Ensure that the networksecurity p4sa is permissioned in tests (#8222) (#5830)

modular-magician · shuyama1 · web-flow · commit d7f349bfcf60 · 2023-06-28T15:12:05.000-07:00
Signed-off-by: Modular Magician &lt;magic-modules@google.com&gt;
Co-authored-by: Shuya Ma &lt;87669292+shuyama1@users.noreply.github.com&gt;
diff --git a/.changelog/8222.txt b/.changelog/8222.txt
@@ -0,0 +1,2 @@
+```release-note:none
+```
diff --git a/google-beta/resource_network_security_gateway_security_policy_generated_test.go b/google-beta/resource_network_security_gateway_security_policy_generated_test.go
@@ -156,12 +156,26 @@ resource "google_privateca_certificate_authority" "default" {
   }
 }
 
+resource "google_project_service_identity" "ns_sa" {
+  provider = google-beta
+
+  service = "networksecurity.googleapis.com"
+}
+
+resource "google_privateca_ca_pool_iam_member" "tls_inspection_permission" {
+  provider = google-beta
+
+  ca_pool = google_privateca_ca_pool.default.id
+  role = "roles/privateca.certificateManager"
+  member = "serviceAccount:${google_project_service_identity.ns_sa.email}"
+}
+
 resource "google_network_security_tls_inspection_policy" "default" {
   provider = google-beta
   name     = "tf-test-my-tls-inspection-policy%{random_suffix}"
   location = "us-central1"
   ca_pool  = google_privateca_ca_pool.default.id
-  depends_on = [google_privateca_ca_pool.default, google_privateca_certificate_authority.default]
+  depends_on = [google_privateca_ca_pool.default, google_privateca_certificate_authority.default, google_privateca_ca_pool_iam_member.tls_inspection_permission]
 }
 
 resource "google_network_security_gateway_security_policy" "default" {
diff --git a/google-beta/resource_network_security_tls_inspection_policy_generated_test.go b/google-beta/resource_network_security_tls_inspection_policy_generated_test.go
@@ -120,13 +120,27 @@ resource "google_privateca_certificate_authority" "default" {
   }
 }
 
+resource "google_project_service_identity" "ns_sa" {
+  provider = google-beta
+
+  service = "networksecurity.googleapis.com"
+}
+
+resource "google_privateca_ca_pool_iam_member" "tls_inspection_permission" {
+  provider = google-beta
+
+  ca_pool = google_privateca_ca_pool.default.id
+  role = "roles/privateca.certificateManager"
+  member = "serviceAccount:${google_project_service_identity.ns_sa.email}"
+}
+
 resource "google_network_security_tls_inspection_policy" "default" {
   provider = google-beta
   name     = "tf-test-my-tls-inspection-policy%{random_suffix}"
   location = "us-central1"
   ca_pool  = google_privateca_ca_pool.default.id
   exclude_public_ca_set = false
-  depends_on = [google_privateca_ca_pool.default, google_privateca_certificate_authority.default]
+  depends_on = [google_privateca_ca_pool.default, google_privateca_certificate_authority.default, google_privateca_ca_pool_iam_member.tls_inspection_permission]
 }
 `, context)
 }
diff --git a/google-beta/resource_network_security_tls_inspection_policy_test.go b/google-beta/resource_network_security_tls_inspection_policy_test.go
@@ -104,11 +104,21 @@ resource "google_privateca_certificate_authority" "default" {
   }
 }
 
+resource "google_project_service_identity" "ns_sa" {
+  service = "networksecurity.googleapis.com"
+}
+
+resource "google_privateca_ca_pool_iam_member" "tls_inspection_permission" {
+  ca_pool = google_privateca_ca_pool.default.id
+  role = "roles/privateca.certificateManager"
+  member = "serviceAccount:${google_project_service_identity.ns_sa.email}"
+}
+
 resource "google_network_security_tls_inspection_policy" "foobar" {
   name     = "%s"
   location = "us-central1"
   ca_pool    = google_privateca_ca_pool.default.id
-  depends_on = [google_privateca_ca_pool.default, google_privateca_certificate_authority.default]
+  depends_on = [google_privateca_ca_pool.default, google_privateca_certificate_authority.default, google_privateca_ca_pool_iam_member.tls_inspection_permission]
 }
 `, caPoolName, certificateAuthorityName, tlsInspectionPolicyName)
 }
@@ -176,12 +186,22 @@ resource "google_privateca_certificate_authority" "default" {
   }
 }
 
+resource "google_project_service_identity" "ns_sa" {
+  service = "networksecurity.googleapis.com"
+}
+
+resource "google_privateca_ca_pool_iam_member" "tls_inspection_permission" {
+  ca_pool = google_privateca_ca_pool.default.id
+  role = "roles/privateca.certificateManager"
+  member = "serviceAccount:${google_project_service_identity.ns_sa.email}"
+}
+
 resource "google_network_security_tls_inspection_policy" "foobar" {
   name        = "%s"
   location    = "us-central1"
   description = "my tls inspection policy updated"
   ca_pool     = google_privateca_ca_pool.default.id
-  depends_on = [google_privateca_ca_pool.default, google_privateca_certificate_authority.default]
+  depends_on = [google_privateca_ca_pool.default, google_privateca_certificate_authority.default, google_privateca_ca_pool_iam_member.tls_inspection_permission]
 }
 `, caPoolName, certificateAuthorityName, tlsInspectionPolicyName)
 }
diff --git a/website/docs/r/network_security_gateway_security_policy.html.markdown b/website/docs/r/network_security_gateway_security_policy.html.markdown
@@ -116,12 +116,26 @@ resource "google_privateca_certificate_authority" "default" {
   }
 }
 
