Merge remote-tracking branch 'origin/master' into fast-dev

tests/collectors.py

@@ -21,6 +21,7 @@ See FabricTestFile for details on the file structure.
 
 import fnmatch
 import json
+import os
 import re
 from pathlib import Path
 
@@ -61,7 +62,6 @@ class FabricTestFile(pytest.File):
     will be taken from the file test-name.yaml
 
     """
-
     try:
       raw = yaml.safe_load(self.path.open())
       module = raw.pop('module')
@@ -72,6 +72,8 @@ class FabricTestFile(pytest.File):
     common = raw.pop('common_tfvars', [])
     for test_name, spec in raw.get('tests', {}).items():
       spec = {} if spec is None else spec
+      if spec.get('skip_tofu') and os.environ.get('TERRAFORM') == 'tofu':
+        continue
       extra_dirs = spec.get('extra_dirs')
       extra_files = spec.get('extra_files')
       inventories = spec.get('inventory', [f'{test_name}.yaml'])

tests/fixtures/shared-vpc.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2023 Google LLC
+ * Copyright 2025 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -70,8 +70,8 @@ module "net-vpc-host" {
       name          = "fixture-subnet-24"
       region        = var.region
       secondary_ip_ranges = {
-        pods     = "172.16.0.0/20"
-        services = "192.168.0.0/24"
+        pods     = { ip_cidr_range = "172.16.0.0/20" }
+        services = { ip_cidr_range = "192.168.0.0/24" }
       }
     },
     {
@@ -79,8 +79,8 @@ module "net-vpc-host" {
       name          = "fixture-subnet-28"
       region        = var.region
       secondary_ip_ranges = {
-        pods     = "172.16.16.0/20"
-        services = "192.168.1.0/24"
+        pods     = { ip_cidr_range = "172.16.16.0/20" }
+        services = { ip_cidr_range = "192.168.1.0/24" }
       }
     }
 

tests/modules/apigee/examples/access-logging.yaml

@@ -0,0 +1,32 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.apigee.google_apigee_instance.instances["europe-west1"]:
+    access_logging_config:
+    - enabled: true
+      filter: statusCode >= 200 && statusCode < 300
+    description: Terraform-managed
+    disk_encryption_key_name: null
+    display_name: null
+    ip_range: 10.0.4.0/22,10.1.1.0/28
+    location: europe-west1
+    name: instance-europe-west1
+    org_id: organizations/my-project
+    timeouts: null
+
+counts:
+  google_apigee_instance: 1
+  modules: 1
+  resources: 1

tests/modules/net_lb_app_ext/examples/classic-vs-non-classic.yaml

@@ -71,7 +71,7 @@ values:
     timeout_sec: 5
     timeouts: null
     unhealthy_threshold: 2
-  module.glb-0.google_compute_target_http_proxy.default[0]:
+  module.glb-0.google_compute_target_http_proxy.new[0]:
     description: Terraform managed.
     http_keep_alive_timeout_sec: null
     name: glb-test-0

