Add asset_feeds to resman modules (#3658)

* Add asset_feeds to resman modules * Add examples and update readmes * Extend pubsub_topic context to project and folder modules * Use pubsub_topic context for pubsub_destination * Update readmes and add project-factory asset_feed example * Update context tests * Update schemas
2026-01-20 15:37:35 +01:00
parent 558e552b5e
commit d9e1b924a1
43 changed files with 1935 additions and 126 deletions
--- a/tests/modules/folder/context.tfvars
+++ b/tests/modules/folder/context.tfvars
@@ -21,10 +21,23 @@ context = {
    mysa    = "serviceAccount:test@test-project.iam.gserviceaccount.com"
    myuser  = "user:test-user@example.com"
  }
+  pubsub_topics = {
+    test = "projects/test-prod-audit-logs-0/topics/audit-logs"
+  }
  tag_values = {
    "test/one" = "tagValues/1234567890"
  }
 }
+asset_feeds = {
+  test = {
+    billing_project = "test-project"
+    feed_output_config = {
+      pubsub_destination = {
+        topic = "$pubsub_topics:test"
+      }
+    }
+  }
+}
 contacts = {
  "$email_addresses:default" = ["ALL"]
 }
@@ -82,6 +95,13 @@ logging_data_access = {
    DATA_READ = {}
  }
 }
+logging_sinks = {
+  test-pubsub = {
+    destination = "$pubsub_topics:test"
+    filter      = "log_id('cloudaudit.googleapis.com/activity')"
+    type        = "pubsub"
+  }
+}
 pam_entitlements = {
  net-admins = {
    max_request_duration = "3600s"
--- a/tests/modules/folder/context.yaml
+++ b/tests/modules/folder/context.yaml
@@ -13,16 +13,29 @@
 # limitations under the License.

 values:
+  google_cloud_asset_folder_feed.default["test"]:
+    asset_names: null
+    asset_types: null
+    billing_project: test-project
+    condition: []
+    content_type: null
+    feed_id: test
+    feed_output_config:
+    - pubsub_destination:
+      - topic: projects/test-prod-audit-logs-0/topics/audit-logs
+    timeouts: null
  google_essential_contacts_contact.contact["$email_addresses:default"]:
    email: foo@example.com
    language_tag: en
    notification_category_subscriptions:
    - ALL
+    timeouts: null
  google_folder.folder[0]:
    deletion_protection: false
    display_name: Test Context
    parent: organizations/1234567890
    tags: null
+    timeouts: null
  google_folder_iam_audit_config.default["allServices"]:
    audit_log_config:
    - exempted_members:
@@ -83,6 +96,15 @@ values:
    condition: []
    member: user:test-user@example.com
    role: organizations/366118655033/roles/myRoleTwo
+  google_logging_folder_sink.sink["test-pubsub"]:
+    description: test-pubsub (Terraform-managed).
