revert #3704 (#3713)

2026-02-07 11:08:25 +01:00
parent d499dc6928
commit fda89827a2
8 changed files with 198 additions and 213 deletions
--- a/modules/project-factory/README.md
+++ b/modules/project-factory/README.md
@@ -916,7 +916,7 @@ module "project-factory" {
    projects = "data/projects"
  }
 }
-# tftest modules=5 resources=25 files=test-0,test-1,test-2 inventory=test-1.yaml
+# tftest modules=5 resources=29 files=test-0,test-1,test-2 inventory=test-1.yaml
 ```
 ```yaml
@@ -933,6 +933,15 @@ iam_bindings_additive:
    condition:
      title: Test context
      expression: resource.matchTag('${organization.id}/context', 'project-factory')
 tags:
  allow-key-creation:
    description: Allow key creation for automation service account
    values:
      allow:
        description: Allow key creation
        iam:
          roles/resourcemanager.tagUser:
            - $iam_principals:service_accounts/tags-iam-test/automation/rw
 # tftest-file id=test-0 path=data/projects/test-0.yaml
 ```
@@ -944,6 +953,8 @@ prefix: null
 services:
  - iam.googleapis.com
  - contactcenteraiplatform.googleapis.com
 tag_bindings:
  test: $tag_values/
 # tftest-file id=test-1 path=data/projects/test-1.yaml
 ```
@@ -956,47 +967,3 @@ services:
  - storage.googleapis.com
 # tftest-file id=test-2 path=data/projects/test-2.yaml
 ```
 This test validates that `$iam_principals:service_accounts/...` interpolation works correctly
 within tags IAM definitions when referencing automation service accounts created by the same
 project-factory.
 ```hcl
 module "project-factory" {
  source = "./fabric/modules/project-factory"
  data_defaults = {
    billing_account = "012345-67890A-ABCDEF"
    locations = {
      storage = "eu"
    }
  }
  data_overrides = {
    prefix = "test-pf"
  }
  factories_config = {
    projects = "data/projects"
  }
 }
 # tftest modules=5 resources=9 files=tags-iam-test inventory=tags_iam_principals_bug.yaml
 ```
 ```yaml
 parent: folders/1234567890
 services:
  - resourcemanager.googleapis.com
 automation:
  project: test-pf-teams-iac-0
  service_accounts:
    rw:
      description: Read/write automation service account.
 tags:
  allow-key-creation:
    description: Allow key creation for automation service account
    values:
      allow:
        description: Allow key creation
        iam:
          roles/resourcemanager.tagUser:
            - $iam_principals:service_accounts/tags-iam-test/automation/rw
 # tftest-file id=tags-iam-test path=data/projects/tags-iam-test.yaml
 ```
--- a/modules/project-factory/projects.tf
+++ b/modules/project-factory/projects.tf
@@ -133,10 +133,7 @@ module "projects" {
  tag_bindings = merge(
    each.value.tag_bindings, var.data_merges.tag_bindings
  )
-  tags = each.value.tags
+  tags                    = each.value.tags
  tags_config = {
    ignore_iam = true
  }
  universe                = each.value.universe
  vpc_sc                  = each.value.vpc_sc
  workload_identity_pools = each.value.workload_identity_pools
@@ -189,9 +186,5 @@ module "projects-iam" {
  )
  shared_vpc_host_config    = each.value.shared_vpc_host_config
  shared_vpc_service_config = each.value.shared_vpc_service_config
-  tags                      = each.value.tags
+  universe                  = each.value.universe
  tags_config = {
    force_context_ids = true
  }
  universe = each.value.universe
 }
--- a/tests/modules/project/tags_iam_principals.tfvars
+++ b/tests/modules/project/tags_iam_principals.tfvars
@@ -1,44 +0,0 @@
 # Copyright 2026 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #      http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # Test for $iam_principals interpolation within tags
