From 44d00ed6709558d814ab53df012e3aa9b6f9ab13 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo <ludomagno@google.com>
Date: Fri, 27 Mar 2026 08:56:07 +0100
Subject: [PATCH] Implement group membership in compute-vm module (#3816)

* implement group membership in compute-vm module

* fix newline, update copyright
---
 modules/GEMINI.md                             | 12 +++++++++
 modules/compute-vm/README.md                  | 19 ++++++++++++++
 modules/compute-vm/main.tf                    | 10 ++++++-
 .../compute_vm/examples/group-membership.yaml | 26 +++++++++++++++++++
 4 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 modules/GEMINI.md
 create mode 100644 tests/modules/compute_vm/examples/group-membership.yaml

diff --git a/modules/GEMINI.md b/modules/GEMINI.md
new file mode 100644
index 000000000..ea2846883
--- /dev/null
+++ b/modules/GEMINI.md
@@ -0,0 +1,12 @@
+# Module testing notes
+
+## Generating test inventory files
+
+1. Specify `inventory=filename.yaml` in the `tftest` annotation in `README.md`.
+2. Create the empty inventory file in `tests/modules/<module_name>/examples/` (note the underscore in module name, e.g., `compute_vm`).
+3. Place the standard copyright blurb at the top.
+4. Add `counts: { foo: 1 }` to the inventory file.
+5. Run the specific test using `pytest "tests/examples/test_plan.py::test_example[terraform:modules/<module-name>:Heading Name:Index]"`.
+6. Use the test failure output to replace `counts` with the actual resource types and counts.
+7. Add `values: { foo: 1 }` to the inventory file and run the test again.
+8. Use the output to replace `values` with the actual mapped attributes. Remove unnecessary or overly verbose keys like large instance configurations, and use `{}` for resources where specific values don't need validation.
\ No newline at end of file
diff --git a/modules/compute-vm/README.md b/modules/compute-vm/README.md
index cca2c3472..9b2e918e3 100644
--- a/modules/compute-vm/README.md
+++ b/modules/compute-vm/README.md
@@ -965,6 +965,25 @@ module "instance-group" {
 # tftest inventory=group.yaml e2e
 ```
 
+You can also use the `group` variable to add the instance to an existing unmanaged instance group by providing the group's self link or ID in the `membership` field.
+
+```hcl
+module "instance-group-membership" {
+  source     = "./fabric/modules/compute-vm"
+  project_id = var.project_id
+  zone       = "${var.region}-b"
+  name       = "ilb-test-member"
+  network_interfaces = [{
+    network    = var.vpc.self_link
+    subnetwork = var.subnet.self_link
+  }]
+  group = {
+    membership = "my-existing-group-id"
+  }
+}
+# tftest inventory=group-membership.yaml
+```
+
 ### Instance Schedule and Resource Policies
 
 One instance start and stop schedule can be defined via the `instance_schedule` variable. Note that this requires [additional permissions on Compute Engine Service Agent](https://cloud.google.com/compute/docs/instances/schedule-instance-start-stop#service_agent_required_roles). Already defined resource policies can be set via the `resource_policies` variable.
diff --git a/modules/compute-vm/main.tf b/modules/compute-vm/main.tf
index 05d14fd09..a5457b41d 100644
--- a/modules/compute-vm/main.tf
+++ b/modules/compute-vm/main.tf
@@ -98,7 +98,7 @@ resource "google_compute_instance_iam_binding" "default" {
 }
 
 resource "google_compute_instance_group" "unmanaged" {
-  count   = var.group != null && !local.is_template ? 1 : 0
+  count   = try(var.group.membership, null) == null && var.group != null && !local.is_template ? 1 : 0
   project = local.project_id
   network = (
     length(var.network_interfaces) > 0
@@ -119,6 +119,14 @@ resource "google_compute_instance_group" "unmanaged" {
   }
 }
 
+resource "google_compute_instance_group_membership" "unmanaged" {
+  count          = try(var.group.membership, null) != null && !local.is_template ? 1 : 0
+  project        = local.project_id
+  zone           = local.zone
+  instance       = google_compute_instance.default[0].self_link
+  instance_group = var.group.membership
+}
+
 resource "google_service_account" "service_account" {
   count        = try(var.service_account.auto_create, null) == true ? 1 : 0
   project      = local.project_id
diff --git a/tests/modules/compute_vm/examples/group-membership.yaml b/tests/modules/compute_vm/examples/group-membership.yaml
new file mode 100644
index 000000000..5e486a2c6
--- /dev/null
+++ b/tests/modules/compute_vm/examples/group-membership.yaml
@@ -0,0 +1,26 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.instance-group-membership.google_compute_instance.default[0]: {}
+  module.instance-group-membership.google_compute_instance_group_membership.unmanaged[0]:
+    instance_group: my-existing-group-id
+    project: project-id
+    timeouts: null
+    zone: europe-west8-b
+
+counts:
+  google_compute_instance: 1
+  google_compute_instance_group_membership: 1
+