Merge remote-tracking branch 'origin/master' into fast-dev

tests/modules/iam_service_account/examples/tags.yaml

@@ -0,0 +1,36 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.service-account-with-tags.google_service_account.service_account[0]:
+    account_id: test-service-account
+    create_ignore_already_exists: null
+    description: null
+    disabled: false
+    display_name: Terraform-managed.
+    email: test-service-account@project-id.iam.gserviceaccount.com
+    member: serviceAccount:test-service-account@project-id.iam.gserviceaccount.com
+    project: project-id
+    timeouts: null
+  module.service-account-with-tags.google_tags_tag_binding.binding["foo"]:
+    tag_value: tagValues/123456789
+    timeouts: null
+
+counts:
+  google_service_account: 1
+  google_tags_tag_binding: 1
+  modules: 1
+  resources: 2
+
+outputs: {}

tests/modules/project_factory/bucket_iam.yaml

@@ -83,6 +83,124 @@ values:
     - group:gcp-devops@example.org
     - group:team-a-admins@example.org
     role: roles/viewer
+  module.hierarchy-folder-lvl-1["team-b"].google_folder.folder[0]:
+    deletion_protection: false
+    display_name: Team B
+    parent: folders/5678901234
+    tags: null
+    timeouts: null
+  module.projects["auto-team-a"].data.google_storage_project_service_account.gcs_sa[0]:
+    project: test-pf-auto-team-a
+    user_project: null
+  module.projects["auto-team-a"].google_essential_contacts_contact.contact["admin@example.org"]:
+    email: admin@example.org
+    language_tag: en
+    notification_category_subscriptions:
+    - ALL
+    parent: projects/test-pf-auto-team-a
+    timeouts: null
+  module.projects["auto-team-a"].google_project.project[0]:
+    auto_create_network: false
+    billing_account: 012345-67890A-BCDEF0
+    deletion_policy: DELETE
+    effective_labels:
+      environment: test
+      goog-terraform-provisioned: 'true'
+    labels:
+      environment: test
+    name: test-pf-auto-team-a
+    project_id: test-pf-auto-team-a
+    tags: null
+    terraform_labels:
+      environment: test
+      goog-terraform-provisioned: 'true'
+    timeouts: null
+  module.projects["auto-team-a"].google_project_iam_member.service_agents["container-engine-robot"]:
+    condition: []
+    project: test-pf-auto-team-a
+    role: roles/container.serviceAgent
+  module.projects["auto-team-a"].google_project_iam_member.service_agents["gkenode"]:
+    condition: []
+    project: test-pf-auto-team-a
+    role: roles/container.defaultNodeServiceAgent
+  module.projects["auto-team-a"].google_project_service.project_services["container.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: test-pf-auto-team-a
+    service: container.googleapis.com
+    timeouts: null
+  module.projects["auto-team-a"].google_project_service.project_services["stackdriver.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: test-pf-auto-team-a
+    service: stackdriver.googleapis.com
+    timeouts: null
+  module.projects["auto-team-a"].google_project_service.project_services["storage.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: test-pf-auto-team-a
+    service: storage.googleapis.com
+    timeouts: null
+  module.projects["auto-team-a"].google_project_service_identity.default["container.googleapis.com"]:
+    project: test-pf-auto-team-a
+    service: container.googleapis.com
+    timeouts: null
+  module.projects["auto-team-b"].data.google_storage_project_service_account.gcs_sa[0]:
+    project: test-pf-auto-team-b
+    user_project: null
+  module.projects["auto-team-b"].google_essential_contacts_contact.contact["admin@example.org"]:
+    email: admin@example.org
+    language_tag: en
+    notification_category_subscriptions:
+    - ALL
+    parent: projects/test-pf-auto-team-b
+    timeouts: null
+  module.projects["auto-team-b"].google_project.project[0]:
+    auto_create_network: false
+    billing_account: 012345-67890A-BCDEF0
+    deletion_policy: DELETE
+    effective_labels:
+      environment: test
+      goog-terraform-provisioned: 'true'
+    labels:
+      environment: test
+    name: test-pf-auto-team-b
+    project_id: test-pf-auto-team-b
+    tags: null
+    terraform_labels:
+      environment: test
+      goog-terraform-provisioned: 'true'
+    timeouts: null
+  module.projects["auto-team-b"].google_project_iam_member.service_agents["container-engine-robot"]:
+    condition: []
+    project: test-pf-auto-team-b
+    role: roles/container.serviceAgent
+  module.projects["auto-team-b"].google_project_iam_member.service_agents["gkenode"]:
+    condition: []
+    project: test-pf-auto-team-b
+    role: roles/container.defaultNodeServiceAgent
+  module.projects["auto-team-b"].google_project_service.project_services["container.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: test-pf-auto-team-b
+    service: container.googleapis.com
+    timeouts: null
+  module.projects["auto-team-b"].google_project_service.project_services["stackdriver.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: test-pf-auto-team-b
+    service: stackdriver.googleapis.com
+    timeouts: null
