fix: remove alpha-documentai.googleapis.com from the list of VPC_SC restricted service (#188)

Author: daniel-cit

examples/secure_cloud_function_bigquery_trigger/main.tf

@@ -32,7 +32,7 @@ resource "random_id" "random_folder_suffix" {
 
 module "secure_harness" {
   source  = "GoogleCloudPlatform/cloud-run/google//modules/secure-serverless-harness"
-  version = "~> 0.17.2"
+  version = "~> 0.21.5"
 
   billing_account                             = var.billing_account
   security_project_name                       = "prj-scf-security"

examples/secure_cloud_function_internal_server/main.tf

@@ -33,7 +33,7 @@ resource "random_id" "random_folder_suffix" {
 
 module "secure_harness" {
   source  = "GoogleCloudPlatform/cloud-run/google//modules/secure-serverless-harness"
-  version = "~> 0.17.2"
+  version = "~> 0.21.5"
 
   billing_account                             = var.billing_account
   security_project_name                       = "prj-scf-security"

examples/secure_cloud_function_with_sql/main.tf

@@ -36,7 +36,7 @@ resource "random_id" "random_folder_suffix" {
 
 module "secure_harness" {
   source  = "GoogleCloudPlatform/cloud-run/google//modules/secure-serverless-harness"
-  version = "~> 0.17.2"
+  version = "~> 0.21.5"
 
   billing_account                             = var.billing_account
   security_project_name                       = "prj-scf-security"

modules/secure-cloud-function/main.tf

@@ -17,7 +17,7 @@
 
 module "cloud_serverless_network" {
   source  = "GoogleCloudPlatform/cloud-run/google//modules/secure-serverless-net"
-  version = "~> 0.17.2"
+  version = "~> 0.21.5"
 
   connector_name            = var.connector_name
   subnet_name               = var.subnet_name

test/integration/secure_cloud_function_bigquery_trigger/cloud_function2_bigquery_trigger_test.go

@@ -42,7 +42,11 @@ var (
 		".*Error 403.*Permission.*denied on resource.*": "Permission denied on resource.",
 
 		// Editing VPC Service Controls is eventually consistent.
-		".*Error 403.*Request is prohibited by organization's policy.*vpcServiceControlsUniqueIdentifier.*": "Request is prohibited by organization's policy.",
+		".*Error 403.*Request is prohibited by organization's policy.*vpcServiceControlsUniqueIdentifier.*":    "Request is prohibited by organization's policy.",
+		".*Error code 7.*Request is prohibited by organization's policy.*vpcServiceControlsUniqueIdentifier.*": "Request is prohibited by organization's policy.",
+
+		// Google Storage Service Agent propagation issue.
+		".*Error 400.*Service account service-.*@gs-project-accounts.iam.gserviceaccount.com does not exist.*": "Google Storage Service Agent propagation issue",
 	}
 )
 
@@ -96,7 +100,6 @@ func TestGCF2BigqueryTrigger(t *testing.T) {
 		"adsdatahub.googleapis.com",
 		"aiplatform.googleapis.com",
 		"alloydb.googleapis.com",
-		"alpha-documentai.googleapis.com",
 		"analyticshub.googleapis.com",
 		"apigee.googleapis.com",
 		"apigeeconnect.googleapis.com",
@@ -248,7 +251,7 @@ func TestGCF2BigqueryTrigger(t *testing.T) {
 
 		// Network test
 		opNet := gcloud.Runf(t, "compute networks describe %s --project=%s", networkName, networkProjectID)
-		assert.Equal("GLOBAL", opNet.Get("routingConfig.routingMode").String(), fmt.Sprint("Routing Mode should be GLOBAL."))
+		assert.Equal("GLOBAL", opNet.Get("routingConfig.routingMode").String(), "Routing Mode should be GLOBAL.")
 
 		// Sub-network test
 		subnetName := bqt.GetStringOutput("service_vpc_subnet_name")

test/integration/secure_cloud_function_internal_server/cloud_function_internal_server_test.go

@@ -42,7 +42,11 @@ var (
 		".*Error 403.*Permission.*denied on resource.*": "Permission denied on resource.",
 
 		// Editing VPC Service Controls is eventually consistent.
-		".*Error 403.*Request is prohibited by organization's policy.*vpcServiceControlsUniqueIdentifier.*": "Request is prohibited by organization's policy.",
+		".*Error 403.*Request is prohibited by organization's policy.*vpcServiceControlsUniqueIdentifier.*":    "Request is prohibited by organization's policy.",
+		".*Error code 7.*Request is prohibited by organization's policy.*vpcServiceControlsUniqueIdentifier.*": "Request is prohibited by organization's policy.",
+
+		// Google Storage Service Agent propagation issue.
+		".*Error 400.*Service account service-.*@gs-project-accounts.iam.gserviceaccount.com does not exist.*": "Google Storage Service Agent propagation issue",
 	}
 )
 

test/integration/secure_cloud_function_with_sql/secure_cloud_function_with_sql_test.go

@@ -41,7 +41,11 @@ var (
 		".*Error 403.*Permission.*denied on resource.*": "Permission denied on resource.",
 
 		// Editing VPC Service Controls is eventually consistent.
-		".*Error 403.*Request is prohibited by organization's policy.*vpcServiceControlsUniqueIdentifier.*": "Request is prohibited by organization's policy.",
+		".*Error 403.*Request is prohibited by organization's policy.*vpcServiceControlsUniqueIdentifier.*":    "Request is prohibited by organization's policy.",
+		".*Error code 7.*Request is prohibited by organization's policy.*vpcServiceControlsUniqueIdentifier.*": "Request is prohibited by organization's policy.",
+
+		// Google Storage Service Agent propagation issue.
+		".*Error 400.*Service account service-.*@gs-project-accounts.iam.gserviceaccount.com does not exist.*": "Google Storage Service Agent propagation issue",
 	}
 )