Merge branch 'master' into elia-gcve

tests/modules/cloud_run/examples/gen2.yaml

@@ -0,0 +1,40 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.cloud_run.google_cloud_run_service.service:
+    autogenerate_revision_name: false
+    location: europe-west1
+    metadata:
+    - {}
+    name: hello
+    project: project-id
+    template:
+    - metadata:
+      - annotations:
+          run.googleapis.com/execution-environment: gen2
+      spec:
+      - containers:
+        - args: null
+          command: null
+          env: []
+          env_from: []
+          image: us-docker.pkg.dev/cloudrun/container/hello
+          liveness_probe: []
+          volume_mounts: []
+          working_dir: null
+        volumes: []
+
+counts:
+  google_cloud_run_service: 1

tests/modules/compute_mig/examples/stateful.yaml

@@ -13,25 +13,49 @@
 # limitations under the License.
 
 values:
+  module.nginx-mig.google_compute_instance_group_manager.default[0]:
+    all_instances_config: []
+    auto_healing_policies: []
+    base_instance_name: mig-test
+    description: Terraform managed.
+    list_managed_instances_results: PAGELESS
+    name: mig-test
+    named_port: []
+    project: my-prj
+    stateful_disk: []
+    stateful_external_ip: []
+    stateful_internal_ip: []
+    target_pools: null
+    timeouts: null
+    version:
+    - name: default
+      target_size: []
+    wait_for_instances: false
+    wait_for_instances_status: STABLE
+    zone: europe-west8-b
   module.nginx-mig.google_compute_per_instance_config.default["instance-1"]:
+    instance_group_manager: mig-test
     minimal_action: NONE
     most_disruptive_allowed_action: REPLACE
     name: instance-1
     preserved_state:
     - disk:
       - delete_rule: NEVER
-        device_name: persistent-disk-1
+        device_name: data-1
         mode: READ_WRITE
-        source: test-disk
+        source: projects/my-prj/zones/europe-west8-b/disks/test-data-1
       metadata:
         foo: bar
-    project: my-project
+    project: my-prj
     remove_instance_state_on_destroy: false
     timeouts: null
-    zone: europe-west1-b
+    zone: europe-west8-b
 
 counts:
-  google_compute_autoscaler: 1
   google_compute_instance_group_manager: 1
   google_compute_instance_template: 1
   google_compute_per_instance_config: 1
+  modules: 2
+  resources: 3
+
+outputs: {}

tests/modules/dataplex_datascan/examples/datascan_iam.yaml

@@ -11,6 +11,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+
 values:
   module.dataplex-datascan.google_dataplex_datascan.datascan:
     data:
@@ -57,11 +58,19 @@ values:
     - group:user-group@example.com
     project: my-project-name
     role: roles/dataplex.dataScanViewer
+  module.dataplex-datascan.google_dataplex_datascan_iam_member.members["am1-viewer"]:
+    condition: []
+    data_scan_id: test-datascan
+    location: us-central1
+    member: user:am1@example.com
+    project: my-project-name
+    role: roles/dataplex.dataScanViewer
 
 counts:
   google_dataplex_datascan: 1
   google_dataplex_datascan_iam_binding: 3
+  google_dataplex_datascan_iam_member: 1
   modules: 1
-  resources: 4
+  resources: 5
 
-outputs: {}
+outputs: {}

tests/modules/folder/examples/iam.yaml

@@ -16,6 +16,7 @@ values:
   module.folder.google_folder.folder[0]:
     display_name: Folder name
     parent: organizations/1234567890
+    timeouts: null
   module.folder.google_folder_iam_binding.authoritative["roles/owner"]:
     condition: []
     members:
@@ -52,8 +53,16 @@ values:
     condition: []
     member: user:am2@example.org
     role: roles/storage.objectViewer
+  module.folder.google_folder_iam_member.members["am1-storage-admin"]:
+    condition: []
+    member: user:am1@example.org
+    role: roles/storage.admin
 