tests/modules/net_lb_app_ext/examples/http-https-redirect.yaml

@@ -16,17 +16,195 @@ values:
   module.addresses.google_compute_global_address.global["glb-test-0"]:
     address_type: null
     description: Terraform managed.
+    effective_labels:
+      goog-terraform-provisioned: 'true'
     ip_version: null
+    labels: null
     name: glb-test-0
     network: null
     project: project-id
     purpose: null
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
     timeouts: null
+  module.compute-vm-group-b.google_compute_instance.default[0]:
+    advanced_machine_features: []
+    allow_stopping_for_update: true
+    attached_disk: []
+    boot_disk:
+    - auto_delete: true
+      disk_encryption_key_raw: null
+      disk_encryption_key_rsa: null
+      disk_encryption_service_account: null
+      force_attach: null
+      initialize_params:
+      - enable_confidential_compute: null
+        image: cos-cloud/cos-stable
+        resource_manager_tags: null
+        size: 10
+        source_image_encryption_key: []
+        source_snapshot_encryption_key: []
+        storage_pool: null
+        type: pd-balanced
+      interface: null
+      mode: READ_WRITE
+    can_ip_forward: false
+    deletion_protection: false
+    description: Managed by the compute-vm Terraform module.
+    desired_status: null
+    effective_labels:
+      goog-terraform-provisioned: 'true'
+    enable_display: false
+    hostname: null
+    instance_encryption_key: []
+    key_revocation_action_type: null
+    labels: null
+    machine_type: f1-micro
+    metadata: null
+    metadata_startup_script: null
+    name: my-ig-b
+    network_interface:
+    - access_config: []
+      alias_ip_range: []
+      ipv6_access_config: []
+      network: projects/xxx/global/networks/aaa
+      nic_type: null
+      queue_count: null
+      security_policy: null
+      subnetwork: subnet_self_link
+    network_performance_config: []
+    params: []
+    partner_metadata: null
+    project: project-id
+    resource_policies: null
+    scheduling:
+    - automatic_restart: true
+      availability_domain: null
+      graceful_shutdown: []
+      host_error_timeout_seconds: null
+      instance_termination_action: null
+      local_ssd_recovery_timeout: []
+      maintenance_interval: null
+      max_run_duration: []
+      min_node_cpus: null
+      node_affinities: []
+      on_host_maintenance: MIGRATE
+      on_instance_stop_action: []
+      preemptible: false
+      provisioning_model: STANDARD
+      termination_time: null
+    scratch_disk: []
+    service_account:
+    - scopes:
+      - https://www.googleapis.com/auth/devstorage.read_only
+      - https://www.googleapis.com/auth/logging.write
+      - https://www.googleapis.com/auth/monitoring.write
+    shielded_instance_config: []
+    tags: null
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
+    timeouts: null
+    zone: europe-west8-b
+  module.compute-vm-group-b.google_compute_instance_group.unmanaged[0]:
+    description: Managed by the compute-vm Terraform module.
+    name: my-ig-b
+    named_port: []
+    network: projects/xxx/global/networks/aaa
+    project: project-id
+    timeouts: null
+    zone: europe-west8-b
+  module.compute-vm-group-c.google_compute_instance.default[0]:
+    advanced_machine_features: []
+    allow_stopping_for_update: true
+    attached_disk: []
+    boot_disk:
+    - auto_delete: true
+      disk_encryption_key_raw: null
+      disk_encryption_key_rsa: null
+      disk_encryption_service_account: null
+      force_attach: null
+      initialize_params:
+      - enable_confidential_compute: null
+        image: cos-cloud/cos-stable
+        resource_manager_tags: null
+        size: 10
+        source_image_encryption_key: []
+        source_snapshot_encryption_key: []
+        storage_pool: null
+        type: pd-balanced
+      interface: null
+      mode: READ_WRITE
+    can_ip_forward: false
+    deletion_protection: false
+    description: Managed by the compute-vm Terraform module.
+    desired_status: null
+    effective_labels:
+      goog-terraform-provisioned: 'true'
+    enable_display: false
+    hostname: null
+    instance_encryption_key: []
+    key_revocation_action_type: null
+    labels: null
+    machine_type: f1-micro
+    metadata: null
+    metadata_startup_script: null
+    name: my-ig-c
+    network_interface:
+    - access_config: []
+      alias_ip_range: []
+      ipv6_access_config: []
+      network: projects/xxx/global/networks/aaa