+    destination: pubsub.googleapis.com/projects/test-prod-audit-logs-0/topics/audit-logs
+    disabled: false
+    exclusions: []
+    filter: log_id('cloudaudit.googleapis.com/activity')
+    include_children: true
+    intercept_children: false
+    name: test-pubsub
  google_privileged_access_manager_entitlement.default["net-admins"]:
    additional_notification_targets: []
    approval_workflow:
@@ -114,16 +136,26 @@ values:
    - not_mandatory: []
      unstructured:
      - {}
+    timeouts: null
+  google_pubsub_topic_iam_member.pubsub-sinks-binding["test-pubsub"]:
+    condition: []
+    project: test-prod-audit-logs-0
+    role: roles/pubsub.publisher
+    topic: audit-logs
  google_tags_tag_binding.binding["foo"]:
    tag_value: tagValues/1234567890
+    timeouts: null

 counts:
+  google_cloud_asset_folder_feed: 1
  google_essential_contacts_contact: 1
  google_folder: 1
  google_folder_iam_audit_config: 1
  google_folder_iam_binding: 7
  google_folder_iam_member: 1
+  google_logging_folder_sink: 1
  google_privileged_access_manager_entitlement: 1
+  google_pubsub_topic_iam_member: 1
  google_tags_tag_binding: 1
  modules: 0
-  resources: 13
+  resources: 16
--- a/tests/modules/folder/examples/feeds.yaml
+++ b/tests/modules/folder/examples/feeds.yaml
@@ -0,0 +1,48 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.folder.google_cloud_asset_folder_feed.default["compute-instances"]:
+    asset_names: null
+    asset_types:
+    - compute.googleapis.com/Instance
+    billing_project: project-id
+    condition: []
+    content_type: RESOURCE
+    feed_id: compute-instances
+    feed_output_config:
+    - pubsub_destination:
+      - topic: projects/project-id/topics/folder-asset-feed
+    timeouts: null
+  module.pubsub.google_pubsub_topic.default:
+    effective_labels:
+      goog-terraform-provisioned: 'true'
+    ingestion_data_source_settings: []
+    kms_key_name: null
+    labels: null
+    message_retention_duration: null
+    message_transforms: []
+    name: folder-asset-feed
+    project: project-id
+    schema_settings: []
+    tags: null
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
+    timeouts: null
+
+counts:
+  google_cloud_asset_folder_feed: 1
+  google_pubsub_topic: 1
+  modules: 2
+  resources: 3
--- a/tests/modules/folder/examples/logging.yaml
+++ b/tests/modules/folder/examples/logging.yaml
@@ -1,4 +1,4 @@
-# Copyright 2025 Google LLC
+# Copyright 2026 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -29,33 +29,51 @@ values:
    default_table_expiration_ms: null
    delete_contents_on_destroy: false
    description: Terraform managed.
+    effective_labels:
+      goog-terraform-provisioned: 'true'
+    external_catalog_dataset_options: []
+    external_dataset_reference: []
    friendly_name: null
    labels: null
    location: EU
    max_time_travel_hours: '168'
    project: project-id
+    resource_tags: null
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
+    timeouts: null
  module.destination-project.data.google_logging_project_settings.logging_sa[0]:
    project: test-dest-prj
  module.destination-project.google_project.project[0]:
    auto_create_network: false
    billing_account: 123456-123456-123456
-    deletion_policy: 'DELETE'
+    deletion_policy: DELETE
+    effective_labels:
+      goog-terraform-provisioned: 'true'
    folder_id: '1122334455'
    labels: null
    name: test-dest-prj
    org_id: null
    project_id: test-dest-prj
+    tags: null
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
+    timeouts: null
  module.destination-project.google_project_service.project_services["logging.googleapis.com"]:
    disable_dependent_services: false
    disable_on_destroy: false
    project: test-dest-prj
    service: logging.googleapis.com
+    timeouts: null
  module.folder-sink.google_bigquery_dataset_iam_member.bq-sinks-binding["info"]:
    condition: []
    role: roles/bigquery.dataEditor
  module.folder-sink.google_folder.folder[0]:
+    deletion_protection: false
    display_name: Folder name
    parent: folders/1122334455
+    tags: null
+    timeouts: null
  module.folder-sink.google_logging_folder_exclusion.logging-exclusion["no-gce-instances"]:
    description: no-gce-instances (Terraform-managed).
    disabled: null
@@ -68,6 +86,7 @@ values:
    exclusions: []
    filter: severity=ALERT
    include_children: true
+    intercept_children: false
    name: alert
  module.folder-sink.google_logging_folder_sink.sink["debug"]:
    description: debug (Terraform-managed).
@@ -79,6 +98,7 @@ values:
      name: no-compute
    filter: severity=DEBUG
    include_children: true
+    intercept_children: false
    name: debug
  module.folder-sink.google_logging_folder_sink.sink["info"]:
    bigquery_options:
@@ -88,6 +108,7 @@ values:
    exclusions: []
    filter: severity=INFO
    include_children: true
+    intercept_children: false
    name: info
  module.folder-sink.google_logging_folder_sink.sink["notice"]:
    description: notice (Terraform-managed).
