fix integration test

Author: renato-rudnicki

5-app-infra/business_unit_1/development/README.md

@@ -16,6 +16,7 @@
 | confidential\_instances\_names | List of names for confidential compute instances |
 | confidential\_instances\_zones | List of zone for confidential compute instances. |
 | confidential\_space\_project\_id | Project where confidential compute instance was created |
+| confidential\_space\_project\_number | Project number from confidential compute instance |
 | instances\_details | List of details for compute instances |
 | instances\_names | List of names for compute instances |
 | instances\_self\_links | List of self-links for compute instances |

5-app-infra/business_unit_1/development/outputs.tf

@@ -52,6 +52,11 @@ output "confidential_space_project_id" {
   value       = module.confidential_space.confidential_space_project_id
 }
 
+output "confidential_space_project_number" {
+  description = "Project number from confidential compute instance"
+  value       = module.confidential_space.confidential_space_project_number
+}
+
 output "region" {
   description = "Region where compute instance was created"
   value       = module.gce_instance.region

5-app-infra/business_unit_1/nonproduction/README.md

@@ -16,6 +16,7 @@
 | confidential\_instances\_names | List of names for confidential compute instances |
 | confidential\_instances\_zones | List of zone for confidential compute instances. |
 | confidential\_space\_project\_id | Project where confidential compute instance was created |
+| confidential\_space\_project\_number | Project number from confidential compute instance |
 | instances\_details | List of details for compute instances |
 | instances\_names | List of names for compute instances |
 | instances\_self\_links | List of self-links for compute instances |

5-app-infra/business_unit_1/nonproduction/outputs.tf

@@ -52,6 +52,11 @@ output "confidential_space_project_id" {
   value       = module.confidential_space.confidential_space_project_id
 }
 
+output "confidential_space_project_number" {
+  description = "Project number from confidential compute instance"
+  value       = module.confidential_space.confidential_space_project_number
+}
+
 output "region" {
   description = "Region where compute instance was created"
   value       = module.gce_instance.region

5-app-infra/business_unit_1/production/README.md

@@ -16,6 +16,7 @@
 | confidential\_instances\_names | List of names for confidential compute instances. |
 | confidential\_instances\_zones | List of zone for confidential compute instances. |
 | confidential\_space\_project\_id | Project where confidential compute instance was created |
+| confidential\_space\_project\_number | Project number from confidential compute instance |
 | instances\_details | List of details for compute instances |
 | instances\_names | List of names for compute instances |
 | instances\_self\_links | List of self-links for compute instances |

5-app-infra/business_unit_1/production/outputs.tf

@@ -52,6 +52,11 @@ output "confidential_space_project_id" {
   value       = module.confidential_space.confidential_space_project_id
 }
 
+output "confidential_space_project_number" {
+  description = "Project number from confidential compute instance"
+  value       = module.confidential_space.confidential_space_project_number
+}
+
 output "region" {
   description = "Region where compute instance was created"
   value       = module.gce_instance.region

5-app-infra/modules/confidential_space/README.md

@@ -24,6 +24,7 @@
 | available\_zones | List of available zones in region |
 | confidential\_image\_digest | SHA256 digest of the Docker image. |
 | confidential\_space\_project\_id | Project where confidential compute instance was created |
+| confidential\_space\_project\_number | Project number from confidential compute instance |
 | instances\_details | List of details for compute instances |
 | instances\_self\_links | List of self-links for compute instances |
 | project\_id | Project where compute instance was created |

5-app-infra/modules/confidential_space/outputs.tf

@@ -39,6 +39,11 @@ output "confidential_space_project_id" {
   value       = local.confidential_space_project_id
 }
 
+output "confidential_space_project_number" {
+  description = "Project number from confidential compute instance"
+  value       = local.confidential_space_project_number
+}
+
 output "confidential_image_digest" {
   description = "SHA256 digest of the Docker image."
   value       = var.confidential_image_digest

test/integration/app-infra/app_infra_test.go

@@ -83,33 +83,29 @@ func TestAppInfra(t *testing.T) {
 					confidentialProjectID := appInfra.GetStringOutput("confidential_space_project_id")
 					confidentialInstanceName := terraform.OutputList(t, appInfra.GetTFOptions(), "confidential_instances_names")[0]
 					confidentialInstanceZone := terraform.OutputList(t, appInfra.GetTFOptions(), "confidential_instances_zones")[0]
-
-					// gcPoolOps := gcloud.WithCommonArgs([]string{"--project", confidentialProjectID, "--format", "value(name.basename())"})
-					// workloadIdentityPoolName := gcloud.Runf(t, "iam workload-identity-pools describe %s --location=global", workloadIdentityPool, gcPoolOps)
-					// assert.Equal(workloadIdentityPool, workloadIdentityPoolName.String(), fmt.Sprintf("workload identity pool should have name equals to %s", workloadIdentityPool))
+					confidentialProjectNumber := appInfra.GetStringOutput("confidential_space_project_number")
 
