kovagoadi/hunfabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

revert #3704 (#3713)

Browse Source
This commit is contained in:
Ludovico Magnocavallo
2026-02-07 11:08:25 +01:00
committed by GitHub
parent d499dc6928
commit fda89827a2
8 changed files with 198 additions and 213 deletions
Download Patch File Download Diff File Expand all files Collapse all files

57
modules/project-factory/README.md
View File

@@ -916,7 +916,7 @@ module "project-factory" {
projects = "data/projects"
}
}
# tftest modules=5 resources=25 files=test-0,test-1,test-2 inventory=test-1.yaml
# tftest modules=5 resources=29 files=test-0,test-1,test-2 inventory=test-1.yaml
```
```yaml
@@ -933,6 +933,15 @@ iam_bindings_additive:
condition:
title: Test context
expression: resource.matchTag('${organization.id}/context', 'project-factory')
tags:
allow-key-creation:
description: Allow key creation for automation service account
values:
allow:
description: Allow key creation
iam:
roles/resourcemanager.tagUser:
- $iam_principals:service_accounts/tags-iam-test/automation/rw
# tftest-file id=test-0 path=data/projects/test-0.yaml
```
@@ -944,6 +953,8 @@ prefix: null
services:
- iam.googleapis.com
- contactcenteraiplatform.googleapis.com
tag_bindings:
test: $tag_values/
# tftest-file id=test-1 path=data/projects/test-1.yaml
```
@@ -956,47 +967,3 @@ services:
- storage.googleapis.com
# tftest-file id=test-2 path=data/projects/test-2.yaml
```
This test validates that `$iam_principals:service_accounts/...` interpolation works correctly
within tags IAM definitions when referencing automation service accounts created by the same
project-factory.
```hcl
module "project-factory" {
source = "./fabric/modules/project-factory"
data_defaults = {
billing_account = "012345-67890A-ABCDEF"
locations = {
storage = "eu"
}
}
data_overrides = {
prefix = "test-pf"
}
factories_config = {
projects = "data/projects"
}
}
# tftest modules=5 resources=9 files=tags-iam-test inventory=tags_iam_principals_bug.yaml
```
```yaml
parent: folders/1234567890
services:
- resourcemanager.googleapis.com
automation:
project: test-pf-teams-iac-0
service_accounts:
rw:
description: Read/write automation service account.
tags:
allow-key-creation:
description: Allow key creation for automation service account
values:
allow:
description: Allow key creation
iam:
roles/resourcemanager.tagUser:
- $iam_principals:service_accounts/tags-iam-test/automation/rw
# tftest-file id=tags-iam-test path=data/projects/tags-iam-test.yaml
```

11
modules/project-factory/projects.tf
View File

@@ -133,10 +133,7 @@ module "projects" {
tag_bindings = merge(
each.value.tag_bindings, var.data_merges.tag_bindings
)
tags = each.value.tags
tags_config = {
ignore_iam = true
}
tags = each.value.tags
universe = each.value.universe
vpc_sc = each.value.vpc_sc
workload_identity_pools = each.value.workload_identity_pools
@@ -189,9 +186,5 @@ module "projects-iam" {
)
shared_vpc_host_config = each.value.shared_vpc_host_config
shared_vpc_service_config = each.value.shared_vpc_service_config
tags = each.value.tags
tags_config = {
force_context_ids = true
}
universe = each.value.universe
universe = each.value.universe
}

44
tests/modules/project/tags_iam_principals.tfvars
View File

@@ -1,44 +0,0 @@
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Test for $iam_principals interpolation within tags