 counts:
   google_folder: 1
   google_folder_iam_binding: 3
-  google_folder_iam_member: 5
+  google_folder_iam_member: 6
+  modules: 1
+  resources: 10
+
+outputs: {}

tests/modules/kms/examples/basic.yaml

@@ -19,12 +19,14 @@ values:
     purpose: ENCRYPT_DECRYPT
     rotation_period: null
     skip_initial_version_creation: null
+    timeouts: null
   module.kms.google_kms_crypto_key.default["key-b"]:
     labels: null
     name: key-b
     purpose: ENCRYPT_DECRYPT
     rotation_period: 604800s
     skip_initial_version_creation: null
+    timeouts: null
   module.kms.google_kms_crypto_key.default["key-c"]:
     labels:
       env: test
@@ -32,23 +34,29 @@ values:
     purpose: ENCRYPT_DECRYPT
     rotation_period: null
     skip_initial_version_creation: null
+    timeouts: null
   module.kms.google_kms_crypto_key_iam_binding.default["key-a.roles/cloudkms.admin"]:
     condition: []
     members:
     - user:user3@example.com
     role: roles/cloudkms.admin
-  module.kms.google_kms_crypto_key_iam_member.default["key-b.roles/cloudkms.cryptoKeyEncrypterDecrypteruser:user4@example.com"]:
-    condition: []
+  ? module.kms.google_kms_crypto_key_iam_member.default["key-b.roles/cloudkms.cryptoKeyEncrypterDecrypteruser:user4@example.com"]
+  : condition: []
     member: user:user4@example.com
     role: roles/cloudkms.cryptoKeyEncrypterDecrypter
-  module.kms.google_kms_crypto_key_iam_member.default["key-b.roles/cloudkms.cryptoKeyEncrypterDecrypteruser:user5@example.com"]:
-    condition: []
+  ? module.kms.google_kms_crypto_key_iam_member.default["key-b.roles/cloudkms.cryptoKeyEncrypterDecrypteruser:user5@example.com"]
+  : condition: []
     member: user:user5@example.com
     role: roles/cloudkms.cryptoKeyEncrypterDecrypter
+  module.kms.google_kms_crypto_key_iam_member.members["key-b-am1"]:
+    condition: []
+    member: user:am1@example.com
+    role: roles/cloudkms.cryptoKeyEncrypterDecrypter
   module.kms.google_kms_key_ring.default[0]:
     location: europe-west1
     name: test
     project: my-project
+    timeouts: null
   module.kms.google_kms_key_ring_iam_member.default["roles/cloudkms.cryptoKeyEncrypterDecrypteruser:user1@example.com"]:
     condition: []
     member: user:user1@example.com
@@ -61,6 +69,10 @@ values:
 counts:
   google_kms_crypto_key: 3
   google_kms_crypto_key_iam_binding: 1
-  google_kms_crypto_key_iam_member: 2
+  google_kms_crypto_key_iam_member: 3
   google_kms_key_ring: 1
   google_kms_key_ring_iam_member: 2
+  modules: 1
+  resources: 10
+
+outputs: {}

tests/modules/net_firewall_policy/examples/factory.yaml

@@ -18,7 +18,7 @@ values:
   module.firewall-policy.google_compute_firewall_policy_association.hierarchical["test"]:
     attachment_target: folders/4567890123
     name: test-1-test
-  module.firewall-policy.google_compute_firewall_policy_rule.hierarchical["egress/icmp"]:
+  module.firewall-policy.google_compute_firewall_policy_rule.hierarchical["ingress/icmp"]:
     action: allow
     direction: INGRESS
     disabled: false
@@ -41,7 +41,7 @@ values:
     priority: 1000
     target_resources: null
     target_service_accounts: null
-  module.firewall-policy.google_compute_firewall_policy_rule.hierarchical["ingress/smtp"]:
+  module.firewall-policy.google_compute_firewall_policy_rule.hierarchical["egress/smtp"]:
     action: deny
     direction: EGRESS
     disabled: false