+      nic_type: null
+      queue_count: null
+      security_policy: null
+      subnetwork: subnet_self_link
+    network_performance_config: []
+    params: []
+    partner_metadata: null
+    project: project-id
+    resource_policies: null
+    scheduling:
+    - automatic_restart: true
+      availability_domain: null
+      graceful_shutdown: []
+      host_error_timeout_seconds: null
+      instance_termination_action: null
+      local_ssd_recovery_timeout: []
+      maintenance_interval: null
+      max_run_duration: []
+      min_node_cpus: null
+      node_affinities: []
+      on_host_maintenance: MIGRATE
+      on_instance_stop_action: []
+      preemptible: false
+      provisioning_model: STANDARD
+      termination_time: null
+    scratch_disk: []
+    service_account:
+    - scopes:
+      - https://www.googleapis.com/auth/devstorage.read_only
+      - https://www.googleapis.com/auth/logging.write
+      - https://www.googleapis.com/auth/monitoring.write
+    shielded_instance_config: []
+    tags: null
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
+    timeouts: null
+    zone: europe-west8-c
+  module.compute-vm-group-c.google_compute_instance_group.unmanaged[0]:
+    description: Managed by the compute-vm Terraform module.
+    name: my-ig-c
+    named_port: []
+    network: projects/xxx/global/networks/aaa
+    project: project-id
+    timeouts: null
+    zone: europe-west8-c
   module.glb-test-0-redirect.google_compute_global_forwarding_rule.default[""]:
     allow_psc_global_access: null
     description: Terraform managed.
+    external_managed_backend_bucket_migration_state: null
+    external_managed_backend_bucket_migration_testing_percentage: null
     ip_protocol: TCP
-    ip_version: __missing__
     labels: null
     load_balancing_scheme: EXTERNAL
     metadata_filters: []
@@ -43,6 +221,7 @@ values:
     project: project-id
     timeouts: null
   module.glb-test-0-redirect.google_compute_url_map.default:
+    default_custom_error_response_policy: []
     default_route_action: []
     default_service: null
     default_url_redirect:
@@ -66,27 +245,39 @@ values:
     compression_mode: null
     connection_draining_timeout_sec: 300
     consistent_hash: []
+    custom_metrics: []
     custom_request_headers: null
     custom_response_headers: null
     description: Terraform managed.
+    dynamic_forwarding: []
     edge_security_policy: null
     enable_cdn: null
+    external_managed_migration_state: null
+    external_managed_migration_testing_percentage: null
+    ip_address_selection_policy: null
     load_balancing_scheme: EXTERNAL_MANAGED
     locality_lb_policies: []
     locality_lb_policy: null
+    max_stream_duration: []
     name: glb-test-0-default
+    network_pass_through_lb_traffic_policy: []
     outlier_detection: []
+    params: []
     port_name: http
     project: project-id
     protocol: HTTP
     security_policy: null
     security_settings: []
+    service_lb_policy: null
+    strong_session_affinity_cookie: []
     timeouts: null
+    tls_settings: []
   module.glb-test-0.google_compute_global_forwarding_rule.default[""]:
     allow_psc_global_access: null
     description: Terraform managed.
+    external_managed_backend_bucket_migration_state: null
+    external_managed_backend_bucket_migration_testing_percentage: null
     ip_protocol: TCP
-    ip_version: __missing__
     labels: null
     load_balancing_scheme: EXTERNAL_MANAGED
     metadata_filters: []
@@ -100,6 +291,7 @@ values:
     check_interval_sec: 5
     description: Terraform managed.
     grpc_health_check: []
+    grpc_tls_health_check: []
     healthy_threshold: 2
     http2_health_check: []
     http_health_check:
@@ -113,6 +305,7 @@ values:
     https_health_check: []
     name: glb-test-0-default
     project: project-id
+    source_regions: null
     ssl_health_check: []
     tcp_health_check: []
     timeout_sec: 5
@@ -127,7 +320,7 @@ values:
     project: project-id
     timeouts: null
     type: MANAGED
-  module.glb-test-0.google_compute_target_https_proxy.default[0]:
+  module.glb-test-0.google_compute_target_https_proxy.new[0]:
     certificate_manager_certificates: null
     certificate_map: null
     description: Terraform managed.
@@ -139,6 +332,7 @@ values:
     ssl_policy: null
     timeouts: null
   module.glb-test-0.google_compute_url_map.default:
+    default_custom_error_response_policy: []
     default_route_action: []
     default_url_redirect: []
     description: Terraform managed.