+  module.projects["auto-team-b"].google_project_service.project_services["storage.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: test-pf-auto-team-b
+    service: storage.googleapis.com
+    timeouts: null
+  module.projects["auto-team-b"].google_project_service_identity.default["container.googleapis.com"]:
+    project: test-pf-auto-team-b
+    service: container.googleapis.com
+    timeouts: null
   module.projects["project1"].data.google_storage_project_service_account.gcs_sa[0]:
     project: test-pf-project1
     user_project: null
@@ -174,6 +292,118 @@ values:
     project: test-pf-project2
     service: stackdriver.googleapis.com
     timeouts: null
+  module.projects["project3"].data.google_storage_project_service_account.gcs_sa[0]:
+    project: test-pf-project3
+    user_project: null
+  module.projects["project3"].google_essential_contacts_contact.contact["admin@example.org"]:
+    email: admin@example.org
+    language_tag: en
+    notification_category_subscriptions:
+    - ALL
+    parent: projects/test-pf-project3
+    timeouts: null
+  module.projects["project3"].google_project.project[0]:
+    auto_create_network: false
+    billing_account: 012345-67890A-BCDEF0
+    deletion_policy: DELETE
+    effective_labels:
+      environment: test
+      goog-terraform-provisioned: 'true'
+    labels:
+      environment: test
+    name: test-pf-project3
+    project_id: test-pf-project3
+    tags: null
+    terraform_labels:
+      environment: test
+      goog-terraform-provisioned: 'true'
+    timeouts: null
+  module.projects["project3"].google_project_iam_member.service_agents["container-engine-robot"]:
+    condition: []
+    project: test-pf-project3
+    role: roles/container.serviceAgent
+  module.projects["project3"].google_project_iam_member.service_agents["gkenode"]:
+    condition: []
+    project: test-pf-project3
+    role: roles/container.defaultNodeServiceAgent
+  module.projects["project3"].google_project_service.project_services["container.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: test-pf-project3
+    service: container.googleapis.com
+    timeouts: null
+  module.projects["project3"].google_project_service.project_services["stackdriver.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: test-pf-project3
+    service: stackdriver.googleapis.com
+    timeouts: null
+  module.projects["project3"].google_project_service.project_services["storage.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: test-pf-project3
+    service: storage.googleapis.com
+    timeouts: null
+  module.projects["project3"].google_project_service_identity.default["container.googleapis.com"]:
+    project: test-pf-project3
+    service: container.googleapis.com
+    timeouts: null
+  module.projects["top-project3"].data.google_storage_project_service_account.gcs_sa[0]:
+    project: test-pf-top-project3
+    user_project: null
+  module.projects["top-project3"].google_essential_contacts_contact.contact["admin@example.org"]:
+    email: admin@example.org
+    language_tag: en
+    notification_category_subscriptions:
+    - ALL
+    parent: projects/test-pf-top-project3
+    timeouts: null
+  module.projects["top-project3"].google_project.project[0]:
+    auto_create_network: false
+    billing_account: 012345-67890A-BCDEF0
+    deletion_policy: DELETE
+    effective_labels:
+      environment: test
+      goog-terraform-provisioned: 'true'
+    labels:
+      environment: test
+    name: test-pf-top-project3
+    project_id: test-pf-top-project3
+    tags: null
+    terraform_labels:
+      environment: test
+      goog-terraform-provisioned: 'true'
+    timeouts: null
+  module.projects["top-project3"].google_project_iam_member.service_agents["container-engine-robot"]:
+    condition: []
+    project: test-pf-top-project3
+    role: roles/container.serviceAgent
+  module.projects["top-project3"].google_project_iam_member.service_agents["gkenode"]:
+    condition: []
+    project: test-pf-top-project3
+    role: roles/container.defaultNodeServiceAgent
+  module.projects["top-project3"].google_project_service.project_services["container.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: test-pf-top-project3
+    service: container.googleapis.com
+    timeouts: null
+  module.projects["top-project3"].google_project_service.project_services["stackdriver.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: test-pf-top-project3
+    service: stackdriver.googleapis.com
+    timeouts: null
+  module.projects["top-project3"].google_project_service.project_services["storage.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: test-pf-top-project3
+    service: storage.googleapis.com
+    timeouts: null
+  module.projects["top-project3"].google_project_service_identity.default["container.googleapis.com"]:
+    project: test-pf-top-project3
+    service: container.googleapis.com
+    timeouts: null
   module.service-accounts["project1/app-be-0"].google_service_account.service_account[0]:
     account_id: app-be-0
     create_ignore_already_exists: null
@@ -252,19 +482,19 @@ values:
     timeouts: null
 