tests/modules/net_vpc/examples/subnet-iam.yaml

@@ -14,17 +14,63 @@
 
 values:
   module.vpc.google_compute_network.network[0]:
+    auto_create_subnetworks: false
+    delete_default_routes_on_create: false
+    description: Terraform-managed.
+    enable_ula_internal_ipv6: null
     name: my-network
+    network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
     project: my-project
+    routing_mode: GLOBAL
+    timeouts: null
+  module.vpc.google_compute_route.gateway["private-googleapis"]:
+    description: Terraform-managed.
+    dest_range: 199.36.153.8/30
+    name: my-network-private-googleapis
+    next_hop_gateway: default-internet-gateway
+    next_hop_ilb: null
+    next_hop_instance: null
+    next_hop_vpn_tunnel: null
+    priority: 1000
+    project: my-project
+    tags: null
+    timeouts: null
+  module.vpc.google_compute_route.gateway["restricted-googleapis"]:
+    description: Terraform-managed.
+    dest_range: 199.36.153.4/30
+    name: my-network-restricted-googleapis
+    next_hop_gateway: default-internet-gateway
+    next_hop_ilb: null
+    next_hop_instance: null
+    next_hop_vpn_tunnel: null
+    priority: 1000
+    project: my-project
+    tags: null
+    timeouts: null
   module.vpc.google_compute_subnetwork.subnetwork["europe-west1/subnet-1"]:
+    description: Terraform-managed.
+    ip_cidr_range: 10.0.1.0/24
+    ipv6_access_type: null
+    log_config: []
     name: subnet-1
+    private_ip_google_access: true
     project: my-project
     region: europe-west1
+    role: null
+    secondary_ip_range: []
+    timeouts: null
   module.vpc.google_compute_subnetwork.subnetwork["europe-west1/subnet-2"]:
+    description: Terraform-managed.
+    ip_cidr_range: 10.0.1.0/24
+    ipv6_access_type: null
+    log_config: []
     name: subnet-2
     private_ip_google_access: true
     project: my-project
     region: europe-west1
+    role: null
+    secondary_ip_range: []
+    timeouts: null
   module.vpc.google_compute_subnetwork_iam_binding.binding["europe-west1/subnet-1.roles/compute.networkUser"]:
     condition: []
     members:
@@ -34,16 +80,23 @@ values:
     region: europe-west1
     role: roles/compute.networkUser
     subnetwork: subnet-1
-  module.vpc.google_compute_subnetwork_iam_member.binding["europe-west1/subnet-2.roles/compute.networkUser.user:user2@example.com"]:
-    condition: []
+  ? module.vpc.google_compute_subnetwork_iam_member.binding["europe-west1/subnet-2.roles/compute.networkUser.group:group2@example.com"]
+  : condition: []
+    member: group:group2@example.com
+    project: my-project
+    region: europe-west1
+    role: roles/compute.networkUser
+    subnetwork: subnet-2
+  ? module.vpc.google_compute_subnetwork_iam_member.binding["europe-west1/subnet-2.roles/compute.networkUser.user:user2@example.com"]
+  : condition: []
     member: user:user2@example.com
     project: my-project
     region: europe-west1
     role: roles/compute.networkUser
     subnetwork: subnet-2
-  module.vpc.google_compute_subnetwork_iam_member.binding["europe-west1/subnet-2.roles/compute.networkUser.group:group2@example.com"]:
+  module.vpc.google_compute_subnetwork_iam_member.members["subnet-2-am1"]:
     condition: []
-    member: group:group2@example.com
+    member: user:am1@example.com
     project: my-project
     region: europe-west1
     role: roles/compute.networkUser
@@ -51,7 +104,11 @@ values:
 
 counts:
   google_compute_network: 1
+  google_compute_route: 2
   google_compute_subnetwork: 2
   google_compute_subnetwork_iam_binding: 1
-  google_compute_subnetwork_iam_member: 2
-  google_compute_route: 2
+  google_compute_subnetwork_iam_member: 3
+  modules: 1
+  resources: 9
+
+outputs: {}