@@ -96,6 +117,7 @@ values:
    exclusions: []
    filter: severity=NOTICE
    include_children: true
+    intercept_children: false
    name: notice
  module.folder-sink.google_logging_folder_sink.sink["warnings"]:
    description: warnings (Terraform-managed).
@@ -104,6 +126,7 @@ values:
    exclusions: []
    filter: severity=WARNING
    include_children: true
+    intercept_children: false
    name: warnings
  module.folder-sink.google_project_iam_member.bucket-sinks-binding["debug"]:
    condition:
@@ -111,7 +134,7 @@ values:
    role: roles/logging.bucketWriter
  module.folder-sink.google_project_iam_member.project-sinks-binding["alert"]:
    condition: []
-    project: test-dest-prj
+    project: projects/test-dest-prj
    role: roles/logging.logWriter
  module.folder-sink.google_pubsub_topic_iam_member.pubsub-sinks-binding["notice"]:
    condition: []
@@ -122,14 +145,19 @@ values:
    bucket: test-gcs_sink
    condition: []
    role: roles/storage.objectCreator
+    timeouts: null
  module.gcs.google_storage_bucket.bucket[0]:
    autoclass: []
    cors: []
    custom_placement_config: []
    default_event_based_hold: null
+    effective_labels:
+      goog-terraform-provisioned: 'true'
    enable_object_retention: null
    encryption: []
    force_destroy: true
+    hierarchical_namespace: []
+    ip_filter: []
    labels: null
    lifecycle_rule: []
    location: EU
@@ -139,13 +167,25 @@ values:
    requester_pays: null
    retention_policy: []
    storage_class: STANDARD
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
+    timeouts: null
    uniform_bucket_level_access: true
  module.pubsub.google_pubsub_topic.default:
+    effective_labels:
+      goog-terraform-provisioned: 'true'
+    ingestion_data_source_settings: []
    kms_key_name: null
    labels: null
    message_retention_duration: null
+    message_transforms: []
    name: pubsub_sink
    project: project-id
+    schema_settings: []
+    tags: null
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
+    timeouts: null

 counts:
  google_bigquery_dataset: 1
--- a/tests/modules/organization/context.tfvars
+++ b/tests/modules/organization/context.tfvars
@@ -41,6 +41,16 @@ context = {
    "test/one" = "tagValues/1234567890"
  }
 }
+asset_feeds = {
+  test = {
+    billing_project = "test-project"
+    feed_output_config = {
+      pubsub_destination = {
+        topic = "$pubsub_topics:test"
+      }
+    }
+  }
+}
 contacts = {
  "$email_addresses:default" = ["ALL"]
 }
--- a/tests/modules/organization/context.yaml
+++ b/tests/modules/organization/context.yaml
@@ -18,15 +18,29 @@ values:
    dataset_id: logs
    project: test-prod-audit-logs-0
    role: roles/bigquery.dataEditor
+  google_cloud_asset_organization_feed.default["test"]:
+    asset_names: null
+    asset_types: null
+    billing_project: test-project
+    condition: []
+    content_type: null
+    feed_id: test
+    feed_output_config:
+    - pubsub_destination:
+      - topic: projects/test-prod-audit-logs-0/topics/audit-logs
+    org_id: organizations/1234567890
+    timeouts: null
  google_essential_contacts_contact.contact["$email_addresses:default"]:
    email: foo@example.com
    language_tag: en
    notification_category_subscriptions:
    - ALL
    parent: organizations/1234567890
+    timeouts: null
  google_logging_organization_settings.default[0]:
    organization: '1234567890'
    storage_location: europe-west8
+    timeouts: null
  google_logging_organization_sink.sink["test-bq"]:
    bigquery_options:
    - use_partitioned_tables: false
@@ -182,6 +196,7 @@ values:
    - not_mandatory: []
      unstructured:
      - {}
+    timeouts: null
  google_project_iam_member.bucket-sinks-binding["test-logging"]:
    condition:
    - expression: resource.name.endsWith('projects/test-prod-audit-logs-0/locations/europe-west8/buckets/audit-logs')
@@ -201,9 +216,11 @@ values:
    bucket: test-prod-logs-audit-0
    condition: []
    role: roles/storage.objectCreator
+    timeouts: null
  google_tags_tag_binding.binding["foo"]:
