From 0d486fb34e64c368f8a4cb8c58092486c2440b7c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wiktor=20Niesiob=C4=99dzki?=
Date: Mon, 18 Dec 2023 08:01:32 +0000
Subject: [PATCH] E2E tests fixes
---
 modules/net-vpc/subnets.tf | 6 ++++++
 modules/project/README.md | 4 ++--
 .../project/examples/shared-vpc-host-project-iam.yaml | 2 +-
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/modules/net-vpc/subnets.tf b/modules/net-vpc/subnets.tf
index fe5abea9..1604df9b 100644
--- a/modules/net-vpc/subnets.tf
+++ b/modules/net-vpc/subnets.tf
@@ -182,6 +182,12 @@ resource "google_compute_subnetwork" "proxy_only" {
 )
 purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
 role = each.value.active ? "ACTIVE" : "BACKUP"
+
+ lifecycle {
+ # Until https://github.com/hashicorp/terraform-provider-google/issues/16804 is fixed
+ # ignore permadiff in ipv6_access_type for proxy_only subnets
+ ignore_changes = [ipv6_access_type]
+ }
 }
 resource "google_compute_subnetwork" "psc" {
diff --git a/modules/project/README.md b/modules/project/README.md
index cd9999d6..b1a36720 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -354,7 +354,7 @@ module "service-project" {
 ]
 shared_vpc_service_config = {
 host_project = module.host-project.project_id
- network_users = ["group:team-1@example.com"]
+ network_users = ["group:${var.group_email}"]
 # reuse the list of services from the module's outputs
 service_iam_grants = module.service-project.services
 }
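Review bot: The `lifecycle` block added to `google_compute_subnetwork.proxy_only` in modules/net-vpc/subnets.tf silences every future difference in `ipv6_access_type`, not only the provider permadiff, so an out-of-band change to that attribute on a proxy-only subnet would no longer show up in a plan. The comment links the upstream issue but states no removal condition; I would add `# TODO: drop this ignore_changes once the linked provider issue is fixed and the minimum provider version is raised` so the workaround does not outlive the bug. The resource block starts above the hunk, so whether the module ever sets `ipv6_access_type` for these subnets is not visible here.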
@@ -362,7 +362,7 @@ module "service-project" {
 # tftest modules=2 resources=11 inventory=shared-vpc-host-project-iam.yaml e2e
 ```
-In specific cases it might make sense to selectively grant the `compute.networkUser` role for service identities at the subnet level, and while that is best done via org policies it's also supported by this module. In this example, Compute service identity and `team-1@example.com` Google Group will be granted compute.networkUser in the `gce` subnet defined in `europe-west1` region via the `service_identity_subnet_iam` and `network_subnet_users` attributes.
+In specific cases it might make sense to selectively grant the `compute.networkUser` role for service identities at the subnet level, and while that is best done via org policies it's also supported by this module. In this example, Compute service identity and `team-1@example.com` Google Group will be granted compute.networkUser in the `gce` subnet defined in `europe-west1` region in the `host` project (not included in the example) via the `service_identity_subnet_iam` and `network_subnet_users` attributes.
 ```hcl
 module "host-project" {
diff --git a/tests/modules/project/examples/shared-vpc-host-project-iam.yaml b/tests/modules/project/examples/shared-vpc-host-project-iam.yaml
index 7a864d94..741cf8a3 100644
--- a/tests/modules/project/examples/shared-vpc-host-project-iam.yaml
+++ b/tests/modules/project/examples/shared-vpc-host-project-iam.yaml
@@ -34,7 +34,7 @@ values:
 condition: []
 project: test-host
 role: roles/container.hostServiceAgentUser
- module.service-project.google_project_iam_member.shared_vpc_host_iam["group:team-1@example.com"]:
+ module.service-project.google_project_iam_member.shared_vpc_host_iam["group:organization-admins@example.org"]:
 condition: [ ]
 project: test-host
 role: roles/compute.networkUser