 counts:
-  google_essential_contacts_contact: 2
-  google_folder: 1
+  google_essential_contacts_contact: 6
+  google_folder: 2
   google_folder_iam_binding: 1
-  google_project: 2
-  google_project_iam_member: 6
-  google_project_service: 4
-  google_project_service_identity: 1
+  google_project: 6
+  google_project_iam_member: 14
+  google_project_service: 16
+  google_project_service_identity: 5
   google_service_account: 6
   google_storage_bucket: 2
   google_storage_bucket_iam_binding: 1
-  google_storage_project_service_account: 1
-  modules: 11
-  resources: 27
+  google_storage_project_service_account: 5
+  modules: 16
+  resources: 64
 
 outputs:
   buckets:

tests/modules/project_factory/data/bucket_iam/hierarchy/team-a/automation.yaml

@@ -0,0 +1,20 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+billing_account: 012345-67890A-BCDEF0
+services:
+  - container.googleapis.com
+  - storage.googleapis.com
+
+name: auto-team-a

tests/modules/project_factory/data/bucket_iam/hierarchy/team-b/_config.yaml

@@ -0,0 +1,15 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Team B

tests/modules/project_factory/data/bucket_iam/hierarchy/team-b/automation.yaml

@@ -0,0 +1,20 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+billing_account: 012345-67890A-BCDEF0
+services:
+  - container.googleapis.com
+  - storage.googleapis.com
+
+name: auto-team-b

tests/modules/project_factory/data/bucket_iam/hierarchy/team-b/project3.yaml

@@ -0,0 +1,20 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+billing_account: 012345-67890A-BCDEF0
+services:
+  - container.googleapis.com
+  - storage.googleapis.com
+
+prefix: team-b

tests/modules/project_factory/data/bucket_iam/projects/project3.yaml

@@ -0,0 +1,21 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+billing_account: 012345-67890A-BCDEF0
+services:
+  - container.googleapis.com
+  - storage.googleapis.com
+
+name: top-project3
+parent: team-b

tests/modules/project_factory/data/data_overrides_defaults/projects/service1.yaml