 # This test demonstrates the bug where if a service account created by the same
 # project-factory is referenced via $iam_principals:service_accounts/... in tags,
 # the interpolation fails because the context doesn't have the key at the time
 # tags is processed (tags are processed in module "projects", but iam_principals
 # for the project's own service accounts are only added in module "projects-iam").
 # Case 1: iam_principals key IS present in context - should work
 context = {
  iam_principals = {
    # Simulate service accounts created by project-factory with nested paths
    "service_accounts/my-project/automation/rw" = "serviceAccount:my-project-rw@my-project.iam.gserviceaccount.com"
  }
 }
 tags = {
  allow-key-creation = {
    description = "Allow key creation for automation service account"
    values = {
      allow = {
        description = "Allow key creation"
        iam = {
          "roles/resourcemanager.tagUser" = [
            "$iam_principals:service_accounts/my-project/automation/rw"
          ]
        }
      }
    }
  }
 }
--- a/tests/modules/project/tags_iam_principals.yaml
+++ b/tests/modules/project/tags_iam_principals.yaml
@@ -1,44 +0,0 @@
 # Copyright 2026 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #      http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # This test verifies that $iam_principals interpolation works correctly
 # in tags when using nested paths like service_accounts/project/automation/rw
 #
 # Expected: The member should resolve to the service account email from context
 values:
  google_project.project[0]:
    name: my-project
  google_tags_tag_key.default["allow-key-creation"]:
    parent: projects/my-project
    purpose: null
    purpose_data: null
    short_name: allow-key-creation
    timeouts: null
  google_tags_tag_value.default["allow-key-creation/allow"]:
    short_name: allow
    timeouts: null
  google_tags_tag_value_iam_binding.default["allow-key-creation/allow:roles/resourcemanager.tagUser"]:
    condition: []
    members:
      # This is the expected behavior - the interpolation should resolve
      # to the actual service account email from context.iam_principals
      - serviceAccount:my-project-rw@my-project.iam.gserviceaccount.com
    role: roles/resourcemanager.tagUser
 counts:
  google_project: 1
  google_tags_tag_key: 1
  google_tags_tag_value: 1
  google_tags_tag_value_iam_binding: 1
--- a/tests/modules/project/tftest.yaml
+++ b/tests/modules/project/tftest.yaml
@@ -31,5 +31,4 @@ tests:
  service_encryption_keys:
  service_agents:
  service_agents_universe:
  tags_iam_principals:
  universe:
--- a/tests/modules/project_factory/examples/example.yaml
+++ b/tests/modules/project_factory/examples/example.yaml
@@ -496,7 +496,7 @@ values:
    description: My value 3
    short_name: my-value-2
    timeouts: null
-  ? module.project-factory.module.projects-iam["dev-ta-app0-be"].google_tags_tag_value_iam_binding.default["my-tag-key-1/my-value-2:roles/resourcemanager.tagUser"]
+  ? module.project-factory.module.projects["dev-ta-app0-be"].google_tags_tag_value_iam_binding.default["my-tag-key-1/my-value-2:roles/resourcemanager.tagUser"]
  : condition: []
    members:
    - user:user@example.com
--- a/tests/modules/project_factory/examples/tags_iam_principals_bug.yaml
+++ b/tests/modules/project_factory/examples/tags_iam_principals_bug.yaml
@@ -1,61 +0,0 @@
 # Copyright 2026 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #      http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # Test for $iam_principals interpolation bug in tags
