Update CMEK usage in Bigquery tests (#11953) (#8488)

[upstream:561d8275871a2279c4cc85e1295adf211e2dad00]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/11953.txt

@@ -0,0 +1,2 @@
+```release-note:none
+```

google-beta/services/bigquery/resource_bigquery_job_generated_test.go

@@ -495,12 +495,13 @@ locals {
 }
 
 resource "google_bigquery_table" "source" {
-  deletion_protection = false
   count = local.count
 
   dataset_id = google_bigquery_dataset.source[count.index].dataset_id
   table_id   = "tf_test_job_copy%{random_suffix}_${count.index}_table"
 
+  deletion_protection = false
+
   schema = <<EOF
 [
   {
@@ -560,7 +561,7 @@ EOF
     kms_key_name = google_kms_crypto_key.crypto_key.id
   }
 
-  depends_on = ["google_project_iam_member.encrypt_role"]
+  depends_on = ["google_kms_crypto_key_iam_member.encrypt_role"]
 }
 
 resource "google_bigquery_dataset" "dest" {
@@ -584,8 +585,8 @@ data "google_project" "project" {
   project_id = "%{project}"
 }
 
-resource "google_project_iam_member" "encrypt_role" {
-  project = data.google_project.project.project_id
+resource "google_kms_crypto_key_iam_member" "encrypt_role" {
+  crypto_key_id = google_kms_crypto_key.crypto_key.id
   role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
   member = "serviceAccount:bq-${data.google_project.project.number}@bigquery-encryption.iam.gserviceaccount.com"
 }
@@ -617,7 +618,7 @@ resource "google_bigquery_job" "job" {
     }
   }
 
-  depends_on = ["google_project_iam_member.encrypt_role"]
+  depends_on = ["google_kms_crypto_key_iam_member.encrypt_role"]
 }
 `, context)
 }
@@ -721,7 +722,7 @@ EOF
     kms_key_name = google_kms_crypto_key.crypto_key.id
   }
 
-  depends_on = ["google_project_iam_member.encrypt_role"]
+  depends_on = ["google_kms_crypto_key_iam_member.encrypt_role"]
 }
 
 resource "google_bigquery_dataset" "dest" {
@@ -745,8 +746,8 @@ data "google_project" "project" {
   project_id = "%{project}"
 }
 
-resource "google_project_iam_member" "encrypt_role" {
-  project = data.google_project.project.project_id
+resource "google_kms_crypto_key_iam_member" "encrypt_role" {
+  crypto_key_id = google_kms_crypto_key.crypto_key.id
   role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
   member = "serviceAccount:bq-${data.google_project.project.number}@bigquery-encryption.iam.gserviceaccount.com"
 }
@@ -772,7 +773,7 @@ resource "google_bigquery_job" "job" {
     }
   }
 
-  depends_on = ["google_project_iam_member.encrypt_role"]
+  depends_on = ["google_kms_crypto_key_iam_member.encrypt_role"]
 }
 `, context)
 }

google-beta/services/bigqueryconnection/resource_bigquery_connection_generated_test.go

@@ -468,13 +468,12 @@ resource "google_dataproc_cluster" "basic" {
 `, context)
 }
 
-func TestAccBigqueryConnectionConnection_bigqueryConnectionKmsExample(t *testing.T) {
+func TestAccBigqueryConnectionConnection_bigqueryConnectionSqlWithCmekExample(t *testing.T) {
 	t.Parallel()
 
 	context := map[string]interface{}{
 		"deletion_protection": false,
 		"kms_key_name":        acctest.BootstrapKMSKey(t).CryptoKey.Name,
-		"policyChanged":       acctest.BootstrapPSARole(t, "bq-", "bigquery-encryption", "roles/cloudkms.cryptoKeyEncrypterDecrypter"),
 		"random_suffix":       acctest.RandString(t, 10),
 	}
 