# This test demonstrates the bug where if a service account created by the same
# project-factory is referenced via $iam_principals:service_accounts/... in tags,
# the interpolation fails because the context doesn't have the key at the time
# tags is processed (tags are processed in module "projects", but iam_principals
# for the project's own service accounts are only added in module "projects-iam").
# Case 1: iam_principals key IS present in context - should work
context = {
iam_principals = {
# Simulate service accounts created by project-factory with nested paths
"service_accounts/my-project/automation/rw" = "serviceAccount:my-project-rw@my-project.iam.gserviceaccount.com"
}
}
tags = {
allow-key-creation = {
description = "Allow key creation for automation service account"
values = {
allow = {
description = "Allow key creation"
iam = {
"roles/resourcemanager.tagUser" = [
"$iam_principals:service_accounts/my-project/automation/rw"
]
}
}
}
}
}

44
tests/modules/project/tags_iam_principals.yaml
View File

@@ -1,44 +0,0 @@
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This test verifies that $iam_principals interpolation works correctly
# in tags when using nested paths like service_accounts/project/automation/rw
#
# Expected: The member should resolve to the service account email from context
values:
google_project.project[0]:
name: my-project
google_tags_tag_key.default["allow-key-creation"]:
parent: projects/my-project
purpose: null
purpose_data: null
short_name: allow-key-creation
timeouts: null
google_tags_tag_value.default["allow-key-creation/allow"]:
short_name: allow
timeouts: null
google_tags_tag_value_iam_binding.default["allow-key-creation/allow:roles/resourcemanager.tagUser"]:
condition: []
members:
# This is the expected behavior - the interpolation should resolve
# to the actual service account email from context.iam_principals
- serviceAccount:my-project-rw@my-project.iam.gserviceaccount.com
role: roles/resourcemanager.tagUser
counts:
google_project: 1
google_tags_tag_key: 1
google_tags_tag_value: 1
google_tags_tag_value_iam_binding: 1

1
tests/modules/project/tftest.yaml
View File

@@ -31,5 +31,4 @@ tests:
service_encryption_keys:
service_agents:
service_agents_universe:
tags_iam_principals:
universe:

2
tests/modules/project_factory/examples/example.yaml
View File

@@ -496,7 +496,7 @@ values:
description: My value 3
short_name: my-value-2
timeouts: null
? module.project-factory.module.projects-iam["dev-ta-app0-be"].google_tags_tag_value_iam_binding.default["my-tag-key-1/my-value-2:roles/resourcemanager.tagUser"]
? module.project-factory.module.projects["dev-ta-app0-be"].google_tags_tag_value_iam_binding.default["my-tag-key-1/my-value-2:roles/resourcemanager.tagUser"]
: condition: []
members:
- user:user@example.com

61
tests/modules/project_factory/examples/tags_iam_principals_bug.yaml
View File

@@ -1,61 +0,0 @@
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Test for $iam_principals interpolation bug in tags