    parent: //cloudresourcemanager.googleapis.com/organizations/1234567890
    tag_value: tagValues/1234567890
+    timeouts: null
  google_tags_tag_key_iam_binding.bindings["test:tag_user"]:
    condition: []
    members:
@@ -241,6 +258,7 @@ values:

 counts:
  google_bigquery_dataset_iam_member: 1
+  google_cloud_asset_organization_feed: 1
  google_essential_contacts_contact: 1
  google_logging_organization_settings: 1
  google_logging_organization_sink: 5
@@ -257,4 +275,4 @@ counts:
  google_tags_tag_value_iam_binding: 2
  google_tags_tag_value_iam_member: 1
  modules: 0
-  resources: 29
+  resources: 30
--- a/tests/modules/organization/examples/feeds.yaml
+++ b/tests/modules/organization/examples/feeds.yaml
@@ -0,0 +1,50 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.org.google_cloud_asset_organization_feed.default["security-monitoring"]:
+    asset_names: null
+    asset_types: null
+    billing_project: project-id
+    condition: []
+    content_type: IAM_POLICY
+    feed_id: security-monitoring
+    feed_output_config:
+    - pubsub_destination:
+      - topic: projects/project-id/topics/org-asset-feed
+    org_id: organizations/1122334455
+    timeouts: null
+  module.pubsub.google_pubsub_topic.default:
+    effective_labels:
+      goog-terraform-provisioned: 'true'
+    ingestion_data_source_settings: []
+    kms_key_name: null
+    labels: null
+    message_retention_duration: null
+    message_transforms: []
+    name: org-asset-feed
+    project: project-id
+    schema_settings: []
+    tags: null
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
+    timeouts: null
+
+counts:
+  google_cloud_asset_organization_feed: 1
+  google_pubsub_topic: 1
+  modules: 2
+  resources: 2
+
+outputs: {}
--- a/tests/modules/project/context.tfvars
+++ b/tests/modules/project/context.tfvars
@@ -34,6 +34,19 @@ context = {
  vpc_sc_perimeters = {
    default = "accessPolicies/888933661165/servicePerimeters/default"
  }
+  pubsub_topics = {
+    test = "projects/test-prod-audit-logs-0/topics/audit-logs"
+  }
+}
+asset_feeds = {
+  test = {
+    billing_project = "test-project"
+    feed_output_config = {
+      pubsub_destination = {
+        topic = "$pubsub_topics:test"
+      }
+    }
+  }
 }
 contacts = {
  "$email_addresses:default" = ["ALL"]
@@ -82,6 +95,13 @@ logging_data_access = {
    DATA_READ = {}
  }
 }
+logging_sinks = {
+  test-pubsub = {
+    destination = "$pubsub_topics:test"
+    filter      = "log_id('cloudaudit.googleapis.com/activity')"
+    type        = "pubsub"
+  }
+}
 pam_entitlements = {
  net-admins = {
    max_request_duration = "3600s"
--- a/tests/modules/project/context.yaml
+++ b/tests/modules/project/context.yaml
@@ -15,20 +15,45 @@
 values:
  google_access_context_manager_service_perimeter_resource.default["$vpc_sc_perimeters:default"]:
    perimeter_name: accessPolicies/888933661165/servicePerimeters/default
+    timeouts: null
+  google_cloud_asset_project_feed.default["test"]:
+    asset_names: null
+    asset_types: null
+    billing_project: test-project
+    condition: []
+    content_type: null
+    feed_id: test
+    feed_output_config:
+    - pubsub_destination:
+      - topic: projects/test-prod-audit-logs-0/topics/audit-logs
+    project: my-project
+    timeouts: null
  google_compute_shared_vpc_service_project.shared_vpc_service[0]:
    deletion_policy: null
    host_project: test-vpc-host
    service_project: my-project
+    timeouts: null
  google_essential_contacts_contact.contact["$email_addresses:default"]:
    email: foo@example.com
    language_tag: en
    notification_category_subscriptions:
    - ALL
    parent: projects/my-project
+    timeouts: null
  google_kms_crypto_key_iam_member.service_agent_cmek["key-0.compute-system"]:
    condition: []
    crypto_key_id: projects/kms-central-prj/locations/europe-west1/keyRings/my-keyring/cryptoKeys/ew1-compute
    role: roles/cloudkms.cryptoKeyEncrypterDecrypter
+  google_logging_project_sink.sink["test-pubsub"]:
+    custom_writer_identity: null
+    description: test-pubsub (Terraform-managed).