 					gcPoolOps := gcloud.WithCommonArgs([]string{"--project", confidentialProjectID, "--format", "json"})
-					poolDetails := gcloud.Runf(t, "iam workload-identity-pools describe %s --location=global", workloadIdentityPool, gcPoolOps)
+					poolDetails := gcloud.Run(t, fmt.Sprintf("iam workload-identity-pools describe %s --location=global", workloadIdentityPool), gcPoolOps)
 					name := poolDetails.Get("name").String()
-					expectedName := fmt.Sprintf("projects/%s/locations/global/workloadIdentityPools/%s", confidentialProjectID, workloadIdentityPool)
-					assert.Equal(expectedName, name, "Workload Identity Pool full name should match")
+					expectedName := fmt.Sprintf("projects/%s/locations/global/workloadIdentityPools/%s", confidentialProjectNumber, workloadIdentityPool)
+					assert.Equal(t, expectedName, name, "Workload Identity Pool full name should match")
 
-					gcPoolProviderOps := gcloud.WithCommonArgs([]string{fmt.Sprintf("--workload-identity-pool=%s", workloadIdentityPool), "--location=global", "--project", confidentialProjectID, "--format", "value(displayName())"})
-					workloadIdentityPoolProviderID := gcloud.Runf(t, "iam workload-identity-pools providers describe %s", workloadPoolProvider, gcPoolProviderOps)
-					assert.Equal(workloadPoolProvider, workloadIdentityPoolProviderID.String(), fmt.Sprintf("workload identity pool provider should have name equals to %s", workloadPoolProvider))
+					gcPoolProviderOps := gcloud.WithCommonArgs([]string{fmt.Sprintf("--workload-identity-pool=%s", workloadIdentityPool), "--location=global", "--project", confidentialProjectID, "--format", "json"})
+					workloadIdentityPoolProviderID := gcloud.Run(t, fmt.Sprintf("iam workload-identity-pools providers describe %s", workloadPoolProvider), gcPoolProviderOps)
+					assert.Equal(t, workloadPoolProvider, workloadIdentityPoolProviderID.Get("displayName").String(), fmt.Sprintf("workload identity pool provider should have name equals to %s", workloadPoolProvider))
 
 					gcInstanceOps := gcloud.WithCommonArgs([]string{"--project", confidentialProjectID, "--zone", confidentialInstanceZone, "--format", "json"})
 					computeInstanceList := gcloud.Run(t, fmt.Sprintf("compute instances describe %s", confidentialInstanceName), gcInstanceOps)
-					assert.NotEmpty(computeInstanceList.Array(), "Expected at least one confidential instance")
-					computeInstance := computeInstanceList.Array()[0]
-					assert.Equal(confidentialInstanceName, computeInstance.Get("name").String(), "Confidential instance name must match expected")
+					assert.NotEmpty(t, computeInstanceList, "Expected instance details to be present")
+					computeInstance := computeInstanceList
+					assert.Equal(t, confidentialInstanceName, computeInstance.Get("name").String(), "Confidential instance name must match expected")
 					confidentialInstanceConfig := computeInstance.Get("confidentialInstanceConfig")
-					assert.True(confidentialInstanceConfig.Get("enableConfidentialCompute").Bool())
-					assert.Equal("SEV", confidentialInstanceConfig.Get("confidentialInstanceType").String())
-					assert.Equal("MIGRATE", computeInstance.Get("scheduling").Get("onHostMaintenance").String())
-					//serviceAccounts := computeInstance.Get("serviceAccounts").Array()
-					//assert.Len(serviceAccounts, 1)
-					//assert.Equal(fmt.Sprintf("confidential-space-workload-sa@%s.iam.gserviceaccount.com", confidentialProjectID), serviceAccounts[0].Get("email").String())
+					assert.True(t, confidentialInstanceConfig.Get("enableConfidentialCompute").Bool())
+					assert.Equal(t, "SEV", confidentialInstanceConfig.Get("confidentialInstanceType").String())
+					assert.Equal(t, "MIGRATE", computeInstance.Get("scheduling").Get("onHostMaintenance").String())
+					serviceAccounts := computeInstance.Get("serviceAccounts").Array()
+					assert.Equal(t, fmt.Sprintf("confidential-space-workload-sa@%s.iam.gserviceaccount.com", confidentialProjectID), serviceAccounts[0].Get("email").String())
 				})
 
 			appInfra.Test()