 #
 # BUG DESCRIPTION:
 # When a project uses tags with IAM that references an automation service account
 # via $iam_principals:service_accounts/PROJECT/automation/SA, the interpolation
 # fails because:
 #
 # 1. In projects.tf, `module "projects"` (line ~78) processes `tags` but passes
 #    a context that does NOT include the project's own automation service accounts
 #
 # 2. In projects.tf, `module "projects-iam"` (line ~141) has the correct context
 #    with automation service accounts merged, but it does NOT process `tags`
 #
 # RESULT: The literal string "$iam_principals:service_accounts/..." is used
 # as the member instead of being interpolated to the actual service account email.
 #
 # This test expects the CORRECT behavior (interpolated value).
 # Currently, it will FAIL until the bug is fixed.
 values:
  module.project-factory.module.projects["tags-iam-test"].google_project.project[0]:
    name: test-pf-tags-iam-test
  module.project-factory.module.projects["tags-iam-test"].google_tags_tag_key.default["allow-key-creation"]:
    description: Allow key creation for automation service account
    short_name: allow-key-creation
  module.project-factory.module.projects["tags-iam-test"].google_tags_tag_value.default["allow-key-creation/allow"]:
    description: Allow key creation
    short_name: allow
  ? module.project-factory.module.projects-iam["tags-iam-test"].google_tags_tag_value_iam_binding.default["allow-key-creation/allow:roles/resourcemanager.tagUser"]
  : condition: []
    members:
      # EXPECTED: This should be the interpolated service account email
      # BUG: Currently this is the literal "$iam_principals:service_accounts/tags-iam-test/automation/rw"
      - serviceAccount:tags-iam-test-rw@test-pf-teams-iac-0.iam.gserviceaccount.com
    role: roles/resourcemanager.tagUser
  module.project-factory.module.automation-service-accounts["tags-iam-test/automation/rw"].google_service_account.service_account[0]:
    account_id: tags-iam-test-rw
    email: tags-iam-test-rw@test-pf-teams-iac-0.iam.gserviceaccount.com
    project: test-pf-teams-iac-0
 counts:
  google_project: 1
  google_service_account: 1
  google_tags_tag_key: 1
  google_tags_tag_value: 1
  google_tags_tag_value_iam_binding: 1
  modules: 5
--- a/tests/modules/project_factory/examples/test-1.yaml
+++ b/tests/modules/project_factory/examples/test-1.yaml
@@ -13,13 +13,6 @@
 # limitations under the License.
 values:
  module.project-factory.module.projects["test-0"].google_project.project[0]:
    project_id: foo-test-0
  module.project-factory.module.projects["test-1"].google_project.project[0]:
    name: Test Project 1
    project_id: test-1
  module.project-factory.module.projects["test-2"].google_project.project[0]:
    project_id: bar-test-2
  module.project-factory.module.projects-iam["test-0"].google_project_iam_member.bindings["test_context"]:
    condition:
    - description: null
@@ -28,12 +21,194 @@ values:
    member: user:user1@example.com
    project: foo-test-0
    role: roles/viewer
  module.project-factory.module.projects["test-0"].google_project.project[0]:
    auto_create_network: false
    billing_account: 012345-67890A-ABCDEF
    deletion_policy: DELETE
    effective_labels:
      goog-terraform-provisioned: 'true'
      owner: foo
    folder_id: '1234567890'
    labels:
      owner: foo
    name: foo-test-0
    org_id: null
    project_id: foo-test-0
    tags: null
    terraform_labels:
      goog-terraform-provisioned: 'true'
      owner: foo
    timeouts: null
  module.project-factory.module.projects["test-0"].google_project_iam_member.service_agents["compute-system"]:
    condition: []
    project: foo-test-0
    role: roles/compute.serviceAgent
  module.project-factory.module.projects["test-0"].google_project_iam_member.service_agents["container-engine-robot"]:
    condition: []
    project: foo-test-0
    role: roles/container.serviceAgent
  module.project-factory.module.projects["test-0"].google_project_iam_member.service_agents["gkenode"]:
    condition: []
    project: foo-test-0
    role: roles/container.defaultNodeServiceAgent
  module.project-factory.module.projects["test-0"].google_project_service.project_services["compute.googleapis.com"]:
    disable_dependent_services: false
    disable_on_destroy: false
    project: foo-test-0
    service: compute.googleapis.com
    timeouts: null
  ? module.project-factory.module.projects["test-0"].google_project_service.project_services["contactcenteraiplatform.googleapis.com"]
  : disable_dependent_services: false
    disable_on_destroy: false
    project: foo-test-0
    service: contactcenteraiplatform.googleapis.com
    timeouts: null
  module.project-factory.module.projects["test-0"].google_project_service.project_services["container.googleapis.com"]:
    disable_dependent_services: false
    disable_on_destroy: false
    project: foo-test-0
    service: container.googleapis.com
    timeouts: null
  module.project-factory.module.projects["test-0"].google_project_service.project_services["iam.googleapis.com"]:
    disable_dependent_services: false
    disable_on_destroy: false
    project: foo-test-0
    service: iam.googleapis.com
    timeouts: null