tests/modules/organization/examples/basic.yaml

@@ -25,6 +25,7 @@ values:
         deny_all: null
         enforce: 'TRUE'
         values: []
+    timeouts: null
   module.org.google_org_policy_policy.default["compute.skipDefaultNetworkCreation"]:
     name: organizations/1234567890/policies/compute.skipDefaultNetworkCreation
     parent: organizations/1234567890
@@ -37,6 +38,7 @@ values:
         deny_all: null
         enforce: 'TRUE'
         values: []
+    timeouts: null
   module.org.google_org_policy_policy.default["compute.trustedImageProjects"]:
     name: organizations/1234567890/policies/compute.trustedImageProjects
     parent: organizations/1234567890
@@ -52,6 +54,7 @@ values:
         - allowed_values:
           - projects/my-project
           denied_values: null
+    timeouts: null
   module.org.google_org_policy_policy.default["compute.vmExternalIpAccess"]:
     name: organizations/1234567890/policies/compute.vmExternalIpAccess
     parent: organizations/1234567890
@@ -64,6 +67,20 @@ values:
         deny_all: 'TRUE'
         enforce: null
         values: []
+    timeouts: null
+  module.org.google_org_policy_policy.default["custom.gkeEnableAutoUpgrade"]:
+    name: organizations/1234567890/policies/custom.gkeEnableAutoUpgrade
+    parent: organizations/1234567890
+    spec:
+    - inherit_from_parent: null
+      reset: null
+      rules:
+      - allow_all: null
+        condition: []
+        deny_all: null
+        enforce: 'TRUE'
+        values: []
+    timeouts: null
   module.org.google_org_policy_policy.default["iam.allowedPolicyMemberDomains"]:
     name: organizations/1234567890/policies/iam.allowedPolicyMemberDomains
     parent: organizations/1234567890
@@ -95,6 +112,7 @@ values:
           - C0xxxxxxx
           - C0yyyyyyy
           denied_values: null
+    timeouts: null
   module.org.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]:
     name: organizations/1234567890/policies/iam.disableServiceAccountKeyCreation
     parent: organizations/1234567890
@@ -107,6 +125,7 @@ values:
         deny_all: null
         enforce: 'TRUE'
         values: []
+    timeouts: null
   module.org.google_org_policy_policy.default["iam.disableServiceAccountKeyUpload"]:
     name: organizations/1234567890/policies/iam.disableServiceAccountKeyUpload
     parent: organizations/1234567890
@@ -128,6 +147,7 @@ values:
         deny_all: null
         enforce: 'FALSE'
         values: []
+    timeouts: null
   module.org.google_organization_iam_binding.authoritative["roles/owner"]:
     condition: []
     members:
@@ -156,20 +176,34 @@ values:
     member: user:compute@example.org
     org_id: '1234567890'
     role: roles/container.viewer
+  module.org.google_organization_iam_member.members["am1-storage-admin"]:
+    condition: []
+    member: user:am1@example.org
+    org_id: '1234567890'
+    role: roles/storage.admin
   module.org.google_tags_tag_key.default["allowexternal"]:
     description: Allow external identities.
     parent: organizations/1234567890
     purpose: null
     purpose_data: null
     short_name: allowexternal
+    timeouts: null
   module.org.google_tags_tag_value.default["allowexternal/false"]:
+    description: Managed by the Terraform organization module.
     short_name: 'false'
+    timeouts: null
   module.org.google_tags_tag_value.default["allowexternal/true"]:
+    description: Managed by the Terraform organization module.
     short_name: 'true'
+    timeouts: null
 
 counts:
   google_org_policy_policy: 8
   google_organization_iam_binding: 3
-  google_organization_iam_member: 2
+  google_organization_iam_member: 3
   google_tags_tag_key: 1
   google_tags_tag_value: 2
+  modules: 1
+  resources: 17
+
+outputs: {}