+    destination: pubsub.googleapis.com/projects/test-prod-audit-logs-0/topics/audit-logs
+    disabled: false
+    exclusions: []
+    filter: log_id('cloudaudit.googleapis.com/activity')
+    name: test-pubsub
+    project: my-project
+    unique_writer_identity: true
  google_privileged_access_manager_entitlement.default["net-admins"]:
    additional_notification_targets: []
    approval_workflow:
@@ -62,6 +87,7 @@ values:
    - not_mandatory: []
      unstructured:
      - {}
+    timeouts: null
  google_project.project[0]:
    auto_create_network: false
    billing_account: null
@@ -76,6 +102,7 @@ values:
    tags: null
    terraform_labels:
      goog-terraform-provisioned: 'true'
+    timeouts: null
  google_project_iam_audit_config.default["allServices"]:
    audit_log_config:
    - exempted_members:
@@ -176,8 +203,15 @@ values:
    disable_on_destroy: false
    project: my-project
    service: compute.googleapis.com
+    timeouts: null
+  google_pubsub_topic_iam_member.pubsub-sinks-binding["test-pubsub"]:
+    condition: []
+    project: test-prod-audit-logs-0
+    role: roles/pubsub.publisher
+    topic: audit-logs
  google_tags_tag_binding.binding["foo"]:
    tag_value: tagValues/1234567890
+    timeouts: null
  google_tags_tag_key_iam_binding.bindings["test:tag_user"]:
    condition: []
    members:
@@ -215,19 +249,22 @@ values:

 counts:
  google_access_context_manager_service_perimeter_resource: 1
+  google_cloud_asset_project_feed: 1
  google_compute_shared_vpc_service_project: 1
  google_essential_contacts_contact: 1
  google_kms_crypto_key_iam_member: 1
+  google_logging_project_sink: 1
  google_privileged_access_manager_entitlement: 1
  google_project: 1
  google_project_iam_audit_config: 1
  google_project_iam_binding: 7
  google_project_iam_member: 7
  google_project_service: 1
+  google_pubsub_topic_iam_member: 1
  google_tags_tag_binding: 1
  google_tags_tag_key_iam_binding: 2
  google_tags_tag_key_iam_member: 1
  google_tags_tag_value_iam_binding: 2
  google_tags_tag_value_iam_member: 1
  modules: 0
-  resources: 29
+  resources: 32
--- a/tests/modules/project/examples/feeds.yaml
+++ b/tests/modules/project/examples/feeds.yaml
@@ -0,0 +1,49 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.project.google_cloud_asset_project_feed.default["compute-instances"]:
+    asset_names: null
+    asset_types:
+    - compute.googleapis.com/Instance
+    billing_project: test-project
+    condition: []
+    content_type: RESOURCE
+    feed_id: compute-instances
+    feed_output_config:
+    - pubsub_destination:
+      - topic: projects/project-id/topics/asset-feed
+    project: test-project
+    timeouts: null
+  module.pubsub.google_pubsub_topic.default:
+    effective_labels:
+      goog-terraform-provisioned: 'true'
+    ingestion_data_source_settings: []
+    kms_key_name: null
+    labels: null
+    message_retention_duration: null
+    message_transforms: []
+    name: asset-feed
+    project: project-id
+    schema_settings: []
+    tags: null
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
+    timeouts: null
+
+counts:
+  google_cloud_asset_project_feed: 1
+  google_pubsub_topic: 1
+  modules: 2
+  resources: 6
--- a/tests/modules/project/examples/logging.yaml
+++ b/tests/modules/project/examples/logging.yaml
@@ -1,4 +1,4 @@
-# Copyright 2025 Google LLC
+# Copyright 2026 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -29,35 +29,54 @@ values:
    default_table_expiration_ms: null
    delete_contents_on_destroy: true
    description: Terraform managed.
