From c50bb0261cb52d890a824d226bf7532b4fac4b1d Mon Sep 17 00:00:00 2001
From: Martijn van Schaardenburg
Date: Thu, 9 Oct 2025 17:31:30 +0000
Subject: [PATCH] chore: Per-module isolation for integration tests
---
 test/setup/iam.tf | 38 +++++++++++++++++++++++++++++++-------
 test/setup/main.tf | 20 ++++++++++++++------
 test/setup/outputs.tf | 15 ++++++++++-----
 3 files changed, 55 insertions(+), 18 deletions(-)
diff --git a/test/setup/iam.tf b/test/setup/iam.tf
index 06205b6..5720b9d 100644
--- a/test/setup/iam.tf
+++ b/test/setup/iam.tf
@@ -25,23 +25,47 @@ locals {
 ]
 }
- int_required_roles = tolist(toset(flatten(values(local.per_module_roles))))
+ extra_roles_for_tests = {}
+
+ // A list of items like:
+ // { module_name = "x", role = "role1"}
+ // { module_name = "x", role = "role2"}
+ // { module_name = "y", role = "role3"}
+ module_role_combinations = flatten(
+ [for module_name, _ in module.project :
+ [for role in setunion(local.per_module_roles[module_name], lookup(local.extra_roles_for_tests, module_name, [])) : {
+ module_name = module_name
+ role = role
+ }
+ ]
+ ]
+ )
 }
 resource "google_service_account" "int_test" {
- project = module.project.project_id
+ for_each = module.project
+
+ project = each.value.project_id
 account_id = "ci-account"
 display_name = "ci-account"
 }
 resource "google_project_iam_member" "int_test" {
- for_each = toset(local.int_required_roles)
+ for_each = {
+ for combination in local.module_role_combinations :
+ "${combination.module_name}.${combination.role}" => {
+ service_account = google_service_account.int_test[combination.module_name]
+ role = combination.role
+ }
+ }
- project = module.project.project_id
- role = each.value
- member = "serviceAccount:${google_service_account.int_test.email}"
+ project = each.value.service_account.project
+ role = each.value.role
+ member = "serviceAccount:${each.value.service_account.email}"
 }
 resource "google_service_account_key" "int_test" {
- service_account_id = google_service_account.int_test.id
+ for_each = module.project
+
+ service_account_id = google_service_account.int_test[each.key].id
 }
diff --git a/test/setup/main.tf b/test/setup/main.tf
index e8c55a1..83e885c 100644
--- a/test/setup/main.tf
+++ b/test/setup/main.tf
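Review bot: The inner `for` of `module_role_combinations` indexes `local.per_module_roles[module_name]` with keys taken from `module.project`, which the main.tf change in this commit drives from `per_module_services`; a module present in the services map but absent from the roles map would fail the plan with an invalid-index error. Only part of both maps is visible here, so this may not occur today, but `lookup(local.per_module_roles, module_name, [])`, as is already done for `extra_roles_for_tests`, would keep the two maps independent. `extra_roles_for_tests` has no comment of its own; something like `// Map of module name => extra roles granted only to that module's CI service account; keep entries minimal.` would record its shape and that each entry widens a test identity. The `locals` block starts above the hunk.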
@@ -24,17 +24,25 @@ locals {
 "bigtable.googleapis.com"
 ]
 }
+ extra_services_for_tests = {}
+ per_module_test_services = {
+ for module, services in local.per_module_services :
+ module => setunion(services, lookup(local.extra_services_for_tests, module, []))
+ }
 }
 module "project" {
+ for_each = local.per_module_test_services
+
 source = "terraform-google-modules/project-factory/google"
 version = "~> 18.0"
- name = "ci-bigtable"
- random_project_id = "true"
- org_id = var.org_id
- folder_id = var.folder_id
- billing_account = var.billing_account
+ name = "ci-bigtable"
+ random_project_id = "true"
+ random_project_id_length = 8
+ org_id = var.org_id
+ folder_id = var.folder_id
+ billing_account = var.billing_account
- activate_apis = tolist(toset(flatten(values(local.per_module_services))))
+ activate_apis = each.value
 }
diff --git a/test/setup/outputs.tf b/test/setup/outputs.tf
index 9271663..bc1bc43 100644
--- a/test/setup/outputs.tf
+++ b/test/setup/outputs.tf
@@ -14,11 +14,16 @@
 * limitations under the License.
 */
-output "project_id" {
- value = module.project.project_id
+// project_ids_per_module is resolved to `project_id` by the tft test framework.
+output "project_ids_per_module" {
+ value = {
+ for module_name, v in module.project : module_name => v.project_id
+ }
 }
-output "sa_key" {
- value = google_service_account_key.int_test.private_key
- sensitive = true
+// `sa_keys_per_module` is resolved to `sa_key` by the tft test framework.
+output "sa_keys_per_module" {
+ value = {
+ for module_name, v in google_service_account_key.int_test : module_name => v.private_key
+ }
 }
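Review bot: The `per_module_test_services` comprehension names its iteration variable `module`, which appears to shadow the `module.` namespace inside the expression and reads confusingly next to `module "project"`. iam.tf and outputs.tf use `module_name` for the same key, so `for module_name, services in local.per_module_services :` would be consistent. `extra_services_for_tests` is an undocumented empty map; a comment such as `// Map of module name => extra APIs enabled only in that module's test project.` would state its shape. Every project still gets `name = "ci-bigtable"`, so the per-module projects differ only by the 8-character random suffix, which makes audit-log entries and leftover projects harder to attribute to a module.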
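Review bot: The new `sa_keys_per_module` output drops the `sensitive = true` that the removed `sa_key` output carried, even though its value is now a map of service-account private keys. As far as I know the google provider marks `private_key` as sensitive, in which case Terraform should refuse to plan a root output that exposes it unmarked; if it were not marked, the keys would be printed in plan/apply output and CI logs. Add `sensitive = true` after the `value` map of `sa_keys_per_module`.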