@@ -0,0 +1,25 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+billing_account: 012345-67890A-BCDEF0
+
+contacts: # this should be overridden by value
+    admin-default@example.org:
+      - "ALL"
+
+tag_bindings: # this should be overridden with empty value
+  name1: project_id1
+
+services:
+  - run.googleapis.com

tests/modules/project_factory/data/data_overrides_defaults/projects/service2.yaml

@@ -0,0 +1,17 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+billing_account: 012345-67890A-BCDEF0
+
+# take defaults + overrides only

tests/modules/project_factory/data_overrides_defaults.tfvars

@@ -0,0 +1,51 @@
+data_defaults = {
+  billing_account  = "1245-5678-9012"
+  parent           = "folders/1234"
+  storage_location = "EU"
+  contacts = {
+    "admin-default@example.org" = ["ALL"] # should not surface, as overrides provide value
+  }
+  tag_bindings = { # should not surface, as overrides provide empty value
+    name1 = "default-id1"
+    name2 = "default-id2"
+  }
+  services = [
+    "default-service.googleapis.com"
+  ]
+}
+# make sure the environment label and stackdriver service are always added
+data_merges = {
+  labels = {
+    environment = "test"
+  }
+  services = [
+    "stackdriver.googleapis.com"
+  ]
+}
+# always use this contacts and prefix, regardless of what is in the yaml file
+data_overrides = {
+  contacts = {
+    "admin@example.org" = ["ALL"]
+  }
+  tag_bindings = {} # prevent setting any encryption keys
+  prefix       = "test-pf"
+}
+# location where the yaml files are read from
+factories_config = {
+  projects_data_path = "projects"
+  context = {
+    folder_ids = {
+      default = "folders/5678901234"
+      teams   = "folders/5678901234"
+    }
+    iam_principals = {
+      gcp-devops = "group:gcp-devops@example.org"
+    }
+    tag_values = {
+      "org-policies/drs-allow-all" = "tagValues/123456"
+    }
+    vpc_host_projects = {
+      dev-spoke-0 = "test-pf-dev-net-spoke-0"
+    }
+  }
+}

tests/modules/project_factory/data_overrides_defaults.yaml

@@ -0,0 +1,63 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.projects["service1"].google_essential_contacts_contact.contact["admin@example.org"]:
+    email: admin@example.org
+    parent: projects/test-pf-service1
+  module.projects["service1"].google_project.project[0]:
+    billing_account: 012345-67890A-BCDEF0
+    folder_id: '1234'
+    labels:
+      environment: test
+    name: test-pf-service1
+    project_id: test-pf-service1
+  module.projects["service1"].google_project_service.project_services["run.googleapis.com"]:
+    project: test-pf-service1
+    service: run.googleapis.com
+  module.projects["service1"].google_project_service.project_services["stackdriver.googleapis.com"]:
+    project: test-pf-service1
+    service: stackdriver.googleapis.com
+  module.projects["service2"].google_essential_contacts_contact.contact["admin@example.org"]:
+    email: admin@example.org
+    parent: projects/test-pf-service2
+  module.projects["service2"].google_project.project[0]:
+    billing_account: 012345-67890A-BCDEF0
+    folder_id: '1234'
+    labels:
+      environment: test
+    name: test-pf-service2
+    project_id: test-pf-service2
+  module.projects["service2"].google_project_service.project_services["default-service.googleapis.com"]:
+    project: test-pf-service2
+    service: default-service.googleapis.com
+  module.projects["service2"].google_project_service.project_services["stackdriver.googleapis.com"]:
+    project: test-pf-service2
+    service: stackdriver.googleapis.com
+
+counts:
+  google_essential_contacts_contact: 2
+  google_project: 2
+  google_project_iam_member: 1
+  google_project_service: 4
+  google_project_service_identity: 1
+  google_tags_tag_binding: 0 # keep this, to ensure that tag_bindings are not created
+  modules: 2
+  resources: 10
+
+outputs:
+  buckets: {}
+  folders: {}
+  projects: __missing__
+  service_accounts: {}

