Remove Netsec Authz Service Agent (#3445)

* Remove Netsec Authz Service Agent * fix tests
2025-10-20 21:36:03 +02:00
parent 0faaba4e45
commit 792003ff97
16 changed files with 29 additions and 36 deletions
--- a/modules/apigee/recipe-apigee-swp/README.md
+++ b/modules/apigee/recipe-apigee-swp/README.md
@@ -54,4 +54,4 @@ module "recipe_apigee_swp" {
    subnet_proxy_only_ip_cidr_range = "10.16.2.0/24"
  }
 }
-# tftest modules=10 resources=44
+# tftest modules=10 resources=43
--- a/modules/project/service-agents.yaml
+++ b/modules/project/service-agents.yaml
@@ -1163,13 +1163,6 @@
  role: null
  is_primary: true
  aliases: []
- name: ns-authz
-  display_name: Google Cloud Network Security Authz Service Account
-  api: networksecurity.googleapis.com
-  identity: service-${project_number}@gcp-sa-ns-authz.${universe_domain}iam.gserviceaccount.com
-  role: roles/networksecurity.authzServiceAgent
-  is_primary: false
-  aliases: []
 - name: osconfig-rollout
  display_name: Google Cloud OS Config Rollout Service Agent
  api: osconfig.googleapis.com
--- a/tests/fast/stages/s0_org_setup/not-simple.yaml
+++ b/tests/fast/stages/s0_org_setup/not-simple.yaml
@@ -2776,7 +2776,7 @@ counts:
  google_organization_iam_custom_role: 7
  google_project: 3
  google_project_iam_binding: 16
-  google_project_iam_member: 18
+  google_project_iam_member: 17
  google_project_service: 33
  google_project_service_identity: 9
  google_service_account: 16
@@ -2793,5 +2793,5 @@ counts:
  google_tags_tag_value_iam_binding: 4
  local_file: 9
  modules: 46
-  resources: 311
+  resources: 310
  terraform_data: 2
--- a/tests/fast/stages/s2_networking_a_simple/ncc.yaml
+++ b/tests/fast/stages/s2_networking_a_simple/ncc.yaml
@@ -36,10 +36,10 @@ counts:
  google_network_connectivity_spoke: 2
  google_project: 3
  google_project_iam_binding: 2
-  google_project_iam_member: 24
+  google_project_iam_member: 22
  google_project_service: 28
  google_project_service_identity: 22
  google_storage_bucket_object: 2
  google_tags_tag_binding: 3
  modules: 23
-  resources: 191
+  resources: 189
--- a/tests/fast/stages/s2_networking_a_simple/simple.yaml
+++ b/tests/fast/stages/s2_networking_a_simple/simple.yaml
@@ -40,11 +40,11 @@ counts:
  google_monitoring_monitored_project: 2
  google_project: 3
  google_project_iam_binding: 2
-  google_project_iam_member: 24
+  google_project_iam_member: 22
  google_project_service: 28
  google_project_service_identity: 22
  google_storage_bucket_object: 2
  google_tags_tag_binding: 3
  modules: 28
  random_id: 3
-  resources: 208
+  resources: 206
--- a/tests/fast/stages/s2_networking_a_simple/vpn.yaml
+++ b/tests/fast/stages/s2_networking_a_simple/vpn.yaml
@@ -38,11 +38,11 @@ counts:
  google_monitoring_monitored_project: 2
  google_project: 3
  google_project_iam_binding: 2
-  google_project_iam_member: 24
+  google_project_iam_member: 22
  google_project_service: 28
  google_project_service_identity: 22
  google_storage_bucket_object: 2
  google_tags_tag_binding: 3
  modules: 30
  random_id: 17
-  resources: 255
+  resources: 253
--- a/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml
+++ b/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml
@@ -43,11 +43,11 @@ counts:
  google_network_connectivity_spoke: 4
  google_project: 3
  google_project_iam_binding: 2
-  google_project_iam_member: 24
+  google_project_iam_member: 22
  google_project_service: 28
  google_project_service_identity: 22
  google_storage_bucket_object: 2
  google_tags_tag_binding: 3
  modules: 38
  random_id: 6
-  resources: 275
+  resources: 273
--- a/tests/fast/stages/s2_networking_b_nva/regional.yaml
+++ b/tests/fast/stages/s2_networking_b_nva/regional.yaml
@@ -45,11 +45,11 @@ counts:
  google_monitoring_monitored_project: 2
  google_project: 3
  google_project_iam_binding: 2
-  google_project_iam_member: 24
+  google_project_iam_member: 22
  google_project_service: 28
  google_project_service_identity: 22
  google_storage_bucket_object: 2
  google_tags_tag_binding: 3
  modules: 46
  random_id: 6
-  resources: 285
+  resources: 283
--- a/tests/fast/stages/s2_networking_b_nva/simple.yaml
+++ b/tests/fast/stages/s2_networking_b_nva/simple.yaml
@@ -45,11 +45,11 @@ counts:
  google_monitoring_monitored_project: 2
  google_project: 3
  google_project_iam_binding: 2
-  google_project_iam_member: 24
+  google_project_iam_member: 22
  google_project_service: 28
  google_project_service_identity: 22
  google_storage_bucket_object: 2
  google_tags_tag_binding: 3
  modules: 42
  random_id: 6
-  resources: 261
+  resources: 259
--- a/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml
+++ b/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml
@@ -38,11 +38,11 @@ counts:
  google_monitoring_dashboard: 6
  google_project: 2
  google_project_iam_binding: 2
-  google_project_iam_member: 20
+  google_project_iam_member: 18
  google_project_service: 22
  google_project_service_identity: 18
  google_storage_bucket_object: 2
  google_tags_tag_binding: 2
  modules: 23
  random_id: 6
-  resources: 233
+  resources: 231
--- a/tests/modules/net_vpc_factory/ncc.yaml
+++ b/tests/modules/net_vpc_factory/ncc.yaml
@@ -32,9 +32,9 @@ counts:
  google_network_connectivity_hub: 1
  google_network_connectivity_spoke: 3
  google_project: 3
-  google_project_iam_member: 24
+  google_project_iam_member: 21
  google_project_service: 27
  google_project_service_identity: 21
  modules: 17
  random_id: 3
-  resources: 139
+  resources: 136
--- a/tests/modules/net_vpc_factory/only_projects.yaml
+++ b/tests/modules/net_vpc_factory/only_projects.yaml
@@ -14,8 +14,8 @@