+resource "google_project_service_identity" "ns_sa" {
+  provider = google-beta
+
+  service = "networksecurity.googleapis.com"
+}
+
+resource "google_privateca_ca_pool_iam_member" "tls_inspection_permission" {
+  provider = google-beta
+
+  ca_pool = google_privateca_ca_pool.default.id
+  role = "roles/privateca.certificateManager"
+  member = "serviceAccount:${google_project_service_identity.ns_sa.email}"
+}
+
 resource "google_network_security_tls_inspection_policy" "default" {
   provider = google-beta
   name     = "my-tls-inspection-policy"
   location = "us-central1"
   ca_pool  = google_privateca_ca_pool.default.id
-  depends_on = [google_privateca_ca_pool.default, google_privateca_certificate_authority.default]
+  depends_on = [google_privateca_ca_pool.default, google_privateca_certificate_authority.default, google_privateca_ca_pool_iam_member.tls_inspection_permission]
 }
 
 resource "google_network_security_gateway_security_policy" "default" {
diff --git a/website/docs/r/network_security_tls_inspection_policy.html.markdown b/website/docs/r/network_security_tls_inspection_policy.html.markdown
@@ -102,13 +102,27 @@ resource "google_privateca_certificate_authority" "default" {
   }
 }
 
+resource "google_project_service_identity" "ns_sa" {
+  provider = google-beta
+
+  service = "networksecurity.googleapis.com"
+}
+
+resource "google_privateca_ca_pool_iam_member" "tls_inspection_permission" {
+  provider = google-beta
+
+  ca_pool = google_privateca_ca_pool.default.id
+  role = "roles/privateca.certificateManager"
+  member = "serviceAccount:${google_project_service_identity.ns_sa.email}"
+}
+
 resource "google_network_security_tls_inspection_policy" "default" {
   provider = google-beta
   name     = "my-tls-inspection-policy"
   location = "us-central1"
   ca_pool  = google_privateca_ca_pool.default.id
   exclude_public_ca_set = false
-  depends_on = [google_privateca_ca_pool.default, google_privateca_certificate_authority.default]
+  depends_on = [google_privateca_ca_pool.default, google_privateca_certificate_authority.default, google_privateca_ca_pool_iam_member.tls_inspection_permission]
 }
 ```
 

Original file line number	Diff line number	Diff line change
`@@ -104,11 +104,21 @@ resource "google_privateca_certificate_authority" "default" {`
`104`	`104`	`}`
`105`	`105`	`}`
`106`	`106`
	`107`	`+resource "google_project_service_identity" "ns_sa" {`
	`108`	`+ service = "networksecurity.googleapis.com"`
	`109`	`+}`
	`110`	`+`
	`111`	`+resource "google_privateca_ca_pool_iam_member" "tls_inspection_permission" {`
	`112`	`+ ca_pool = google_privateca_ca_pool.default.id`
	`113`	`+ role = "roles/privateca.certificateManager"`
	`114`	`+ member = "serviceAccount:${google_project_service_identity.ns_sa.email}"`
	`115`	`+}`
	`116`	`+`
`107`	`117`	`resource "google_network_security_tls_inspection_policy" "foobar" {`
`108`	`118`	`name = "%s"`
`109`	`119`	`location = "us-central1"`
`110`	`120`	`ca_pool = google_privateca_ca_pool.default.id`
`111`		`- depends_on = [google_privateca_ca_pool.default, google_privateca_certificate_authority.default]`
	`121`	`+ depends_on = [google_privateca_ca_pool.default, google_privateca_certificate_authority.default, google_privateca_ca_pool_iam_member.tls_inspection_permission]`
`112`	`122`	`}`
`113`	`123`	`, caPoolName, certificateAuthorityName, tlsInspectionPolicyName)
`114`	`124`	`}`
`@@ -176,12 +186,22 @@ resource "google_privateca_certificate_authority" "default" {`
`176`	`186`	`}`
`177`	`187`	`}`
`178`	`188`
	`189`	`+resource "google_project_service_identity" "ns_sa" {`
	`190`	`+ service = "networksecurity.googleapis.com"`
	`191`	`+}`
	`192`	`+`
	`193`	`+resource "google_privateca_ca_pool_iam_member" "tls_inspection_permission" {`
	`194`	`+ ca_pool = google_privateca_ca_pool.default.id`
	`195`	`+ role = "roles/privateca.certificateManager"`
	`196`	`+ member = "serviceAccount:${google_project_service_identity.ns_sa.email}"`
	`197`	`+}`
	`198`	`+`
`179`	`199`	`resource "google_network_security_tls_inspection_policy" "foobar" {`
`180`	`200`	`name = "%s"`
`181`	`201`	`location = "us-central1"`
`182`	`202`	`description = "my tls inspection policy updated"`
`183`	`203`	`ca_pool = google_privateca_ca_pool.default.id`
`184`		`- depends_on = [google_privateca_ca_pool.default, google_privateca_certificate_authority.default]`
	`204`	`+ depends_on = [google_privateca_ca_pool.default, google_privateca_certificate_authority.default, google_privateca_ca_pool_iam_member.tls_inspection_permission]`
`185`	`205`	`}`
`186`	`206`	`, caPoolName, certificateAuthorityName, tlsInspectionPolicyName)
`187`	`207`	`}`