tests/modules/project_factory/empty_vpc_defaults.tfvars

@@ -0,0 +1,42 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+data_defaults = {
+  billing_account           = "1245-5678-9012"
+  storage_location          = "EU"
+  prefix                    = "my-prefix"
+  parent                    = "folders/1234"
+  shared_vpc_service_config = null
+}
+data_merges = {
+  services = [
+    "stackdriver.googleapis.com"
+  ]
+}
+data_overrides = {
+  prefix = "myprefix"
+}
+# location where the yaml files are read from
+factories_config = {
+  projects_data_path = "projects"
+  context = {
+    folder_ids = {
+      default = "folders/5678901234"
+      teams   = "folders/4321056789"
+    }
+    vpc_host_projects = {
+      dev-spoke-0 = "test-pf-dev-net-spoke-0"
+    }
+  }
+}

tests/modules/project_factory/empty_vpc_defaults.yaml

@@ -0,0 +1,173 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.automation-service-accounts["service1/ro"].google_service_account.service_account[0]:
+    account_id: myprefix-service1-ro
+    create_ignore_already_exists: null
+    description: Service read-only automation sa.
+    disabled: false
+    display_name: Service account ro for service1.
+    email: myprefix-service1-ro@service-iac.iam.gserviceaccount.com
+    member: serviceAccount:myprefix-service1-ro@service-iac.iam.gserviceaccount.com
+    project: service-iac
+    timeouts: null
+  module.automation-service-accounts["service1/rw"].google_service_account.service_account[0]:
+    account_id: myprefix-service1-rw
+    create_ignore_already_exists: null
+    description: Service read/write automation sa.
+    disabled: false
+    display_name: Service account rw for service1.
+    email: myprefix-service1-rw@service-iac.iam.gserviceaccount.com
+    member: serviceAccount:myprefix-service1-rw@service-iac.iam.gserviceaccount.com
+    project: service-iac
+    timeouts: null
+  module.projects-iam["service1"].google_compute_shared_vpc_service_project.shared_vpc_service[0]:
+    deletion_policy: null
+    host_project: test-pf-dev-net-spoke-0
+    service_project: myprefix-service1
+    timeouts: null
+  ? module.projects-iam["service1"].google_project_iam_member.shared_vpc_host_iam["serviceAccount:myprefix-service1-ro@service-iac.iam.gserviceaccount.com"]
+  : condition: []
+    member: serviceAccount:myprefix-service1-ro@service-iac.iam.gserviceaccount.com
+    project: test-pf-dev-net-spoke-0
+    role: roles/compute.networkUser
+  ? module.projects-iam["service1"].google_project_iam_member.shared_vpc_host_iam["serviceAccount:myprefix-service1-rw@service-iac.iam.gserviceaccount.com"]
+  : condition: []
+    member: serviceAccount:myprefix-service1-rw@service-iac.iam.gserviceaccount.com
+    project: test-pf-dev-net-spoke-0
+    role: roles/compute.networkUser
+  ? module.projects-iam["service1"].google_project_iam_member.shared_vpc_host_iam["serviceAccount:terraform-rw@myprefix-service1.iam.gserviceaccount.com"]
+  : condition: []
+    member: serviceAccount:terraform-rw@myprefix-service1.iam.gserviceaccount.com
+    project: test-pf-dev-net-spoke-0
+    role: roles/compute.networkUser
+  module.projects["service1"].google_project.project[0]:
+    auto_create_network: false
+    billing_account: 012345-67890A-BCDEF0
+    deletion_policy: DELETE
+    effective_labels:
+      goog-terraform-provisioned: 'true'
+    folder_id: '1234'
+    labels: null
+    name: myprefix-service1
+    org_id: null
+    project_id: myprefix-service1
+    tags: null
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
+    timeouts: null
+  module.projects["service1"].google_project_service.project_services["stackdriver.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: myprefix-service1
+    service: stackdriver.googleapis.com
+    timeouts: null