+    effective_labels:
+      goog-terraform-provisioned: 'true'
+    external_catalog_dataset_options: []
+    external_dataset_reference: []
    friendly_name: null
    labels: null
    location: EU
    max_time_travel_hours: '168'
    project: project-id
+    resource_tags: null
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
+    timeouts: null
  module.destination-project.data.google_logging_project_settings.logging_sa[0]:
    project: test-dest-prj
  module.destination-project.google_project.project[0]:
    auto_create_network: false
    billing_account: 123456-123456-123456
-    deletion_policy: 'DELETE'
+    deletion_policy: DELETE
+    effective_labels:
+      goog-terraform-provisioned: 'true'
    folder_id: '1122334455'
    labels: null
    name: test-dest-prj
    org_id: null
    project_id: test-dest-prj
+    tags: null
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
+    timeouts: null
  module.destination-project.google_project_service.project_services["logging.googleapis.com"]:
    disable_dependent_services: false
    disable_on_destroy: false
    project: test-dest-prj
    service: logging.googleapis.com
+    timeouts: null
  module.gcs.google_storage_bucket.bucket[0]:
    autoclass: []
    cors: []
    custom_placement_config: []
    default_event_based_hold: null
+    effective_labels:
+      goog-terraform-provisioned: 'true'
    enable_object_retention: null
    encryption: []
    force_destroy: true
+    hierarchical_namespace: []
+    ip_filter: []
    labels: null
    lifecycle_rule: []
    location: EU
@@ -67,6 +86,9 @@ values:
    requester_pays: null
    retention_policy: []
    storage_class: STANDARD
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
+    timeouts: null
    uniform_bucket_level_access: true
  module.project-host.data.google_logging_project_settings.logging_sa[0]:
    project: test-project
@@ -136,25 +158,32 @@ values:
  module.project-host.google_project.project[0]:
    auto_create_network: false
    billing_account: 123456-123456-123456
-    deletion_policy: 'DELETE'
+    deletion_policy: DELETE
+    effective_labels:
+      goog-terraform-provisioned: 'true'
    folder_id: '1122334455'
    labels: null
    name: test-project
    org_id: null
    project_id: test-project
+    tags: null
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
+    timeouts: null
  module.project-host.google_project_iam_member.bucket-sinks-binding["debug"]:
    condition:
    - title: debug bucket writer
    role: roles/logging.bucketWriter
  module.project-host.google_project_iam_member.project-sinks-binding["alert"]:
    condition: []
-    project: test-dest-prj
+    project: projects/test-dest-prj
    role: roles/logging.logWriter
  module.project-host.google_project_service.project_services["logging.googleapis.com"]:
    disable_dependent_services: false
    disable_on_destroy: false
    project: test-project
    service: logging.googleapis.com
+    timeouts: null
  module.project-host.google_pubsub_topic_iam_member.pubsub-sinks-binding["notice"]:
    condition: []
    project: project-id
@@ -164,12 +193,22 @@ values:
    bucket: test-gcs_sink
    condition: []
    role: roles/storage.objectCreator
+    timeouts: null
