E2E tests fixes
parent
01bd0b7b01
commit
0d486fb34e
|
@ -182,6 +182,12 @@ resource "google_compute_subnetwork" "proxy_only" {
|
||||||
)
|
)
|
||||||
purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
|
purpose = each.value.global ? "GLOBAL_MANAGED_PROXY" : "REGIONAL_MANAGED_PROXY"
|
||||||
role = each.value.active ? "ACTIVE" : "BACKUP"
|
role = each.value.active ? "ACTIVE" : "BACKUP"
|
||||||
|
|
||||||
|
lifecycle {
|
||||||
|
# Until https://github.com/hashicorp/terraform-provider-google/issues/16804 is fixed
|
||||||
|
# ignore permadiff in ipv6_access_type for proxy_only subnets
|
||||||
|
ignore_changes = [ipv6_access_type]
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_compute_subnetwork" "psc" {
|
resource "google_compute_subnetwork" "psc" {
|
||||||
|
|
|
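Review bot: `ignore_changes = [ipv6_access_type]` means a plan will no longer report or revert an out-of-band change to that attribute on the proxy-only subnets, so drift in ipv6_access_type becomes invisible for as long as the workaround stays in place. The comment already names the upstream issue, which is good; spelling out the consequence and the removal condition would keep the suppression from outliving the bug, e.g. `# TODO: remove once the provider fix is released; ipv6_access_type drift is not detected while this is set`. The enclosing resource block starts before the hunk.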
@ -354,7 +354,7 @@ module "service-project" {
|
||||||
]
|
]
|
||||||
shared_vpc_service_config = {
|
shared_vpc_service_config = {
|
||||||
host_project = module.host-project.project_id
|
host_project = module.host-project.project_id
|
||||||
network_users = ["group:team-1@example.com"]
|
network_users = ["group:${var.group_email}"]
|
||||||
# reuse the list of services from the module's outputs
|
# reuse the list of services from the module's outputs
|
||||||
service_iam_grants = module.service-project.services
|
service_iam_grants = module.service-project.services
|
||||||
}
|
}
|
||||||
|
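Review bot: The example's `network_users = ["group:${var.group_email}"]` now depends on a `group_email` variable that is not declared anywhere in the snippet, so the README example no longer stands on its own for a reader copying it. Because the `group:` prefix is hard-coded on that line, the variable has to carry a bare group address; a short comment such as `# bare group address, the group: prefix is added here` would make that expectation explicit. The enclosing module block starts before the hunk.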
@ -362,7 +362,7 @@ module "service-project" {
|
||||||
# tftest modules=2 resources=11 inventory=shared-vpc-host-project-iam.yaml e2e
|
# tftest modules=2 resources=11 inventory=shared-vpc-host-project-iam.yaml e2e
|
||||||
```
|
```
|
||||||
|
|
||||||
In specific cases it might make sense to selectively grant the `compute.networkUser` role for service identities at the subnet level, and while that is best done via org policies it's also supported by this module. In this example, Compute service identity and `team-1@example.com` Google Group will be granted compute.networkUser in the `gce` subnet defined in `europe-west1` region via the `service_identity_subnet_iam` and `network_subnet_users` attributes.
|
In specific cases it might make sense to selectively grant the `compute.networkUser` role for service identities at the subnet level, and while that is best done via org policies it's also supported by this module. In this example, Compute service identity and `team-1@example.com` Google Group will be granted compute.networkUser in the `gce` subnet defined in `europe-west1` region in the `host` project (not included in the example) via the `service_identity_subnet_iam` and `network_subnet_users` attributes.
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
module "host-project" {
|
module "host-project" {
|
||||||
|
|
|
@ -34,7 +34,7 @@ values:
|
||||||
condition: []
|
condition: []
|
||||||
project: test-host
|
project: test-host
|
||||||
role: roles/container.hostServiceAgentUser
|
role: roles/container.hostServiceAgentUser
|
||||||
module.service-project.google_project_iam_member.shared_vpc_host_iam["group:team-1@example.com"]:
|
module.service-project.google_project_iam_member.shared_vpc_host_iam["group:organization-admins@example.org"]:
|
||||||
condition: [ ]
|
condition: [ ]
|
||||||
project: test-host
|
project: test-host
|
||||||
role: roles/compute.networkUser
|
role: roles/compute.networkUser
|
||||||
|
|
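Review bot: The expected resource key is now `group:organization-admins@example.org`, which ties this inventory to whatever value the e2e harness supplies for `var.group_email`; a mismatch would fail the test far from its cause. A comment beside the key, `# must match var.group_email as set by the e2e fixtures`, would make that coupling visible. While touching this entry, its `condition: [ ]` could be normalized to `condition: []` to match the entry above it.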