+  module.projects["service2"].data.google_storage_project_service_account.gcs_sa[0]:
+    project: myprefix-service2
+    user_project: null
+  module.projects["service2"].google_project.project[0]:
+    auto_create_network: false
+    billing_account: 012345-67890A-BCDEF0
+    deletion_policy: DELETE
+    effective_labels:
+      goog-terraform-provisioned: 'true'
+    folder_id: '1234'
+    labels: null
+    name: myprefix-service2
+    org_id: null
+    project_id: myprefix-service2
+    tags: null
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
+    timeouts: null
+  module.projects["service2"].google_project_iam_member.service_agents["compute-system"]:
+    condition: []
+    project: myprefix-service2
+    role: roles/compute.serviceAgent
+  module.projects["service2"].google_project_service.project_services["compute.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: myprefix-service2
+    service: compute.googleapis.com
+    timeouts: null
+  module.projects["service2"].google_project_service.project_services["stackdriver.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: myprefix-service2
+    service: stackdriver.googleapis.com
+    timeouts: null
+  module.projects["service2"].google_project_service.project_services["storage.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: myprefix-service2
+    service: storage.googleapis.com
+    timeouts: null
+  module.service-accounts["service1/app-be-0"].google_service_account.service_account[0]:
+    account_id: app-be-0
+    create_ignore_already_exists: null
+    description: null
+    disabled: false
+    display_name: Terraform-managed.
+    email: app-be-0@myprefix-service1.iam.gserviceaccount.com
+    member: serviceAccount:app-be-0@myprefix-service1.iam.gserviceaccount.com
+    project: myprefix-service1
+    timeouts: null
+  module.service-accounts["service1/terraform-rw"].google_service_account.service_account[0]:
+    account_id: terraform-rw
+    create_ignore_already_exists: null
+    description: null
+    disabled: false
+    display_name: Terraform-managed.
+    email: terraform-rw@myprefix-service1.iam.gserviceaccount.com
+    member: serviceAccount:terraform-rw@myprefix-service1.iam.gserviceaccount.com
+    project: myprefix-service1
+    timeouts: null
+  module.service-accounts["service2/app-be-0"].google_service_account.service_account[0]:
+    account_id: app-be-0
+    create_ignore_already_exists: null
+    description: null
+    disabled: false
+    display_name: Terraform-managed.
+    email: app-be-0@myprefix-service2.iam.gserviceaccount.com
+    member: serviceAccount:app-be-0@myprefix-service2.iam.gserviceaccount.com
+    project: myprefix-service2
+    timeouts: null
+  module.service-accounts["service2/terraform-rw"].google_service_account.service_account[0]:
+    account_id: terraform-rw
+    create_ignore_already_exists: null
+    description: null
+    disabled: false
+    display_name: Terraform-managed.
+    email: terraform-rw@myprefix-service2.iam.gserviceaccount.com
+    member: serviceAccount:terraform-rw@myprefix-service2.iam.gserviceaccount.com
+    project: myprefix-service2
+    timeouts: null
+
+counts:
+  google_compute_shared_vpc_service_project: 1
+  google_project: 2
+  google_project_iam_member: 4
+  google_project_service: 4
+  google_service_account: 6
+  google_storage_project_service_account: 1
+  modules: 9
+  resources: 18
+
+outputs:
+  buckets: {}
+  folders: {}
+  foo: {}
+  projects: __missing__
+  service_accounts: __missing__

tests/modules/project_factory/tftest.yaml

@@ -21,3 +21,6 @@ tests:
   shared_vpc_network_user:
     extra_dirs:
       - ../../tests/modules/project_factory/data/shared_vpc_network_user/projects
+  data_overrides_defaults:
+    extra_dirs:
+      - ../../tests/modules/project_factory/data/data_overrides_defaults/projects