 counts:
  google_project: 3
-  google_project_iam_member: 24
+  google_project_iam_member: 21
  google_project_service: 27
  google_project_service_identity: 21
  modules: 3
-  resources: 75
+  resources: 72
--- a/tests/modules/net_vpc_factory/peering.yaml
+++ b/tests/modules/net_vpc_factory/peering.yaml
@@ -30,9 +30,9 @@ counts:
  google_dns_policy: 4
  google_dns_record_set: 1
  google_project: 3
-  google_project_iam_member: 24
+  google_project_iam_member: 21
  google_project_service: 27
  google_project_service_identity: 21
  modules: 18
  random_id: 3
-  resources: 142
+  resources: 139
--- a/tests/modules/net_vpc_factory/separate_envs.yaml
+++ b/tests/modules/net_vpc_factory/separate_envs.yaml
@@ -27,9 +27,9 @@ counts:
  google_compute_vpn_tunnel: 2
  google_dns_policy: 2
  google_project: 3
-  google_project_iam_member: 24
+  google_project_iam_member: 21
  google_project_service: 27
  google_project_service_identity: 21
  modules: 11
  random_id: 4
-  resources: 117
+  resources: 114
--- a/tests/modules/net_vpc_factory/vpn.yaml
+++ b/tests/modules/net_vpc_factory/vpn.yaml
@@ -29,9 +29,9 @@ counts:
  google_dns_policy: 4
  google_dns_record_set: 1
  google_project: 3
-  google_project_iam_member: 24
+  google_project_iam_member: 21
  google_project_service: 27
  google_project_service_identity: 21
  modules: 22
  random_id: 15
-  resources: 178
+  resources: 175
--- a/tools/build_service_agents.py
+++ b/tools/build_service_agents.py
@@ -54,8 +54,8 @@ ALIASES = {
 }

 IGNORED_AGENTS = [
-    # Alloydb has two agents. Ignore the non-primary one
-    'c-PROJECT_NUMBER-IDENTIFIER@gcp-sa-alloydb.iam.gserviceaccount.com'
+    # gcp-sa-ns-authz agent gets created on first create op
+    'service-PROJECT_NUMBER@gcp-sa-ns-authz.iam.gserviceaccount.com'
 ]

 AGENT_NAME_OVERRIDE = {