@@ -484,7 +483,7 @@ func TestAccBigqueryConnectionConnection_bigqueryConnectionKmsExample(t *testing
 		CheckDestroy:             testAccCheckBigqueryConnectionConnectionDestroyProducer(t),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccBigqueryConnectionConnection_bigqueryConnectionKmsExample(context),
+				Config: testAccBigqueryConnectionConnection_bigqueryConnectionSqlWithCmekExample(context),
 			},
 			{
 				ResourceName:            "google_bigquery_connection.bq-connection-cmek",
@@ -496,54 +495,55 @@ func TestAccBigqueryConnectionConnection_bigqueryConnectionKmsExample(t *testing
 	})
 }
 
-func testAccBigqueryConnectionConnection_bigqueryConnectionKmsExample(context map[string]interface{}) string {
+func testAccBigqueryConnectionConnection_bigqueryConnectionSqlWithCmekExample(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_sql_database_instance" "instance" {
-    name             = "tf-test-my-database-instance%{random_suffix}"
-    database_version = "POSTGRES_11"
-    region           = "us-central1"
-    settings {
-		tier = "db-f1-micro"
-	}
+  name             = "tf-test-my-database-instance%{random_suffix}"
+  region           = "us-central1"
 
-    deletion_protection  = "%{deletion_protection}"
+  database_version = "POSTGRES_11"
+  settings {
+    tier = "db-f1-micro"
+  }
+
+  deletion_protection  = "%{deletion_protection}"
 }
 
 resource "google_sql_database" "db" {
-    instance = google_sql_database_instance.instance.name
-    name     = "db"
+  instance = google_sql_database_instance.instance.name
+  name     = "db"
 }
 
 resource "google_sql_user" "user" {
-    name = "user%{random_suffix}"
-    instance = google_sql_database_instance.instance.name
-    password = "tf-test-my-password%{random_suffix}"
+  name = "user%{random_suffix}"
+  instance = google_sql_database_instance.instance.name
+  password = "tf-test-my-password%{random_suffix}"
 }
 
 data "google_bigquery_default_service_account" "bq_sa" {}
 
-data "google_project" "project" {}
-
-resource "google_project_iam_member" "key_sa_user" {
-  project       = data.google_project.project.project_id
+resource "google_kms_crypto_key_iam_member" "key_sa_user" {
+  crypto_key_id = "%{kms_key_name}"
   role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
   member        = "serviceAccount:${data.google_bigquery_default_service_account.bq_sa.email}"
 }
 
 resource "google_bigquery_connection" "bq-connection-cmek" {
-    friendly_name = "👋"
-    description   = "a riveting description"
-    location      = "US"
-    kms_key_name  = "%{kms_key_name}"
-    cloud_sql {
-        instance_id = google_sql_database_instance.instance.connection_name
-        database    = google_sql_database.db.name
-        type        = "POSTGRES"
-        credential {
-          username = google_sql_user.user.name
-          password = google_sql_user.user.password
-        }
+  friendly_name = "👋"
+  description   = "a riveting description"
+  location      = "US"
+  kms_key_name  = "%{kms_key_name}"
+  cloud_sql {
+    instance_id = google_sql_database_instance.instance.connection_name
+    database    = google_sql_database.db.name
+    type        = "POSTGRES"
+    credential {
+      username = google_sql_user.user.name
+      password = google_sql_user.user.password
     }
+  }
+
+  depends_on = [google_kms_crypto_key_iam_member.key_sa_user]
 }
 `, context)
 }

website/docs/r/bigquery_connection.html.markdown

@@ -279,60 +279,61 @@ resource "google_dataproc_cluster" "basic" {
  }
 ```
 <div class = "oics-button" style="float: right; margin: 0 0 -15px">
-  <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md&cloudshell_working_dir=bigquery_connection_kms&open_in_editor=main.tf" target="_blank">
+  <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md&cloudshell_working_dir=bigquery_connection_sql_with_cmek&open_in_editor=main.tf" target="_blank">
     <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
   </a>
 </div>
-## Example Usage - Bigquery Connection Kms
+## Example Usage - Bigquery Connection Sql With Cmek
 
 
 ```hcl
 resource "google_sql_database_instance" "instance" {
-    name             = "my-database-instance"
-    database_version = "POSTGRES_11"
-    region           = "us-central1"
-    settings {
-		tier = "db-f1-micro"
-	}
+  name             = "my-database-instance"
+  region           = "us-central1"
 