tests/modules/organization/firewall_policies_factory_combined.tfvars

@@ -1,51 +0,0 @@
-firewall_policies = {
-  policy1 = {
-    allow-ingress = {
-      description = ""
-      direction   = "INGRESS"
-      action      = "allow"
-      priority    = 100
-      ranges      = ["10.0.0.0/8"]
-      ports = {
-        tcp = ["22"]
-      }
-      target_service_accounts = null
-      target_resources        = null
-      logging                 = false
-    }
-    deny-egress = {
-      description = ""
-      direction   = "EGRESS"
-      action      = "deny"
-      priority    = 200
-      ranges      = ["192.168.0.0/24"]
-      ports = {
-        tcp = ["443"]
-      }
-      target_service_accounts = null
-      target_resources        = null
-      logging                 = false
-    }
-  }
-  policy2 = {
-    allow-ingress = {
-      description = ""
-      direction   = "INGRESS"
-      action      = "allow"
-      priority    = 100
-      ranges      = ["10.0.0.0/8"]
-      ports = {
-        tcp = ["22"]
-      }
-      target_service_accounts = null
-      target_resources        = null
-      logging                 = false
-    }
-  }
-}
-
-firewall_policy_factory = {
-  cidr_file   = "../../tests/modules/organization/data/firewall-cidrs.yaml"
-  policy_name = "factory-1"
-  rules_file  = "../../tests/modules/organization/data/firewall-rules.yaml"
-}

tests/modules/organization/firewall_policies_factory_combined.yaml

@@ -1,27 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-values:
-  google_compute_firewall_policy.policy["factory-1"]: {}
-  google_compute_firewall_policy.policy["policy1"]: {}
-  google_compute_firewall_policy.policy["policy2"]: {}
-  google_compute_firewall_policy_rule.rule["factory-1-allow-admins"]: {}
-  google_compute_firewall_policy_rule.rule["factory-1-allow-ssh-from-iap"]: {}
-  google_compute_firewall_policy_rule.rule["policy1-allow-ingress"]: {}
-  google_compute_firewall_policy_rule.rule["policy1-deny-egress"]: {}
-  google_compute_firewall_policy_rule.rule["policy2-allow-ingress"]: {}
-
-counts:
-  google_compute_firewall_policy: 3
-  google_compute_firewall_policy_rule: 5

tests/modules/organization/tftest.yaml

@@ -21,5 +21,4 @@ tests:
   org_policies_list:
   org_policies_boolean:
   org_policies_custom_constraints:
-  firewall_policies_factory_combined:
   tags:

tests/modules/project/examples/iam-members.yaml

@@ -0,0 +1,48 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.project.google_project.project[0]:
+    auto_create_network: false
+    billing_account: null
+    folder_id: null
+    labels: null
+    name: project-example
+    org_id: null
+    project_id: project-example
+    skip_delete: false
+    timeouts: null
+  module.project.google_project_iam_member.members["one-owner"]:
+    condition: []
+    member: user:one@example.org
+    project: project-example
+    role: roles/owner
+  module.project.google_project_iam_member.members["two-compute-admin"]:
+    condition: []
+    member: user:two@example.org
+    project: project-example
+    role: roles/compute.admin
+  module.project.google_project_iam_member.members["two-viewer"]:
+    condition: []
+    member: user:two@example.org
+    project: project-example
+    role: roles/viewer
+
+counts:
+  google_project: 1
+  google_project_iam_member: 3
+  modules: 1
+  resources: 4
+
+outputs: {}

tests/modules/source_repository/examples/simple.yaml

@@ -17,6 +17,7 @@ values:
     name: my-repo
     project: my-project
     pubsub_configs: []
+    timeouts: null
   module.repo.google_sourcerepo_repository_iam_binding.authoritative["roles/source.reader"]:
     condition: []
     members:
@@ -24,7 +25,18 @@ values:
     project: my-project
     repository: my-repo
     role: roles/source.reader
+  module.repo.google_sourcerepo_repository_iam_member.members["am1-reader"]:
+    condition: []
+    member: user:am1@example.com
+    project: my-project
+    repository: my-repo
+    role: roles/source.reader
 
 counts:
   google_sourcerepo_repository: 1
   google_sourcerepo_repository_iam_binding: 1
+  google_sourcerepo_repository_iam_member: 1
+  modules: 1
+  resources: 3
+
+outputs: {}