Fix E2E tests.

* Disable tests for VPC connector and Cloud Functions, CFs are not supporrted in the default region * fix permissions to secrets for Cloud Run * add permissions admin permissions to any SA within project to `var.bucket` * add permissions to access the secret to any SA within project to secrets created by fixture * disable custom roles in E2E tests, as `var.organization_id` is not the same org, within which projects are created in E2E
2025-11-03 14:27:02 +00:00
parent 64632eb957
commit d5bc59a238
9 changed files with 22 additions and 25 deletions
--- a/tests/examples_e2e/setup_module/main.tf
+++ b/tests/examples_e2e/setup_module/main.tf
@@ -91,6 +91,14 @@ resource "google_storage_bucket" "bucket" {
  depends_on                  = [google_project_service.project_service]
 }

+resource "google_storage_bucket_iam_binding" "binding" {
+  bucket = google_storage_bucket.bucket.id
+  members = [
+    "principalSet://cloudresourcemanager.googleapis.com/projects/${google_project.project.number}/type/ServiceAccount"
+  ]
+  role = "roles/storage.admin"
+}
+
 resource "google_compute_network" "network" {
  name                    = "e2e-test"
  project                 = google_project.project.project_id
--- a/tests/fixtures/secret-credentials.tf
+++ b/tests/fixtures/secret-credentials.tf
@@ -23,6 +23,7 @@ module "secret-manager" {
        "roles/secretmanager.secretAccessor" = [
          "serviceAccount:${var.project_number}-compute@developer.gserviceaccount.com",
          "serviceAccount:${var.project_id}@appspot.gserviceaccount.com",
+          "principalSet://cloudresourcemanager.googleapis.com/projects/${var.project_number}/type/ServiceAccount",
        ]
      }
      versions = {
--- a/tests/modules/cloud_run_v2/examples/service-iam-env.yaml
+++ b/tests/modules/cloud_run_v2/examples/service-iam-env.yaml
@@ -99,6 +99,7 @@ values:
  ? module.secret-manager.google_secret_manager_secret_iam_binding.authoritative["credentials.roles/secretmanager.secretAccessor"]
  : condition: []
    members:
+    - principalSet://cloudresourcemanager.googleapis.com/projects/123/type/ServiceAccount
    - serviceAccount:123-compute@developer.gserviceaccount.com
    - serviceAccount:project-id@appspot.gserviceaccount.com
    role: roles/secretmanager.secretAccessor
--- a/tests/modules/project/examples/iam-authoritative.yaml
+++ b/tests/modules/project/examples/iam-authoritative.yaml
@@ -28,11 +28,12 @@ values:
    terraform_labels:
      goog-terraform-provisioned: 'true'
    timeouts: null
-  module.project.google_project_iam_binding.authoritative["$custom_roles:my_role"]:
+  module.project.google_project_iam_binding.authoritative["roles/cloudasset.owner"]:
    condition: []
    members:
    - group:organization-admins@example.org
    project: test-project
+    role: roles/cloudasset.owner

 counts:
  google_project: 1
--- a/tests/modules/project/examples/iam-group.yaml
+++ b/tests/modules/project/examples/iam-group.yaml
@@ -13,11 +13,6 @@
 # limitations under the License.

 values:
-  module.project.google_project_iam_binding.authoritative["$custom_roles:my_role"]:
-    condition: []
-    members:
-    - group:organization-admins@example.org
-    project: test-project
  module.project.google_project_iam_binding.authoritative["roles/cloudasset.owner"]:
    condition: []
    members:
@@ -51,6 +46,6 @@ values:

 counts:
  google_project: 1
-  google_project_iam_binding: 6
+  google_project_iam_binding: 5
  modules: 1
-  resources: 8
+  resources: 7