#
# BUG DESCRIPTION:
# When a project uses tags with IAM that references an automation service account
# via $iam_principals:service_accounts/PROJECT/automation/SA, the interpolation
# fails because:
#
# 1. In projects.tf, `module "projects"` (line ~78) processes `tags` but passes
# a context that does NOT include the project's own automation service accounts
#
# 2. In projects.tf, `module "projects-iam"` (line ~141) has the correct context
# with automation service accounts merged, but it does NOT process `tags`
#
# RESULT: The literal string "$iam_principals:service_accounts/..." is used
# as the member instead of being interpolated to the actual service account email.
#
# This test expects the CORRECT behavior (interpolated value).
# Currently, it will FAIL until the bug is fixed.
values:
module.project-factory.module.projects["tags-iam-test"].google_project.project[0]:
name: test-pf-tags-iam-test
module.project-factory.module.projects["tags-iam-test"].google_tags_tag_key.default["allow-key-creation"]:
description: Allow key creation for automation service account
short_name: allow-key-creation
module.project-factory.module.projects["tags-iam-test"].google_tags_tag_value.default["allow-key-creation/allow"]:
description: Allow key creation
short_name: allow
? module.project-factory.module.projects-iam["tags-iam-test"].google_tags_tag_value_iam_binding.default["allow-key-creation/allow:roles/resourcemanager.tagUser"]
: condition: []
members:
# EXPECTED: This should be the interpolated service account email
# BUG: Currently this is the literal "$iam_principals:service_accounts/tags-iam-test/automation/rw"
- serviceAccount:tags-iam-test-rw@test-pf-teams-iac-0.iam.gserviceaccount.com
role: roles/resourcemanager.tagUser
module.project-factory.module.automation-service-accounts["tags-iam-test/automation/rw"].google_service_account.service_account[0]:
account_id: tags-iam-test-rw
email: tags-iam-test-rw@test-pf-teams-iac-0.iam.gserviceaccount.com
project: test-pf-teams-iac-0
counts:
google_project: 1
google_service_account: 1
google_tags_tag_key: 1
google_tags_tag_value: 1
google_tags_tag_value_iam_binding: 1
modules: 5

191
tests/modules/project_factory/examples/test-1.yaml
View File

@@ -13,13 +13,6 @@
# limitations under the License.
values:
module.project-factory.module.projects["test-0"].google_project.project[0]:
project_id: foo-test-0
module.project-factory.module.projects["test-1"].google_project.project[0]:
name: Test Project 1
project_id: test-1
module.project-factory.module.projects["test-2"].google_project.project[0]:
project_id: bar-test-2
module.project-factory.module.projects-iam["test-0"].google_project_iam_member.bindings["test_context"]:
condition:
- description: null
@@ -28,12 +21,194 @@ values:
member: user:user1@example.com
project: foo-test-0
role: roles/viewer
module.project-factory.module.projects["test-0"].google_project.project[0]:
auto_create_network: false
billing_account: 012345-67890A-ABCDEF
deletion_policy: DELETE
effective_labels:
goog-terraform-provisioned: 'true'
owner: foo
folder_id: '1234567890'
labels:
owner: foo
name: foo-test-0
org_id: null
project_id: foo-test-0
tags: null
terraform_labels:
goog-terraform-provisioned: 'true'
owner: foo
timeouts: null
module.project-factory.module.projects["test-0"].google_project_iam_member.service_agents["compute-system"]:
condition: []
project: foo-test-0
role: roles/compute.serviceAgent
module.project-factory.module.projects["test-0"].google_project_iam_member.service_agents["container-engine-robot"]:
condition: []
project: foo-test-0
role: roles/container.serviceAgent
module.project-factory.module.projects["test-0"].google_project_iam_member.service_agents["gkenode"]:
condition: []
project: foo-test-0
role: roles/container.defaultNodeServiceAgent
module.project-factory.module.projects["test-0"].google_project_service.project_services["compute.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: foo-test-0
service: compute.googleapis.com
timeouts: null
? module.project-factory.module.projects["test-0"].google_project_service.project_services["contactcenteraiplatform.googleapis.com"]
: disable_dependent_services: false
disable_on_destroy: false
project: foo-test-0
service: contactcenteraiplatform.googleapis.com
timeouts: null
module.project-factory.module.projects["test-0"].google_project_service.project_services["container.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: foo-test-0
service: container.googleapis.com
timeouts: null
module.project-factory.module.projects["test-0"].google_project_service.project_services["iam.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: foo-test-0
service: iam.googleapis.com
timeouts: null