-    deletion_protection  = "true"
+  database_version = "POSTGRES_11"
+  settings {
+    tier = "db-f1-micro"
+  }
+
+  deletion_protection  = "true"
 }
 
 resource "google_sql_database" "db" {
-    instance = google_sql_database_instance.instance.name
-    name     = "db"
+  instance = google_sql_database_instance.instance.name
+  name     = "db"
 }
 
 resource "google_sql_user" "user" {
-    name = "user"
-    instance = google_sql_database_instance.instance.name
-    password = "tf-test-my-password%{random_suffix}"
+  name = "user"
+  instance = google_sql_database_instance.instance.name
+  password = "tf-test-my-password%{random_suffix}"
 }
 
 data "google_bigquery_default_service_account" "bq_sa" {}
 
-data "google_project" "project" {}
-
-resource "google_project_iam_member" "key_sa_user" {
-  project       = data.google_project.project.project_id
+resource "google_kms_crypto_key_iam_member" "key_sa_user" {
+  crypto_key_id = "projects/project/locations/us-central1/keyRings/us-central1/cryptoKeys/bq-key"
   role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
   member        = "serviceAccount:${data.google_bigquery_default_service_account.bq_sa.email}"
 }
 
 resource "google_bigquery_connection" "bq-connection-cmek" {
-    friendly_name = "👋"
-    description   = "a riveting description"
-    location      = "US"
-    kms_key_name  = "projects/project/locations/us-central1/keyRings/us-central1/cryptoKeys/bq-key"
-    cloud_sql {
-        instance_id = google_sql_database_instance.instance.connection_name
-        database    = google_sql_database.db.name
-        type        = "POSTGRES"
-        credential {
-          username = google_sql_user.user.name
-          password = google_sql_user.user.password
-        }
+  friendly_name = "👋"
+  description   = "a riveting description"
+  location      = "US"
+  kms_key_name  = "projects/project/locations/us-central1/keyRings/us-central1/cryptoKeys/bq-key"
+  cloud_sql {
+    instance_id = google_sql_database_instance.instance.connection_name
+    database    = google_sql_database.db.name
+    type        = "POSTGRES"
+    credential {
+      username = google_sql_user.user.name
+      password = google_sql_user.user.password
     }
+  }
+
+  depends_on = [google_kms_crypto_key_iam_member.key_sa_user]
 }
 ```
 

website/docs/r/bigquery_job.html.markdown

@@ -309,12 +309,13 @@ locals {
 }
 
 resource "google_bigquery_table" "source" {
-  deletion_protection = false
   count = local.count
 
   dataset_id = google_bigquery_dataset.source[count.index].dataset_id
   table_id   = "job_copy_${count.index}_table"
 
+  deletion_protection = false
+
   schema = <<EOF
 [
   {
@@ -374,7 +375,7 @@ EOF
     kms_key_name = google_kms_crypto_key.crypto_key.id
   }
 
-  depends_on = ["google_project_iam_member.encrypt_role"]
+  depends_on = ["google_kms_crypto_key_iam_member.encrypt_role"]
 }
 
 resource "google_bigquery_dataset" "dest" {
@@ -398,8 +399,8 @@ data "google_project" "project" {
   project_id = "my-project-name"
 }
 
-resource "google_project_iam_member" "encrypt_role" {
-  project = data.google_project.project.project_id
+resource "google_kms_crypto_key_iam_member" "encrypt_role" {
+  crypto_key_id = google_kms_crypto_key.crypto_key.id
   role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
   member = "serviceAccount:bq-${data.google_project.project.number}@bigquery-encryption.iam.gserviceaccount.com"
 }
@@ -431,7 +432,7 @@ resource "google_bigquery_job" "job" {
     }
   }
 
-  depends_on = ["google_project_iam_member.encrypt_role"]
+  depends_on = ["google_kms_crypto_key_iam_member.encrypt_role"]
 }
 ```
 <div class = "oics-button" style="float: right; margin: 0 0 -15px">