integration test fix

Author: Deepraj1996

build/int.cloudbuild.yaml

@@ -163,22 +163,22 @@ steps:
   waitFor:
     - teardown internal-lb-http gce-mig
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cft test run TestAll/examples/backend-with-iap --stage init --verbose']
+  args: ['/bin/bash', '-c', 'cft test run TestLbBackendServiceIap --stage init --verbose']
 - id: apply backend-with-iap
   waitFor:
     - init backend-with-iap
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cft test run TestAll/examples/backend-with-iap --stage apply --verbose']
+  args: ['/bin/bash', '-c', 'cft test run TestLbBackendServiceIap --stage apply --verbose']
 - id: verify backend-with-iap
   waitFor:
     - apply backend-with-iap
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cft test run TestAll/examples/backend-with-iap --stage verify --verbose']
+  args: ['/bin/bash', '-c', 'cft test run TestLbBackendServiceIap --stage verify --verbose']
 - id: teardown backend-with-iap
   waitFor:
     - verify backend-with-iap
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cft test run TestAll/examples/backend-with-iap --stage teardown --verbose']
+  args: ['/bin/bash', '-c', 'cft test run TestLbBackendServiceIap --stage teardown --verbose']
 tags:
 - 'ci'
 - 'integration'

examples/backend-with-iap/outputs.tf

@@ -14,6 +14,13 @@
  * limitations under the License.
  */
 
-output "load-balancer-ip" {
-  value = module.lb-frontend.external_ip
+
+output "project_id" {
+  value       = module.lb-backend-iap.project_id
+  description = "Project ID of the service"
+}
+
+output "service_name" {
+  value       = module.lb-backend-iap.service_name
+  description = "Name of the created service"
 }

examples/lb-http-separate-frontend-and-backend/main.tf

@@ -106,7 +106,6 @@ module "lb-http-backend" {
 
   iap_config = {
     enable = false
-    iap_members = []
   }
 }
 

metadata.yaml

@@ -338,13 +338,13 @@ spec:
     roles:
       - level: Project
         roles:
+          - roles/iam.serviceAccountAdmin
           - roles/storage.admin
           - roles/compute.admin
           - roles/run.admin
           - roles/iam.serviceAccountUser
           - roles/certificatemanager.owner
           - roles/vpcaccess.admin
-          - roles/iam.serviceAccountAdmin
     services:
       - certificatemanager.googleapis.com
       - cloudresourcemanager.googleapis.com

modules/backend/README.md

@@ -22,7 +22,7 @@ This module creates `google_compute_backend_service` resource and its dependenci
 | groups | The list of backend instance group which serves the traffic. | <pre>list(object({<br>    group       = string<br>    description = optional(string)<br><br>    balancing_mode               = optional(string)<br>    capacity_scaler              = optional(number)<br>    max_connections              = optional(number)<br>    max_connections_per_instance = optional(number)<br>    max_connections_per_endpoint = optional(number)<br>    max_rate                     = optional(number)<br>    max_rate_per_instance        = optional(number)<br>    max_rate_per_endpoint        = optional(number)<br>    max_utilization              = optional(number)<br>  }))</pre> | `[]` | no |
 | health\_check | Input for creating HttpHealthCheck or HttpsHealthCheck resource for health checking this BackendService. A health check must be specified unless the backend service uses an internet or serverless NEG as a backend. | <pre>object({<br>    host                = optional(string, null)<br>    request_path        = optional(string, null)<br>    request             = optional(string, null)<br>    response            = optional(string, null)<br>    port                = optional(number, null)<br>    port_name           = optional(string, null)<br>    proxy_header        = optional(string, null)<br>    port_specification  = optional(string, null)<br>    protocol            = optional(string, null)<br>    check_interval_sec  = optional(number, 5)<br>    timeout_sec         = optional(number, 5)<br>    healthy_threshold   = optional(number, 2)<br>    unhealthy_threshold = optional(number, 2)<br>    logging             = optional(bool, false)<br>  })</pre> | `null` | no |
 | host\_path\_mappings | The list of host/path for which traffic could be sent to the backend service | <pre>list(object({<br>    host = string<br>    path = string<br>  }))</pre> | <pre>[<br>  {<br>    "host": "*",<br>    "path": "/*"<br>  }<br>]</pre> | no |
-| iap\_config | Settings for enabling Cloud Identity Aware Proxy and Users/SAs to be given IAP HttpResourceAccessor access to the service. | <pre>object({<br>    enable               = bool<br>    oauth2_client_id     = optional(string)<br>    oauth2_client_secret = optional(string)<br>    iap_members          = list(string)<br>  })</pre> | <pre>{<br>  "enable": false,<br>  "iap_members": []<br>}</pre> | no |
+| iap\_config | Settings for enabling Cloud Identity Aware Proxy and Users/SAs to be given IAP HttpResourceAccessor access to the service. | <pre>object({<br>    enable               = bool<br>    oauth2_client_id     = optional(string)<br>    oauth2_client_secret = optional(string)<br>    iap_members          = optional(list(string))<br>  })</pre> | <pre>{<br>  "enable": false<br>}</pre> | no |
 | load\_balancing\_scheme | Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL\_MANAGED for Envoy-based load balancer, INTERNAL\_MANAGED for internal load balancer and INTERNAL\_SELF\_MANAGED for traffic director) | `string` | `"EXTERNAL_MANAGED"` | no |
 | locality\_lb\_policy | The load balancing algorithm used within the scope of the locality. | `string` | `null` | no |
 | log\_config | This field denotes the logging options for the load balancer traffic served by this backend service. If logging is enabled, logs will be exported to Stackdriver. | <pre>object({<br>    enable      = bool<br>    sample_rate = number<br>  })</pre> | <pre>{<br>  "enable": true,<br>  "sample_rate": 1<br>}</pre> | no |
@@ -44,5 +44,7 @@ This module creates `google_compute_backend_service` resource and its dependenci
 |------|-------------|
 | apphub\_service\_uri | Service URI in CAIS style to be used by Apphub. |
 | backend\_service\_info | Host, path and backend service mapping |
+| project\_id | Project ID of the service |
+| service\_name | Name of the created service |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/backend/metadata.yaml