  module.pubsub.google_pubsub_topic.default:
+    effective_labels:
+      goog-terraform-provisioned: 'true'
+    ingestion_data_source_settings: []
    kms_key_name: null
    labels: null
    message_retention_duration: null
+    message_transforms: []
    name: pubsub_sink
    project: project-id
+    schema_settings: []
+    tags: null
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
+    timeouts: null

 counts:
  google_bigquery_dataset: 1
--- a/tests/modules/project_factory/examples/example.yaml
+++ b/tests/modules/project_factory/examples/example.yaml
@@ -1,4 +1,4 @@
-# Copyright 2025 Google LLC
+# Copyright 2026 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -213,6 +213,18 @@ values:
    display_name: Test
    tags: null
    timeouts: null
+  ? module.project-factory.module.folder-4["team-c/apps/test/app-x"].google_cloud_asset_folder_feed.default["compute-instances"]
+  : asset_names: null
+    asset_types:
+    - compute.googleapis.com/Instance
+    billing_project: $project_ids:feeds-project
+    condition: []
+    content_type: RESOURCE
+    feed_id: compute-instances
+    feed_output_config:
+    - pubsub_destination:
+      - topic: projects/my-cai-feeds-project/topics/feed
+    timeouts: null
  module.project-factory.module.folder-4["team-c/apps/test/app-x"].google_folder.folder[0]:
    deletion_protection: false
    display_name: App X
@@ -366,6 +378,10 @@ values:
    condition: []
    project: test-pf-dev-ta-app0-be
    role: roles/container.defaultNodeServiceAgent
+  module.project-factory.module.projects["dev-ta-app0-be"].google_project_iam_member.service_agents["pubsub"]:
+    condition: []
+    project: test-pf-dev-ta-app0-be
+    role: roles/pubsub.serviceAgent
  module.project-factory.module.projects["dev-ta-app0-be"].google_project_service.project_services["compute.googleapis.com"]:
    disable_dependent_services: false
    disable_on_destroy: false
@@ -378,6 +394,12 @@ values:
    project: test-pf-dev-ta-app0-be
    service: container.googleapis.com
    timeouts: null
+  module.project-factory.module.projects["dev-ta-app0-be"].google_project_service.project_services["pubsub.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: test-pf-dev-ta-app0-be
+    service: pubsub.googleapis.com
+    timeouts: null
  ? module.project-factory.module.projects["dev-ta-app0-be"].google_project_service.project_services["stackdriver.googleapis.com"]
  : disable_dependent_services: false
    disable_on_destroy: false
@@ -394,6 +416,10 @@ values:
  : project: test-pf-dev-ta-app0-be
    service: container.googleapis.com
    timeouts: null
+  module.project-factory.module.projects["dev-ta-app0-be"].google_project_service_identity.default["pubsub.googleapis.com"]:
+    project: test-pf-dev-ta-app0-be
+    service: pubsub.googleapis.com
+    timeouts: null
  module.project-factory.module.projects["dev-ta-app0-be"].google_tags_tag_binding.binding["context"]:
    tag_value: tagValues/654321
    timeouts: null
@@ -560,6 +586,7 @@ values:
      attribute.repository_owner: assertion.repository_owner
      attribute.sub: assertion.sub
      google.subject: assertion.sub
+    aws: []
    description: null
    disabled: false
    display_name: GitHub test provider.