tests/modules/net_lb_app_ext/examples/serverless-neg.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -62,7 +62,6 @@ values:
       url_mask: null
     description: Terraform managed.
     name: glb-test-0-neg-0
-    network: null
     network_endpoint_type: SERVERLESS
     project: project-id
     psc_target_service: null

tests/modules/net_vpc/examples/internal-ranges.yaml

@@ -0,0 +1,76 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.vpc.google_compute_network.network[0]:
+    auto_create_subnetworks: false
+    delete_default_routes_on_create: false
+    description: Terraform-managed.
+    enable_ula_internal_ipv6: null
+    name: my-network
+    network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
+    network_profile: null
+    params: []
+    project: project-id
+    routing_mode: GLOBAL
+    timeouts: null
+  module.vpc.google_network_connectivity_internal_range.internal_range["range1"]:
+    allocation_options: []
+    description: null
+    effective_labels:
+      goog-terraform-provisioned: 'true'
+    exclude_cidr_ranges: null
+    immutable: null
+    ip_cidr_range: 10.0.0.0/16
+    labels: null
+    migration: []
+    name: range1
+    overlaps: null
+    peering: FOR_SELF
+    prefix_length: null
+    project: project-id
+    target_cidr_range: null
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
+    timeouts: null
+    usage: FOR_VPC
+  module.vpc.google_network_connectivity_internal_range.internal_range["range2"]:
+    allocation_options: []
+    description: Auto-allocated secondary range
+    effective_labels:
+      goog-terraform-provisioned: 'true'
+    exclude_cidr_ranges: null
+    immutable: null
+    labels: null
+    migration: []
+    name: range2
+    overlaps: null
+    peering: FOR_SELF
+    prefix_length: 24
+    project: project-id
+    target_cidr_range:
+    - 10.1.0.0/16
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
+    timeouts: null
+    usage: FOR_VPC
+
+counts:
+  google_compute_network: 1
+  google_compute_route: 3
+  google_network_connectivity_internal_range: 2
+  modules: 1
+  resources: 6
+
+outputs: {}

tests/modules/net_vpc/examples/subnets-internal-ranges.yaml

@@ -0,0 +1,117 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.vpc.google_compute_network.network[0]:
+    auto_create_subnetworks: false
+    delete_default_routes_on_create: false
+    description: Terraform-managed.
+    enable_ula_internal_ipv6: null
+    name: my-network
+    network_firewall_policy_enforcement_order: AFTER_CLASSIC_FIREWALL
+    network_profile: null
+    params: []
+    project: project-id
+    routing_mode: GLOBAL
+    timeouts: null
+  module.vpc.google_compute_subnetwork.subnetwork["europe-west1/production"]:
+    description: Terraform-managed.
+    ip_collection: null
+    ipv6_access_type: null
+    log_config: []
+    name: production
+    network: my-network
+    params: []
+    private_ip_google_access: true
+    project: project-id
+    region: europe-west1
+    role: null
+    secondary_ip_range:
+    - range_name: pods
+    - range_name: services
+    - ip_cidr_range: 192.168.0.0/24
+      range_name: traditional
+      reserved_internal_range: null
+    send_secondary_ip_range_if_empty: true
+    timeouts: null
+  module.vpc.google_network_connectivity_internal_range.internal_range["pods-range"]:
+    allocation_options: []
+    description: null
+    effective_labels:
+      goog-terraform-provisioned: 'true'
+    exclude_cidr_ranges: null
+    immutable: null
+    ip_cidr_range: 10.1.0.0/16
+    labels: null
+    migration: []
+    name: pods-range
+    overlaps: null
+    peering: FOR_SELF
+    prefix_length: null
+    project: project-id
+    target_cidr_range: null
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
+    timeouts: null
+    usage: FOR_VPC
+  module.vpc.google_network_connectivity_internal_range.internal_range["services-range"]:
+    allocation_options: []
+    description: null
+    effective_labels:
+      goog-terraform-provisioned: 'true'
+    exclude_cidr_ranges: null
+    immutable: null
+    labels: null
+    migration: []
+    name: services-range
+    overlaps: null
+    peering: FOR_SELF
+    prefix_length: 20
+    project: project-id
+    target_cidr_range:
+    - 10.2.0.0/16
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
+    timeouts: null
+    usage: FOR_VPC
+  module.vpc.google_network_connectivity_internal_range.internal_range["subnet-range"]:
+    allocation_options: []
+    description: null
+    effective_labels:
+      goog-terraform-provisioned: 'true'
+    exclude_cidr_ranges: null
+    immutable: null
+    ip_cidr_range: 10.0.1.0/24
+    labels: null
+    migration: []
+    name: subnet-range
+    overlaps: null
+    peering: FOR_SELF
+    prefix_length: null
+    project: project-id
+    target_cidr_range: null
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
+    timeouts: null
+    usage: FOR_VPC
+
+counts:
+  google_compute_network: 1
+  google_compute_route: 3
+  google_compute_subnetwork: 1
+  google_network_connectivity_internal_range: 3
+  modules: 1
+  resources: 8
+
+outputs: {}

