validate sa creation

Author: q2w

build/int.cloudbuild.yaml

@@ -21,7 +21,7 @@ See the [simple](../../examples/instance_template/simple) for a usage example.
 | automatic\_restart | (Optional) Specifies whether the instance should be automatically restarted if it is terminated by Compute Engine (not terminated by a user). | `bool` | `true` | no |
 | can\_ip\_forward | Enable IP forwarding, for NAT instances for example | `string` | `"false"` | no |
 | confidential\_instance\_type | Defines the confidential computing technology the instance uses. If this is set to "SEV\_SNP", var.min\_cpu\_platform will be automatically set to "AMD Milan". See https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#confidential_instance_type. | `string` | `null` | no |
-| create\_service\_account | Create a new service account to attach to the instance. This is alternate to providing the service\_account input variable. Please provide the service\_account input if setting this to false! | `bool` | `true` | no |
+| create\_service\_account | Create a new service account to attach to the instance. This is alternate to providing the service\_account input variable. Please provide the service\_account input if setting this to false. | `bool` | `true` | no |
 | description | The template's description | `string` | `""` | no |
 | disk\_encryption\_key | The id of the encryption key that is stored in Google Cloud KMS to use to encrypt all the disks on this instance | `string` | `null` | no |
 | disk\_labels | Labels to be assigned to boot disk, provided as a map | `map(string)` | `{}` | no |

modules/instance_template/README.md

@@ -85,13 +85,16 @@ locals {
 
 # Service account
 resource "google_service_account" "sa" {
-  count        = local.create_service_account ? 1 : 0
+  provider = google-beta
+  count    = local.create_service_account ? 1 : 0
+
   project      = var.project_id
   account_id   = "${local.service_account_prefix}-sa"
   display_name = "Service account for ${var.name_prefix} in ${var.region}"
 }
 
 resource "google_project_iam_member" "roles" {
+  provider = google-beta
   for_each = toset(distinct(var.service_account_project_roles))
 
   project = var.project_id

modules/instance_template/main.tf

@@ -302,7 +302,7 @@ spec:
               outputExpr: email
               inputPath: email
       - name: create_service_account
-        description: Create a new service account to attach to the instance. This is alternate to providing the service_account input variable. Please provide the service_account input if setting this to false!
+        description: Create a new service account to attach to the instance. This is alternate to providing the service_account input variable. Please provide the service_account input if setting this to false.
         varType: bool
         defaultValue: true
       - name: service_account_project_roles
@@ -424,7 +424,5 @@ spec:
       - compute.googleapis.com
       - iam.googleapis.com
     providerVersions:
-      - source: hashicorp/google
-        version: ">= 5.36, < 7"
       - source: hashicorp/google-beta
         version: ">= 5.36, < 7"

modules/instance_template/metadata.yaml

@@ -333,7 +333,7 @@ variable "service_account" {
 
 variable "create_service_account" {
   type        = bool
-  description = "Create a new service account to attach to the instance. This is alternate to providing the service_account input variable. Please provide the service_account input if setting this to false!"
+  description = "Create a new service account to attach to the instance. This is alternate to providing the service_account input variable. Please provide the service_account input if setting this to false."
   default     = true
 }
 

modules/instance_template/variables.tf

@@ -17,11 +17,6 @@
 terraform {
   required_version = ">=1.3"
   required_providers {
-    google = {
-      source  = "hashicorp/google"
-      version = ">= 5.36, < 7"
-    }
-
     google-beta = {
       source  = "hashicorp/google-beta"
       version = ">= 5.36, < 7"

modules/instance_template/versions.tf

@@ -26,14 +26,25 @@ import (
 func TestInstanceTemplateSimpleSAModule(t *testing.T) {
 
 	const instanceNamePrefix = "it-simple-sa"
-	const expected_templates = 1
+	const expectedTemplates = 1
+	const expectedServiceAccounts = 1
 
-	insSimpleT := tft.NewTFBlueprintTest(t)
-	insSimpleT.DefineVerify(func(assert *assert.Assertions) {
-		insSimpleT.DefaultVerify(assert)
+	instanceSimpleTest := tft.NewTFBlueprintTest(t)
+	instanceSimpleTest.DefineVerify(func(assert *assert.Assertions) {
+		instanceSimpleTest.DefaultVerify(assert)
 
-		instance_templates := gcloud.Run(t, fmt.Sprintf("compute instance-templates list --project %s --filter name~%s", insSimpleT.GetStringOutput("project_id"), instanceNamePrefix))
-		assert.Equal(expected_templates, len(instance_templates.Array()), fmt.Sprintf("should have %d instance_templates", expected_templates))
+		projectID := instanceSimpleTest.GetStringOutput("project_id")
+		instanceTemplates := gcloud.Run(t, fmt.Sprintf("compute instance-templates list --project %s --filter name~%s", projectID, instanceNamePrefix))
+		assert.Equal(expectedTemplates, len(instanceTemplates.Array()), fmt.Sprintf("should have %d instance templates", expectedTemplates))
+
+		serviceAccounts := gcloud.Run(t, fmt.Sprintf("iam service-accounts list --project %s --filter email~%s", projectID, instanceNamePrefix))
+		assert.Equal(expectedServiceAccounts, len(serviceAccounts.Array()), fmt.Sprintf("should have %d service accounts", expectedServiceAccounts))
+
+		for _, it := range instanceTemplates.Array() {
+			instanceTemplateName := it.Get("name").String()
+			instanceTemplateServiceAccount := gcloud.Run(t, fmt.Sprintf("compute instance-templates describe %s --project %s", instanceTemplateName, projectID), gcloud.WithCommonArgs([]string{"--format", "get(properties.serviceAccounts)"}))
+			assert.Contains(instanceTemplateServiceAccount.Get("email").String(), instanceNamePrefix, fmt.Sprintf("Instance template service account %s should start with %s", instanceTemplateServiceAccount, instanceNamePrefix))
+		}
 	})
-	insSimpleT.Test()
+	instanceSimpleTest.Test()
 }