chore: Per-module isolation for integration tests

test/setup/iam.tf

@@ -25,23 +25,47 @@ locals {
     ]
   }
 
-  int_required_roles = tolist(toset(flatten(values(local.per_module_roles))))
+  extra_roles_for_tests = {}
+
+  // A list of items like:
+  // { module_name = "x", role = "role1"}
+  // { module_name = "x", role = "role2"}
+  // { module_name = "y", role = "role3"}
+  module_role_combinations = flatten(
+    [for module_name, _ in module.project :
+      [for role in setunion(local.per_module_roles[module_name], lookup(local.extra_roles_for_tests, module_name, [])) : {
+        module_name = module_name
+        role        = role
+        }
+      ]
+    ]
+  )
 }
 
 resource "google_service_account" "int_test" {
-  project      = module.project.project_id
+  for_each = module.project
+
+  project      = each.value.project_id
   account_id   = "ci-account"
   display_name = "ci-account"
 }
 
 resource "google_project_iam_member" "int_test" {
-  for_each = toset(local.int_required_roles)
+  for_each = {
+    for combination in local.module_role_combinations :
+    "${combination.module_name}.${combination.role}" => {
+      service_account = google_service_account.int_test[combination.module_name]
+      role            = combination.role
+    }
+  }
 
-  project = module.project.project_id
-  role    = each.value
-  member  = "serviceAccount:${google_service_account.int_test.email}"
+  project = each.value.service_account.project
+  role    = each.value.role
+  member  = "serviceAccount:${each.value.service_account.email}"
 }
 
 resource "google_service_account_key" "int_test" {
-  service_account_id = google_service_account.int_test.id
+  for_each = module.project
+
+  service_account_id = google_service_account.int_test[each.key].id
 }

test/setup/main.tf

@@ -24,17 +24,25 @@ locals {
       "bigtable.googleapis.com"
     ]
   }
+  extra_services_for_tests = {}
+  per_module_test_services = {
+    for module, services in local.per_module_services :
+    module => setunion(services, lookup(local.extra_services_for_tests, module, []))
+  }
 }
 
 module "project" {
+  for_each = local.per_module_test_services
+
   source  = "terraform-google-modules/project-factory/google"
   version = "~> 18.0"
 
-  name              = "ci-bigtable"
-  random_project_id = "true"
-  org_id            = var.org_id
-  folder_id         = var.folder_id
-  billing_account   = var.billing_account
+  name                     = "ci-bigtable"
+  random_project_id        = "true"
+  random_project_id_length = 8
+  org_id                   = var.org_id
+  folder_id                = var.folder_id
+  billing_account          = var.billing_account
 
-  activate_apis = tolist(toset(flatten(values(local.per_module_services))))
+  activate_apis = each.value
 }

test/setup/outputs.tf

@@ -14,11 +14,16 @@
  * limitations under the License.
  */
 
-output "project_id" {
-  value = module.project.project_id
+// project_ids_per_module is resolved to `project_id` by the tft test framework.
+output "project_ids_per_module" {
+  value = {
+    for module_name, v in module.project : module_name => v.project_id
+  }
 }
 
-output "sa_key" {
-  value     = google_service_account_key.int_test.private_key
-  sensitive = true
+// `sa_keys_per_module` is resolved to `sa_key` by the tft test framework.
+output "sa_keys_per_module" {
+  value = {
+    for module_name, v in google_service_account_key.int_test : module_name => v.private_key
+  }
 }