  ? module.project-factory.module.projects["test-0"].google_project_service_identity.default["contactcenteraiplatform.googleapis.com"]
  : project: foo-test-0
    service: contactcenteraiplatform.googleapis.com
    timeouts: null
  module.project-factory.module.projects["test-0"].google_project_service_identity.default["container.googleapis.com"]:
    project: foo-test-0
    service: container.googleapis.com
    timeouts: null
  module.project-factory.module.projects["test-0"].google_tags_tag_key.default["allow-key-creation"]:
    allowed_values_regex: null
    description: Allow key creation for automation service account
    parent: projects/foo-test-0
    purpose: null
    purpose_data: null
    short_name: allow-key-creation
    timeouts: null
  module.project-factory.module.projects["test-0"].google_tags_tag_value.default["allow-key-creation/allow"]:
    description: Allow key creation
    short_name: allow
    timeouts: null
  ? module.project-factory.module.projects["test-0"].google_tags_tag_value_iam_binding.default["allow-key-creation/allow:roles/resourcemanager.tagUser"]
  : condition: []
    members:
    - $iam_principals:service_accounts/tags-iam-test/automation/rw
    role: roles/resourcemanager.tagUser
  module.project-factory.module.projects["test-1"].google_project.project[0]:
    auto_create_network: false
    billing_account: 012345-67890A-ABCDEF
    deletion_policy: DELETE
    effective_labels:
      goog-terraform-provisioned: 'true'
      owner: foo
    folder_id: '1234567890'
    labels:
      owner: foo
    name: Test Project 1
    org_id: null
    project_id: test-1
    tags: null
    terraform_labels:
      goog-terraform-provisioned: 'true'
      owner: foo
    timeouts: null
  module.project-factory.module.projects["test-1"].google_project_iam_member.service_agents["compute-system"]:
    condition: []
    project: test-1
    role: roles/compute.serviceAgent
  module.project-factory.module.projects["test-1"].google_project_service.project_services["compute.googleapis.com"]:
    disable_dependent_services: false
    disable_on_destroy: false
    project: test-1
    service: compute.googleapis.com
    timeouts: null
  ? module.project-factory.module.projects["test-1"].google_project_service.project_services["contactcenteraiplatform.googleapis.com"]
  : disable_dependent_services: false
    disable_on_destroy: false
    project: test-1
    service: contactcenteraiplatform.googleapis.com
    timeouts: null
  module.project-factory.module.projects["test-1"].google_project_service.project_services["iam.googleapis.com"]:
    disable_dependent_services: false
    disable_on_destroy: false
    project: test-1
    service: iam.googleapis.com
    timeouts: null
  ? module.project-factory.module.projects["test-1"].google_project_service_identity.default["contactcenteraiplatform.googleapis.com"]
  : project: test-1
    service: contactcenteraiplatform.googleapis.com
    timeouts: null
  module.project-factory.module.projects["test-1"].google_tags_tag_binding.binding["test"]:
    tag_value: $tag_values/
    timeouts: null
  module.project-factory.module.projects["test-2"].data.google_storage_project_service_account.gcs_sa[0]:
    project: bar-test-2
    user_project: null
  module.project-factory.module.projects["test-2"].google_project.project[0]:
    auto_create_network: false
    billing_account: 012345-67890A-ABCDEF
    deletion_policy: DELETE
    effective_labels:
      goog-terraform-provisioned: 'true'
      owner: foo
    folder_id: '1234567890'
    labels:
      owner: foo
    name: bar-test-2
    org_id: null
    project_id: bar-test-2
    tags: null
    terraform_labels:
      goog-terraform-provisioned: 'true'
      owner: foo
    timeouts: null
  module.project-factory.module.projects["test-2"].google_project_iam_member.service_agents["compute-system"]:
    condition: []
    project: bar-test-2
    role: roles/compute.serviceAgent
  module.project-factory.module.projects["test-2"].google_project_service.project_services["compute.googleapis.com"]:
    disable_dependent_services: false
    disable_on_destroy: false
    project: bar-test-2
    service: compute.googleapis.com
    timeouts: null
  module.project-factory.module.projects["test-2"].google_project_service.project_services["iam.googleapis.com"]:
    disable_dependent_services: false
    disable_on_destroy: false
    project: bar-test-2
    service: iam.googleapis.com
    timeouts: null
  module.project-factory.module.projects["test-2"].google_project_service.project_services["storage.googleapis.com"]:
    disable_dependent_services: false
    disable_on_destroy: false
    project: bar-test-2
    service: storage.googleapis.com
    timeouts: null
  module.project-factory.terraform_data.defaults_preconditions:
    input: null
    output: null
    triggers_replace: null
  module.project-factory.terraform_data.project-preconditions:
    input: null
    output: null
    triggers_replace: null
 counts:
  google_project: 3
  google_project_iam_member: 6
  google_project_service: 10
  google_project_service_identity: 3
  google_storage_project_service_account: 1
  google_tags_tag_binding: 1
  google_tags_tag_key: 1
  google_tags_tag_value: 1
  google_tags_tag_value_iam_binding: 1
  modules: 5
-  resources: 25
+  resources: 29
  terraform_data: 2