemanager.organizationAdmin"},{"members":["group:org-admins@example.com"],"role":"roles/resourcemanager.projectCreator"}]}'
-    project: my-project
-
-counts:
-  google_project: 1
-  google_project_iam_policy: 1
-  modules: 1
-  resources: 2

tests/modules/source_repository/examples/simple.yaml

@@ -17,6 +17,7 @@ values:
     name: my-repo
     project: my-project
     pubsub_configs: []
+    timeouts: null
   module.repo.google_sourcerepo_repository_iam_binding.authoritative["roles/source.reader"]:
     condition: []
     members:
@@ -24,7 +25,19 @@ values:
     project: my-project
     repository: my-repo
     role: roles/source.reader
+  module.repo.google_sourcerepo_repository_iam_member.bindings["am1-reader"]:
+    condition: []
+    member: user:am1@example.com
+    project: my-project
+    repository: my-repo
+    role: roles/source.reader
 
 counts:
   google_sourcerepo_repository: 1
   google_sourcerepo_repository_iam_binding: 1
+  google_sourcerepo_repository_iam_member: 1
+  modules: 1
+  resources: 3
+
+outputs: {}
+