E2E tests fixes

Wiktor Niesiobędzki 2023-12-18 08:01:32 +00:00 committed by Wiktor Niesiobędzki
parent 01bd0b7b01
commit 0d486fb34e
3 changed files with 9 additions and 3 deletions


@ -182,6 +182,12 @@ resource "google_compute_subnetwork" "proxy_only" {
)
purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
role = each.value.active ? "ACTIVE" : "BACKUP"
lifecycle {
# Until https://github.com/hashicorp/terraform-provider-google/issues/16804 is fixed
# ignore permadiff in ipv6_access_type for proxy_only subnets
ignore_changes = [ipv6_access_type]
}
}
resource "google_compute_subnetwork" "psc" {
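Review bot: `ignore_changes = [ipv6_access_type]` in the new `lifecycle` block on `google_compute_subnetwork.proxy_only` suppresses every diff on that attribute, so a real out-of-band change to `ipv6_access_type` on a proxy-only subnet will also go unreported for as long as the workaround stays. The comment links the provider issue, which is good; I would add one line saying that drift on this attribute is hidden in the meantime and that the block should be removed when the provider is upgraded past the fix, so the workaround does not outlive the bug.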


@ -354,7 +354,7 @@ module "service-project" {
]
shared_vpc_service_config = {
host_project = module.host-project.project_id
network_users = ["group:team-1@example.com"]
network_users = ["group:${var.group_email}"]
# reuse the list of services from the module's outputs
service_iam_grants = module.service-project.services
}
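Review bot: `network_users = ["group:${var.group_email}"]` makes this documentation example depend on `var.group_email`, which is neither declared nor explained in the visible part of the example, so a reader who copies the block will hit a reference to an undeclared variable. Please add a short comment above the line stating that the variable is supplied by the test setup and should be replaced with the group that is meant to receive network user access on the host project.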
@ -362,7 +362,7 @@ module "service-project" {
# tftest modules=2 resources=11 inventory=shared-vpc-host-project-iam.yaml e2e
```
In specific cases it might make sense to selectively grant the `compute.networkUser` role for service identities at the subnet level, and while that is best done via org policies it's also supported by this module. In this example, Compute service identity and `team-1@example.com` Google Group will be granted compute.networkUser in the `gce` subnet defined in `europe-west1` region via the `service_identity_subnet_iam` and `network_subnet_users` attributes.
In specific cases it might make sense to selectively grant the `compute.networkUser` role for service identities at the subnet level, and while that is best done via org policies it's also supported by this module. In this example, Compute service identity and `team-1@example.com` Google Group will be granted compute.networkUser in the `gce` subnet defined in `europe-west1` region in the `host` project (not included in the example) via the `service_identity_subnet_iam` and `network_subnet_users` attributes.
```hcl
module "host-project" {
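Review bot: In the rewritten paragraph the second mention of compute.networkUser is still not in backticks while the first one is, and the text still names `team-1@example.com` although the preceding example now takes the group from `var.group_email`; if the example that follows was switched the same way, the prose should refer to the variable rather than a fixed address. The sentence is also long enough that the new remark about the `host` project would read better as its own sentence.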


@ -34,7 +34,7 @@ values:
condition: []
project: test-host
role: roles/container.hostServiceAgentUser
module.service-project.google_project_iam_member.shared_vpc_host_iam["group:team-1@example.com"]:
module.service-project.google_project_iam_member.shared_vpc_host_iam["group:organization-admins@example.org"]:
condition: [ ]
project: test-host
role: roles/compute.networkUser
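Review bot: The new key `shared_vpc_host_iam["group:organization-admins@example.org"]` hard-codes what is presumably the test value of the group variable used by `module.service-project`, so this inventory has to be edited by hand whenever that value changes; a comment naming the variable it comes from would make the coupling visible. The `condition: [ ]` under the changed key is also spaced differently from the `condition: []` at the top of the hunk, and the two should use one form.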