? module.project-factory.module.projects["test-0"].google_project_service_identity.default["contactcenteraiplatform.googleapis.com"]
: project: foo-test-0
service: contactcenteraiplatform.googleapis.com
timeouts: null
module.project-factory.module.projects["test-0"].google_project_service_identity.default["container.googleapis.com"]:
project: foo-test-0
service: container.googleapis.com
timeouts: null
module.project-factory.module.projects["test-0"].google_tags_tag_key.default["allow-key-creation"]:
allowed_values_regex: null
description: Allow key creation for automation service account
parent: projects/foo-test-0
purpose: null
purpose_data: null
short_name: allow-key-creation
timeouts: null
module.project-factory.module.projects["test-0"].google_tags_tag_value.default["allow-key-creation/allow"]:
description: Allow key creation
short_name: allow
timeouts: null
? module.project-factory.module.projects["test-0"].google_tags_tag_value_iam_binding.default["allow-key-creation/allow:roles/resourcemanager.tagUser"]
: condition: []
members:
- $iam_principals:service_accounts/tags-iam-test/automation/rw
role: roles/resourcemanager.tagUser
module.project-factory.module.projects["test-1"].google_project.project[0]:
auto_create_network: false
billing_account: 012345-67890A-ABCDEF
deletion_policy: DELETE
effective_labels:
goog-terraform-provisioned: 'true'
owner: foo
folder_id: '1234567890'
labels:
owner: foo
name: Test Project 1
org_id: null
project_id: test-1
tags: null
terraform_labels:
goog-terraform-provisioned: 'true'
owner: foo
timeouts: null
module.project-factory.module.projects["test-1"].google_project_iam_member.service_agents["compute-system"]:
condition: []
project: test-1
role: roles/compute.serviceAgent
module.project-factory.module.projects["test-1"].google_project_service.project_services["compute.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test-1
service: compute.googleapis.com
timeouts: null
? module.project-factory.module.projects["test-1"].google_project_service.project_services["contactcenteraiplatform.googleapis.com"]
: disable_dependent_services: false
disable_on_destroy: false
project: test-1
service: contactcenteraiplatform.googleapis.com
timeouts: null
module.project-factory.module.projects["test-1"].google_project_service.project_services["iam.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: test-1
service: iam.googleapis.com
timeouts: null
? module.project-factory.module.projects["test-1"].google_project_service_identity.default["contactcenteraiplatform.googleapis.com"]
: project: test-1
service: contactcenteraiplatform.googleapis.com
timeouts: null
module.project-factory.module.projects["test-1"].google_tags_tag_binding.binding["test"]:
tag_value: $tag_values/
timeouts: null
module.project-factory.module.projects["test-2"].data.google_storage_project_service_account.gcs_sa[0]:
project: bar-test-2
user_project: null
module.project-factory.module.projects["test-2"].google_project.project[0]:
auto_create_network: false
billing_account: 012345-67890A-ABCDEF
deletion_policy: DELETE
effective_labels:
goog-terraform-provisioned: 'true'
owner: foo
folder_id: '1234567890'
labels:
owner: foo
name: bar-test-2
org_id: null
project_id: bar-test-2
tags: null
terraform_labels:
goog-terraform-provisioned: 'true'
owner: foo
timeouts: null
module.project-factory.module.projects["test-2"].google_project_iam_member.service_agents["compute-system"]:
condition: []
project: bar-test-2
role: roles/compute.serviceAgent
module.project-factory.module.projects["test-2"].google_project_service.project_services["compute.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: bar-test-2
service: compute.googleapis.com
timeouts: null
module.project-factory.module.projects["test-2"].google_project_service.project_services["iam.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: bar-test-2
service: iam.googleapis.com
timeouts: null
module.project-factory.module.projects["test-2"].google_project_service.project_services["storage.googleapis.com"]:
disable_dependent_services: false
disable_on_destroy: false
project: bar-test-2
service: storage.googleapis.com
timeouts: null
module.project-factory.terraform_data.defaults_preconditions:
input: null
output: null
triggers_replace: null
module.project-factory.terraform_data.project-preconditions:
input: null
output: null
triggers_replace: null
counts:
google_project: 3
google_project_iam_member: 6
google_project_service: 10
google_project_service_identity: 3
google_storage_project_service_account: 1
google_tags_tag_binding: 1
google_tags_tag_key: 1
google_tags_tag_value: 1
google_tags_tag_value_iam_binding: 1
modules: 5
resources: 25
resources: 29
terraform_data: 2