@@ -568,9 +595,11 @@ values:
      issuer_uri: https://token.actions.githubusercontent.com
      jwks_json: null
    project: test-pf-teams-iac-0
+    saml: []
    timeouts: null
    workload_identity_pool_id: test-0
    workload_identity_pool_provider_id: github-test
+    x509: []
  module.project-factory.module.projects["teams-iac-0"].google_org_policy_policy.default["compute.disableSerialPortAccess"]:
    dry_run_spec: []
    name: projects/test-pf-teams-iac-0/policies/compute.disableSerialPortAccess
@@ -586,6 +615,22 @@ values:
        parameters: null
        values: []
    timeouts: null
+  ? module.project-factory.module.projects["teams-iac-0"].google_org_policy_policy.default["gcp.restrictCmekCryptoKeyProjects"]
+  : dry_run_spec: []
+    name: projects/test-pf-teams-iac-0/policies/gcp.restrictCmekCryptoKeyProjects
+    parent: projects/test-pf-teams-iac-0
+    spec:
+    - inherit_from_parent: null
+      reset: null
+      rules:
+      - allow_all: null
+        condition: []
+        deny_all: null
+        enforce: null
+        parameters: null
+        values:
+        - denied_values: null
+    timeouts: null
  module.project-factory.module.projects["teams-iac-0"].google_project.project[0]:
    auto_create_network: false
    billing_account: 012345-67890A-BCDEF0
@@ -635,11 +680,19 @@ values:
    service: container.googleapis.com
    timeouts: null
  module.project-factory.module.pubsub["dev-ta-app0-be/app-0-topic-a"].google_pubsub_topic.default:
+    effective_labels:
+      goog-terraform-provisioned: 'true'
+    ingestion_data_source_settings: []
    kms_key_name: null
+    labels: null
    message_retention_duration: null
+    message_transforms: []
    name: app-0-topic-a
    project: test-pf-dev-ta-app0-be
    schema_settings: []
+    tags: null
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
    timeouts: null
  ? module.project-factory.module.pubsub["dev-ta-app0-be/app-0-topic-a"].google_pubsub_topic_iam_binding.authoritative["roles/pubsub.subscriber"]
  : condition: []
@@ -648,28 +701,43 @@ values:
    project: test-pf-dev-ta-app0-be
    role: roles/pubsub.subscriber
    topic: app-0-topic-a
-  module.project-factory.module.pubsub["dev-ta-app0-be/app-0-topic-b"].google_pubsub_topic.default:
-    kms_key_name: null
-    message_retention_duration: null
-    name: app-0-topic-b
-    project: test-pf-dev-ta-app0-be
-    schema_settings: []
-    timeouts: null
-  module.project-factory.module.pubsub["dev-ta-app0-be/app-0-topic-b"].google_pubsub_subscription.default["app-0-topic-b-sub"]:
-    bigquery_config: []
+  ? module.project-factory.module.pubsub["dev-ta-app0-be/app-0-topic-b"].google_pubsub_subscription.default["app-0-topic-b-sub"]
+  : bigquery_config: []
    cloud_storage_config: []
    dead_letter_policy: []
+    effective_labels:
+      goog-terraform-provisioned: 'true'
    enable_exactly_once_delivery: false
    enable_message_ordering: false
    filter: null
+    labels: null
    message_retention_duration: 604800s
+    message_transforms: []
    name: app-0-topic-b-sub
    project: test-pf-dev-ta-app0-be
    push_config: []
    retain_acked_messages: false
    retry_policy: []
+    tags: null
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
    timeouts: null
    topic: app-0-topic-b
+  module.project-factory.module.pubsub["dev-ta-app0-be/app-0-topic-b"].google_pubsub_topic.default:
+    effective_labels:
+      goog-terraform-provisioned: 'true'
+    ingestion_data_source_settings: []
+    kms_key_name: null
+    labels: null
+    message_retention_duration: null
+    message_transforms: []
+    name: app-0-topic-b
+    project: test-pf-dev-ta-app0-be
+    schema_settings: []
+    tags: null
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
+    timeouts: null
  ? module.project-factory.module.service-accounts["dev-ta-app0-be/app-0-be"].google_project_iam_member.project-roles["$project_ids:dev-spoke-0-roles/compute.networkUser"]
  : condition: []
    project: $project_ids:dev-spoke-0
@@ -776,6 +844,7 @@ values:

 counts:
  google_billing_budget: 1
+  google_cloud_asset_folder_feed: 1
  google_compute_shared_vpc_host_project: 1
  google_compute_shared_vpc_service_project: 1
  google_essential_contacts_contact: 4
@@ -808,5 +877,5 @@ counts:
  google_tags_tag_value: 2
  google_tags_tag_value_iam_binding: 1
  modules: 29
-  resources: 107
+  resources: 108
  terraform_data: 2