fix confidential project ID for integration tests

Author: renato-rudnicki

5-app-infra/business_unit_1/development/README.md

@@ -12,6 +12,7 @@
 | Name | Description |
 |------|-------------|
 | available\_zones | List of available zones in region |
+| confidential\_space\_project\_id | Project where confidential compute instance was created |
 | instances\_details | List of details for compute instances |
 | instances\_names | List of names for compute instances |
 | instances\_self\_links | List of self-links for compute instances |

5-app-infra/business_unit_1/development/outputs.tf

@@ -47,6 +47,11 @@ output "project_id" {
   value       = module.gce_instance.project_id
 }
 
+output "confidential_space_project_id" {
+  description = "Project where confidential compute instance was created"
+  value       = module.confidential_space.confidential_space_project_id
+}
+
 output "region" {
   description = "Region where compute instance was created"
   value       = module.gce_instance.region

5-app-infra/business_unit_1/nonproduction/README.md

@@ -12,6 +12,7 @@
 | Name | Description |
 |------|-------------|
 | available\_zones | List of available zones in region |
+| confidential\_space\_project\_id | Project where confidential compute instance was created |
 | instances\_details | List of details for compute instances |
 | instances\_names | List of names for compute instances |
 | instances\_self\_links | List of self-links for compute instances |

5-app-infra/business_unit_1/nonproduction/outputs.tf

@@ -47,6 +47,11 @@ output "project_id" {
   value       = module.gce_instance.project_id
 }
 
+output "confidential_space_project_id" {
+  description = "Project where confidential compute instance was created"
+  value       = module.confidential_space.confidential_space_project_id
+}
+
 output "region" {
   description = "Region where compute instance was created"
   value       = module.gce_instance.region

5-app-infra/business_unit_1/production/README.md

@@ -12,6 +12,7 @@
 | Name | Description |
 |------|-------------|
 | available\_zones | List of available zones in region |
+| confidential\_space\_project\_id | Project where confidential compute instance was created |
 | instances\_details | List of details for compute instances |
 | instances\_names | List of names for compute instances |
 | instances\_self\_links | List of self-links for compute instances |

5-app-infra/business_unit_1/production/outputs.tf

@@ -47,6 +47,11 @@ output "project_id" {
   value       = module.gce_instance.project_id
 }
 
+output "confidential_space_project_id" {
+  description = "Project where confidential compute instance was created"
+  value       = module.confidential_space.confidential_space_project_id
+}
+
 output "region" {
   description = "Region where compute instance was created"
   value       = module.gce_instance.region

5-app-infra/modules/confidential_space/README.md

@@ -23,6 +23,7 @@
 |------|-------------|
 | available\_zones | List of available zones in region |
 | confidential\_image\_digest | SHA256 digest of the Docker image. |
+| confidential\_space\_project\_id | Project where confidential compute instance was created |
 | instances\_details | List of details for compute instances |
 | instances\_self\_links | List of self-links for compute instances |
 | project\_id | Project where compute instance was created |

5-app-infra/modules/confidential_space/main.tf

@@ -36,6 +36,7 @@ locals {
   subnetwork_project                = element(split("/", local.subnetwork_self_link), index(split("/", local.subnetwork_self_link), "projects") + 1, )
   resource_manager_tags             = local.env_project_resource_manager_tags[var.project_suffix]
   artifact_registry_repository      = "tf-runners"
+  confidential_space_project_id     = data.terraform_remote_state.projects_env.outputs.confidential_space_project
   confidential_space_project_number = data.terraform_remote_state.projects_env.outputs.confidential_space_project_number
   confidential_space_workload_sa    = data.terraform_remote_state.projects_env.outputs.confidential_space_workload_sa
 }

5-app-infra/modules/confidential_space/outputs.tf

@@ -34,6 +34,11 @@ output "project_id" {
   value       = local.env_project_id
 }
 
+output "confidential_space_project_id" {
+  description = "Project where confidential compute instance was created"
+  value       = local.confidential_space_project_id
+}
+
 output "confidential_image_digest" {
   description = "SHA256 digest of the Docker image."
   value       = var.confidential_image_digest

test/integration/app-infra/app_infra_test.go

@@ -80,7 +80,8 @@ func TestAppInfra(t *testing.T) {
 					instance := gcloud.Run(t, fmt.Sprintf("compute instances describe %s", instanceName), gcOps)
 					assert.Equal(machineType, instance.Get("machineType").String(), "should have machine_type f1-micro")
 
-					computeInstanceList := gcloud.Run(t, fmt.Sprintf("compute instances list --format=json --project %s --filter name=confidential-instance", projectID))
+					confidentialProjectID := appInfra.GetStringOutput("confidential_space_project_id")
+					computeInstanceList := gcloud.Run(t, fmt.Sprintf("compute instances list --format=json --project %s --filter name=confidential-instance", confidentialProjectID))
 					assert.Len(computeInstanceList.Array(), 1)
 					computeInstance := computeInstanceList.Array()[0]
 					confidentialInstanceConfig := computeInstance.Get("confidentialInstanceConfig")
@@ -89,10 +90,10 @@ func TestAppInfra(t *testing.T) {
 					assert.Equal("MIGRATE", computeInstance.Get("scheduling").Get("onHostMaintenance").String())
 					serviceAccounts := computeInstance.Get("serviceAccounts").Array()
 					assert.Len(serviceAccounts, 1)
-					assert.Equal(fmt.Sprintf("confidential-space-workload-sa@%s.iam.gserviceaccount.com", projectID), serviceAccounts[0].Get("email").String())
-					workloadIdentityPoolProviderID := gcloud.Runf(t, "iam workload-identity-pools providers describe %s --workload-identity-pool=confidential-space-pool --location=global --project %s", workloadPoolProvider, projectID)
+					assert.Equal(fmt.Sprintf("confidential-space-workload-sa@%s.iam.gserviceaccount.com", confidentialProjectID), serviceAccounts[0].Get("email").String())
+					workloadIdentityPoolProviderID := gcloud.Runf(t, "iam workload-identity-pools providers describe %s --workload-identity-pool=confidential-space-pool --location=global --project %s", workloadPoolProvider, confidentialProjectID)
 					assert.Equal(workloadPoolProvider, workloadIdentityPoolProviderID.Get("displayName").String(), fmt.Sprintf("workload identity pool provider should have name equals to %s", workloadIdentityPoolProviderID))
-					gcPoolOps := gcloud.WithCommonArgs([]string{"--project", projectID, "--format", "value(name.basename())"})
+					gcPoolOps := gcloud.WithCommonArgs([]string{"--project", confidentialProjectID, "--format", "value(name.basename())"})
 					workloadIdentityPoolName := gcloud.Runf(t, fmt.Sprintf("iam workload-identity-pools describe confidential-space-pool --location=global"), gcPoolOps)
 					assert.Equal(workloadIdentityPool, workloadIdentityPoolName.Get("name").String(), fmt.Sprintf("workload identity pool should have name equals to %s", workloadIdentityPoolName))
 				})