tests/modules/project_factory/examples/example.yaml

@@ -289,6 +289,9 @@ values:
   : project: test-pf-dev-ta-app0-be
     service: container.googleapis.com
     timeouts: null
+  module.project-factory.module.projects["dev-ta-app0-be"].google_tags_tag_binding.binding["context"]:
+    tag_value: tagValues/654321
+    timeouts: null
   module.project-factory.module.projects["dev-ta-app0-be"].google_tags_tag_key.default["my-tag-key-1"]:
     description: Managed by the Terraform project-factory module.
     parent: projects/test-pf-dev-ta-app0-be
@@ -594,10 +597,10 @@ counts:
   google_storage_bucket: 1
   google_storage_bucket_iam_binding: 2
   google_storage_project_service_account: 4
-  google_tags_tag_binding: 1
+  google_tags_tag_binding: 2
   google_tags_tag_key: 1
   google_tags_tag_value: 2
   google_tags_tag_value_iam_binding: 1
   modules: 23
-  resources: 85
+  resources: 86
   terraform_data: 1

tests/modules/secret_manager/context.tfvars

@@ -0,0 +1,99 @@
+context = {
+  condition_vars = {
+    organization = {
+      id = 1234567890
+    }
+  }
+  custom_roles = {
+    myrole_one = "organizations/366118655033/roles/myRoleOne"
+    myrole_two = "organizations/366118655033/roles/myRoleTwo"
+  }
+  kms_keys = {
+    compute-prod-ew1 = "projects/kms-central-prj/locations/europe-west1/keyRings/my-keyring/cryptoKeys/ew1-compute"
+  }
+  iam_principals = {
+    mygroup = "group:test-group@example.com"
+    mysa    = "serviceAccount:test@test-project.iam.gserviceaccount.com"
+    myuser  = "user:test-user@example.com"
+  }
+  locations = {
+    ew1 = "europe-west1"
+  }
+  project_ids = {
+    vpc-host = "test-vpc-host"
+  }
+  tag_keys = {
+    test = "tagKeys/1234567890"
+  }
+  tag_values = {
+    "test/one" = "tagValues/1234567890"
+  }
+}
+project_id = "test-0"
+secrets = {
+  test-global = {
+    kms_key = "$kms_keys:compute-prod-ew1"
+    iam = {
+      "$custom_roles:myrole_one" = [
+        "$iam_principals:myuser"
+      ]
+      "roles/viewer" = [
+        "$iam_principals:mysa",
+      ]
+    }
+    iam_bindings = {
+      myrole_two = {
+        role = "$custom_roles:myrole_two"
+        members = [
+          "$iam_principals:mysa"
+        ]
+        condition = {
+          title      = "Test"
+          expression = "resource.matchTag('$${organization.id}/environment', 'development')"
+        }
+      }
+    }
+    iam_bindings_additive = {
+      myrole_two = {
+        role   = "$custom_roles:myrole_two"
+        member = "$iam_principals:myuser"
+      }
+    }
+    tag_bindings = {
+      foo = "$tag_values:test/one"
+    }
+  }
+  test-regional = {
+    location = "$locations:ew1"
+    kms_key  = "$kms_keys:compute-prod-ew1"
+    iam = {
+      "$custom_roles:myrole_one" = [
+        "$iam_principals:myuser"
+      ]
+      "roles/viewer" = [
+        "$iam_principals:mysa",
+      ]
+    }
+    iam_bindings = {
+      myrole_two = {
+        role = "$custom_roles:myrole_two"
+        members = [
+          "$iam_principals:mysa"
+        ]
+        condition = {
+          title      = "Test"
+          expression = "resource.matchTag('$${organization.id}/environment', 'development')"
+        }
+      }
+    }
+    iam_bindings_additive = {
+      myrole_two = {
+        role   = "$custom_roles:myrole_two"
+        member = "$iam_principals:myuser"
+      }
+    }
+    tag_bindings = {
+      foo = "$tag_values:test/one"
+    }
+  }
+}

