Adding delay and creating a iam_member for service agent

anshukaira · anshukaira · commit 07bd36ab2e57 · 2025-11-10T10:15:37.000Z
diff --git a/examples/gcs_event_arc_trigger_workflow/main.tf b/examples/gcs_event_arc_trigger_workflow/main.tf
@@ -55,7 +55,7 @@ resource "google_project_iam_binding" "project" {
 }
 
 resource "random_string" "string" {
-  length  = 8
+  length  = 4
   lower   = true
   upper   = false
   special = false
@@ -66,7 +66,7 @@ module "service_account" {
   source     = "terraform-google-modules/service-accounts/google"
   version    = "~> 4.1.1"
   project_id = var.project_id
-  prefix     = "gcs-eventarc-workflow"
+  prefix     = "eventarc-wf-${random_string.string.result}"
   names      = ["simple"]
   project_roles = ["${var.project_id}=>roles/workflows.invoker",
   "${var.project_id}=>roles/eventarc.serviceAgent",
diff --git a/test/setup/main.tf b/test/setup/main.tf
@@ -41,22 +41,42 @@ locals {
 }
 
 module "project" {
-  source  = "terraform-google-modules/project-factory/google"
-  version = "~> 13.0"
-
+  source                  = "terraform-google-modules/project-factory/google"
+  version                 = "~> 13.0"
   name                    = "ci-cloud-workflow"
   random_project_id       = "true"
   org_id                  = var.org_id
   folder_id               = var.folder_id
   billing_account         = var.billing_account
   default_service_account = "keep"
+  activate_apis           = flatten(values(local.per_module_services))
+}
+
+resource "google_project_service_identity" "eventarc_sa" {
+  provider = google-beta
+  project  = module.project.project_id
+  service  = "eventarc.googleapis.com"
+
+  depends_on = [module.project]
+}
+
+# Wait after service identity is created to allow for propagation.
+resource "time_sleep" "wait_after_eventarc_sa_creation" {
+  create_duration = "60s"
 
-  activate_apis = flatten(values(local.per_module_services))
+  depends_on = [google_project_service_identity.eventarc_sa]
 }
 
+resource "google_project_iam_member" "eventarc_service_agent" {
+  project = module.project.project_id
+  role    = "roles/eventarc.serviceAgent"
+  member  = "serviceAccount:${google_project_service_identity.eventarc_sa.email}"
+
+  depends_on = [time_sleep.wait_after_eventarc_sa_creation]
+}
 
 # Wait after APIs are enabled to give time for them to spin up
 resource "time_sleep" "wait_after_apis" {
-  create_duration = "120s"
+  create_duration = "240s"
   depends_on      = [module.project]
 }
