Merge remote-tracking branch 'origin/master' into fast-dev

tests/examples_e2e/setup_module/main.tf

@@ -91,6 +91,14 @@ resource "google_storage_bucket" "bucket" {
   depends_on                  = [google_project_service.project_service]
 }
 
+resource "google_storage_bucket_iam_binding" "binding" {
+  bucket = google_storage_bucket.bucket.id
+  members = [
+    "principalSet://cloudresourcemanager.googleapis.com/projects/${google_project.project.number}/type/ServiceAccount"
+  ]
+  role = "roles/storage.admin"
+}
+
 resource "google_compute_network" "network" {
   name                    = "e2e-test"
   project                 = google_project.project.project_id

tests/fixtures/secret-credentials.tf

@@ -23,6 +23,7 @@ module "secret-manager" {
         "roles/secretmanager.secretAccessor" = [
           "serviceAccount:${var.project_number}-compute@developer.gserviceaccount.com",
           "serviceAccount:${var.project_id}@appspot.gserviceaccount.com",
+          "principalSet://cloudresourcemanager.googleapis.com/projects/${var.project_number}/type/ServiceAccount",
         ]
       }
       versions = {

tests/modules/cloud_run_v2/examples/service-iam-env.yaml

@@ -99,6 +99,7 @@ values:
   ? module.secret-manager.google_secret_manager_secret_iam_binding.authoritative["credentials.roles/secretmanager.secretAccessor"]
   : condition: []
     members:
+    - principalSet://cloudresourcemanager.googleapis.com/projects/123/type/ServiceAccount
     - serviceAccount:123-compute@developer.gserviceaccount.com
     - serviceAccount:project-id@appspot.gserviceaccount.com
     role: roles/secretmanager.secretAccessor

tests/modules/project/examples/bigqueryreservation.yaml

@@ -0,0 +1,142 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.project-bq-billing.data.google_bigquery_default_service_account.bq_sa[0]:
+    project: test-project-billing
+  module.project-bq-billing.google_bigquery_reservation.default["ew8"]:
+    autoscale: []
+    concurrency: 0
+    edition: STANDARD
+    ignore_idle_slots: false
+    location: europe-west8
+    name: ew8
+    project: test-project-billing
+    secondary_location: null
+    slot_capacity: 0
+    timeouts: null
+  module.project-bq-billing.google_project.project[0]:
+    auto_create_network: false
+    billing_account: 123456-123456-123456
+    deletion_policy: DELETE
+    effective_labels:
+      goog-terraform-provisioned: 'true'
+    folder_id: '1122334455'
+    labels: null
+    name: test-project-billing
+    org_id: null
+    project_id: test-project-billing
+    tags: null
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
+    timeouts: null
+  module.project-bq-billing.google_project_iam_member.service_agents["container-engine-robot"]:
+    condition: []
+    project: test-project-billing
+    role: roles/container.serviceAgent
+  module.project-bq-billing.google_project_iam_member.service_agents["gkenode"]:
+    condition: []
+    project: test-project-billing
+    role: roles/container.defaultNodeServiceAgent
+  module.project-bq-billing.google_project_service.project_services["bigquery.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: test-project-billing
+    service: bigquery.googleapis.com
+    timeouts: null
+  module.project-bq-billing.google_project_service.project_services["bigqueryreservation.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: test-project-billing
+    service: bigqueryreservation.googleapis.com
+    timeouts: null
+  module.project-bq-billing.google_project_service.project_services["container.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: test-project-billing
+    service: container.googleapis.com
+    timeouts: null
+  module.project-bq-billing.google_project_service.project_services["stackdriver.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: test-project-billing
+    service: stackdriver.googleapis.com
+    timeouts: null
+  module.project-bq-billing.google_project_service_identity.default["container.googleapis.com"]:
+    project: test-project-billing
+    service: container.googleapis.com
+    timeouts: null
+  module.project-bq-data.data.google_bigquery_default_service_account.bq_sa[0]:
+    project: test-project-data
+  module.project-bq-data.google_project.project[0]:
+    auto_create_network: false
+    billing_account: 123456-123456-123456
+    deletion_policy: DELETE
+    effective_labels:
+      goog-terraform-provisioned: 'true'
+    folder_id: '1122334455'
+    labels: null
+    name: test-project-data
+    org_id: null
+    project_id: test-project-data
+    tags: null
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
+    timeouts: null
+  module.project-bq-data.google_project_iam_member.service_agents["container-engine-robot"]:
+    condition: []
+    project: test-project-data
+    role: roles/container.serviceAgent
+  module.project-bq-data.google_project_iam_member.service_agents["gkenode"]:
+    condition: []
+    project: test-project-data
+    role: roles/container.defaultNodeServiceAgent
+  module.project-bq-data.google_project_service.project_services["bigquery.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: test-project-data
+    service: bigquery.googleapis.com
+    timeouts: null
+  module.project-bq-data.google_project_service.project_services["bigqueryreservation.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: test-project-data
+    service: bigqueryreservation.googleapis.com
+    timeouts: null
+  module.project-bq-data.google_project_service.project_services["container.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: test-project-data
+    service: container.googleapis.com
+    timeouts: null
+  module.project-bq-data.google_project_service.project_services["stackdriver.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: test-project-data
+    service: stackdriver.googleapis.com
+    timeouts: null
+  module.project-bq-data.google_project_service_identity.default["container.googleapis.com"]:
+    project: test-project-data
+    service: container.googleapis.com
+    timeouts: null
+
+counts:
+  google_bigquery_default_service_account: 2
+  google_bigquery_reservation: 1
+  google_project: 2
+  google_project_iam_member: 4
+  google_project_service: 8
+  google_project_service_identity: 2
+  modules: 2
+  resources: 20

tests/modules/project/examples/iam-authoritative.yaml

@@ -28,11 +28,12 @@ values:
     terraform_labels:
       goog-terraform-provisioned: 'true'
     timeouts: null
-  module.project.google_project_iam_binding.authoritative["$custom_roles:my_role"]:
+  module.project.google_project_iam_binding.authoritative["roles/cloudasset.owner"]:
     condition: []
     members:
     - group:organization-admins@example.org
     project: test-project
+    role: roles/cloudasset.owner
 
 counts:
   google_project: 1

tests/modules/project/examples/iam-group.yaml

@@ -13,11 +13,6 @@
 # limitations under the License.
 
 values:
-  module.project.google_project_iam_binding.authoritative["$custom_roles:my_role"]:
-    condition: []
-    members:
-    - group:organization-admins@example.org
-    project: test-project
   module.project.google_project_iam_binding.authoritative["roles/cloudasset.owner"]:
     condition: []
     members:
@@ -51,6 +46,6 @@ values:
 
 counts:
   google_project: 1
-  google_project_iam_binding: 6
+  google_project_iam_binding: 5
   modules: 1
-  resources: 8
+  resources: 7