tests/modules/secret_manager/context.yaml

@@ -0,0 +1,125 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  google_secret_manager_regional_secret.default["test-regional"]:
+    annotations: null
+    customer_managed_encryption:
+    - kms_key_name: projects/kms-central-prj/locations/europe-west1/keyRings/my-keyring/cryptoKeys/ew1-compute
+    deletion_protection: false
+    effective_labels:
+      goog-terraform-provisioned: 'true'
+    labels: null
+    location: europe-west1
+    project: test-0
+    rotation: []
+    secret_id: test-regional
+    tags: null
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
+    timeouts: null
+    topics: []
+    ttl: null
+    version_aliases: null
+    version_destroy_ttl: null
+  google_secret_manager_regional_secret_iam_binding.authoritative["test-regional.$custom_roles:myrole_one"]:
+    condition: []
+    location: europe-west1
+    members:
+    - user:test-user@example.com
+    role: organizations/366118655033/roles/myRoleOne
+  google_secret_manager_regional_secret_iam_binding.authoritative["test-regional.roles/viewer"]:
+    condition: []
+    location: europe-west1
+    members:
+    - serviceAccount:test@test-project.iam.gserviceaccount.com
+    role: roles/viewer
+  google_secret_manager_regional_secret_iam_binding.bindings["test-regional-myrole_two"]:
+    condition:
+    - description: null
+      expression: resource.matchTag('1234567890/environment', 'development')
+      title: Test
+    location: europe-west1
+    members:
+    - serviceAccount:test@test-project.iam.gserviceaccount.com
+    role: organizations/366118655033/roles/myRoleTwo
+  google_secret_manager_regional_secret_iam_member.members["test-regional-myrole_two"]:
+    condition: []
+    location: europe-west1
+    member: user:test-user@example.com
+    role: organizations/366118655033/roles/myRoleTwo
+  google_secret_manager_secret.default["test-global"]:
+    annotations: null
+    deletion_protection: false
+    effective_labels:
+      goog-terraform-provisioned: 'true'
+    labels: null
+    project: test-0
+    replication:
+    - auto:
+      - customer_managed_encryption:
+        - kms_key_name: projects/kms-central-prj/locations/europe-west1/keyRings/my-keyring/cryptoKeys/ew1-compute
+      user_managed: []
+    rotation: []
+    secret_id: test-global
+    tags: null
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
+    timeouts: null
+    topics: []
+    ttl: null
+    version_aliases: null
+    version_destroy_ttl: null
+  google_secret_manager_secret_iam_binding.authoritative["test-global.$custom_roles:myrole_one"]:
+    condition: []
+    members:
+    - user:test-user@example.com
+    role: organizations/366118655033/roles/myRoleOne
+  google_secret_manager_secret_iam_binding.authoritative["test-global.roles/viewer"]:
+    condition: []
+    members:
+    - serviceAccount:test@test-project.iam.gserviceaccount.com
+    role: roles/viewer
+  google_secret_manager_secret_iam_binding.bindings["test-global-myrole_two"]:
+    condition:
+    - description: null
+      expression: resource.matchTag('1234567890/environment', 'development')
+      title: Test
+    members:
+    - serviceAccount:test@test-project.iam.gserviceaccount.com
+    role: organizations/366118655033/roles/myRoleTwo
+  google_secret_manager_secret_iam_member.members["test-global-myrole_two"]:
+    condition: []
+    member: user:test-user@example.com
+    role: organizations/366118655033/roles/myRoleTwo
+  google_tags_location_tag_binding.binding["test-regional/foo"]:
+    location: europe-west1
+    parent: //secretmanager.googleapis.com/projects/test-0/locations/europe-west1/secrets/test-regional
+    tag_value: tagValues/1234567890
+    timeouts: null
+  google_tags_tag_binding.binding["test-global/foo"]:
+    parent: //secretmanager.googleapis.com/projects/test-0/secrets/test-global
+    tag_value: tagValues/1234567890
+    timeouts: null
+counts:
+  google_secret_manager_regional_secret: 1
+  google_secret_manager_regional_secret_iam_binding: 3
+  google_secret_manager_regional_secret_iam_member: 1
+  google_secret_manager_secret: 1
+  google_secret_manager_secret_iam_binding: 3
+  google_secret_manager_secret_iam_member: 1
+  google_tags_location_tag_binding: 1
+  google_tags_tag_binding: 1
+  modules: 0
+  resources: 12

tests/modules/secret_manager/tftest.yaml

@@ -0,0 +1,19 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module: modules/secret-manager
+
+tests:
+  context:
+    skip_tofu: True