@@ -197,11 +197,10 @@ spec:
               enable               = bool
               oauth2_client_id     = optional(string)
               oauth2_client_secret = optional(string)
-              iap_members          = list(string)
+              iap_members          = optional(list(string))
             })
         defaultValue:
           enable: false
-          iap_members: []
       - name: cdn_policy
         description: Cloud CDN configuration for this BackendService.
         varType: |-
@@ -331,17 +330,21 @@ spec:
             - backend_service: string
               host: string
               path: string
+      - name: project_id
+        description: Project ID of the service
+      - name: service_name
+        description: Name of the created service
   requirements:
     roles:
       - level: Project
         roles:
+          - roles/iam.serviceAccountUser
           - roles/iam.serviceAccountAdmin
           - roles/compute.admin
           - roles/storage.admin
           - roles/run.admin
           - roles/compute.networkAdmin
           - roles/iap.admin
-          - roles/iam.serviceAccountUser
     services:
       - cloudresourcemanager.googleapis.com
       - compute.googleapis.com

modules/backend/outputs.tf

@@ -43,3 +43,13 @@ output "apphub_service_uri" {
   )
   description = "Service URI in CAIS style to be used by Apphub."
 }
+
+output "project_id" {
+  value       = var.project_id
+  description = "Project ID of the service"
+}
+
+output "service_name" {
+  value       = var.name
+  description = "Name of the created service"
+}

modules/backend/variables.tf

@@ -159,9 +159,9 @@ variable "iap_config" {
     enable               = bool
     oauth2_client_id     = optional(string)
     oauth2_client_secret = optional(string)
-    iap_members          = list(string)
+    iap_members          = optional(list(string))
   })
-  default = { enable = false, iap_members = [] }
+  default = { enable = false }
 }
 
 variable "cdn_policy" {

modules/dynamic_backends/metadata.yaml

@@ -330,13 +330,13 @@ spec:
     roles:
       - level: Project
         roles:
+          - roles/certificatemanager.owner
+          - roles/vpcaccess.admin
+          - roles/iam.serviceAccountAdmin
           - roles/storage.admin
           - roles/compute.admin
           - roles/run.admin
           - roles/iam.serviceAccountUser
-          - roles/certificatemanager.owner
-          - roles/vpcaccess.admin
-          - roles/iam.serviceAccountAdmin
     services:
       - certificatemanager.googleapis.com
       - cloudresourcemanager.googleapis.com

modules/frontend/metadata.yaml

@@ -246,11 +246,11 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/iam.serviceAccountUser
-          - roles/compute.admin
           - roles/storage.admin
           - roles/iap.admin
           - roles/certificatemanager.owner
+          - roles/iam.serviceAccountUser
+          - roles/compute.admin
     services:
       - certificatemanager.googleapis.com
       - compute.googleapis.com