Fix tests to use dedicated bootstrapped service accounts instead of one shared account (#10418) (#7244)

modular-magician · web-flow · commit f38e30fa57ce · 2024-04-16T14:09:15.000-07:00
[upstream:7041d8052bd61acf8a05feb51cdccf950ff072e6]

Signed-off-by: Modular Magician &lt;magic-modules@google.com&gt;
diff --git a/.changelog/10418.txt b/.changelog/10418.txt
@@ -0,0 +1,3 @@
+```release-note:none
+
+```
diff --git a/google-beta/acctest/bootstrap_test_utils.go b/google-beta/acctest/bootstrap_test_utils.go
@@ -145,13 +145,13 @@ func BootstrapKMSKeyWithPurposeInLocationAndName(t *testing.T, purpose, location
 	}
 }
 
-var serviceAccountEmail = "tf-bootstrap-service-account"
+var serviceAccountPrefix = "tf-bootstrap-sa-"
 var serviceAccountDisplay = "Bootstrapped Service Account for Terraform tests"
 
 // Some tests need a second service account, other than the test runner, to assert functionality on.
 // This provides a well-known service account that can be used when dynamically creating a service
 // account isn't an option.
-func getOrCreateServiceAccount(config *transport_tpg.Config, project string) (*iam.ServiceAccount, error) {
+func getOrCreateServiceAccount(config *transport_tpg.Config, project, serviceAccountEmail string) (*iam.ServiceAccount, error) {
 	name := fmt.Sprintf("projects/%s/serviceAccounts/%s@%s.iam.gserviceaccount.com", project, serviceAccountEmail, project)
 	log.Printf("[DEBUG] Verifying %s as bootstrapped service account.\n", name)
 
@@ -208,13 +208,19 @@ func impersonationServiceAccountPermissions(config *transport_tpg.Config, sa *ia
 	return nil
 }
 
-func BootstrapServiceAccount(t *testing.T, project, testRunner string) string {
+// A separate testId should be used for each test, to create separate service accounts for each,
+// and avoid race conditions where the policy of the same service account is being modified by 2
+// tests at once. This is needed as long as the function overwrites the policy on every run.
+func BootstrapServiceAccount(t *testing.T, testId, testRunner string) string {
+	project := envvar.GetTestProjectFromEnv()
+	serviceAccountEmail := serviceAccountPrefix + testId
+
 	config := BootstrapConfig(t)
 	if config == nil {
 		return ""
 	}
 
-	sa, err := getOrCreateServiceAccount(config, project)
+	sa, err := getOrCreateServiceAccount(config, project, serviceAccountEmail)
 	if err != nil {
 		t.Fatalf("Bootstrapping failed. Cannot retrieve service account, %s", err)
 	}
@@ -1230,7 +1236,8 @@ func SetupProjectsAndGetAccessToken(org, billing, pid, service string, config *t
 	}
 
 	// Create a service account for project-1
-	sa1, err := getOrCreateServiceAccount(config, pid)
+	serviceAccountEmail := serviceAccountPrefix + service
+	sa1, err := getOrCreateServiceAccount(config, pid, serviceAccountEmail)
 	if err != nil {
 		return "", err
 	}
diff --git a/google-beta/services/resourcemanager/data_source_google_service_account_access_token_test.go b/google-beta/services/resourcemanager/data_source_google_service_account_access_token_test.go
@@ -36,7 +36,7 @@ func TestAccDataSourceGoogleServiceAccountAccessToken_basic(t *testing.T) {
 
 	resourceName := "data.google_service_account_access_token.default"
 	serviceAccount := envvar.GetTestServiceAccountFromEnv(t)
-	targetServiceAccountEmail := acctest.BootstrapServiceAccount(t, envvar.GetTestProjectFromEnv(), serviceAccount)
+	targetServiceAccountEmail := acctest.BootstrapServiceAccount(t, "acctoken", serviceAccount)
 
 	acctest.VcrTest(t, resource.TestCase{
 		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
diff --git a/google-beta/services/resourcemanager/data_source_google_service_account_id_token_test.go b/google-beta/services/resourcemanager/data_source_google_service_account_id_token_test.go
@@ -75,7 +75,7 @@ func TestAccDataSourceGoogleServiceAccountIdToken_impersonation(t *testing.T) {
 
 	resourceName := "data.google_service_account_id_token.default"
 	serviceAccount := envvar.GetTestServiceAccountFromEnv(t)
-	targetServiceAccountEmail := acctest.BootstrapServiceAccount(t, envvar.GetTestProjectFromEnv(), serviceAccount)
+	targetServiceAccountEmail := acctest.BootstrapServiceAccount(t, "idtoken-imp", serviceAccount)
 
 	resource.Test(t, resource.TestCase{
 		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
diff --git a/google-beta/services/resourcemanager/data_source_google_service_account_jwt_test.go b/google-beta/services/resourcemanager/data_source_google_service_account_jwt_test.go
@@ -102,7 +102,7 @@ func TestAccDataSourceGoogleServiceAccountJwt(t *testing.T) {
 
 	resourceName := "data.google_service_account_jwt.default"
 	serviceAccount := envvar.GetTestServiceAccountFromEnv(t)
-	targetServiceAccountEmail := acctest.BootstrapServiceAccount(t, envvar.GetTestProjectFromEnv(), serviceAccount)
+	targetServiceAccountEmail := acctest.BootstrapServiceAccount(t, "jwt", serviceAccount)
 
 	staticTime := time.Now()
 
