Remove use of google_kms_crypto_key_iam_binding resources in accept…

…ance tests to reduce test failures related to missing permissions (#9590)

* Replace use of `google_kms_crypto_key_iam_binding` with `_member` equivalent

* Replace use of `google_kms_crypto_key_iam_binding` with `_member` equivalent in examples files

* Split `google_kms_crypto_key_iam_binding` with 2 members into two `_member` IAM resources in example file

* Replace `google_kms_crypto_key_iam_binding` with 5 members into `_member` IAM resources created via for_each loop

When this example is used to generate a test the crypto key used is a bootstrapped resource. By using an authoritative `_binding` IAM resource we allow conflict between tests using the same bootstrapped cypto key

* Fix mistyped argument name

* Remove use of for_each in acceptance test, create separate example files for test vs docs

* SKip `TestAccCloudfunctions2function_cloudfunctions2CmekExample` in VCR

* Skip `TestAccDataprocMetastoreService_dataprocMetastoreServiceCmekTestExample` in VCR

mmv1/products/cloudfunctions2/Function.yaml

@@ -218,6 +218,8 @@ examples:
       - 'build_config.0.source.0.storage_source.0.bucket'
   - !ruby/object:Provider::Terraform::Examples
     name: 'cloudfunctions2_cmek'
+    skip_docs: true # the example file is written in a repetitive way to help acc tests, so exclude
+    skip_vcr: true
     primary_resource_id: 'function'
     min_version: beta
     vars:
@@ -239,6 +241,20 @@ examples:
     ignore_read_extra:
       - 'build_config.0.source.0.storage_source.0.object'
       - 'build_config.0.source.0.storage_source.0.bucket'
+  - !ruby/object:Provider::Terraform::Examples
+    name: 'cloudfunctions2_cmek_docs'
+    skip_test: true # this example file will cause IAM conflicts between tests if used to make a test
+    primary_resource_id: 'function'
+    min_version: beta
+    vars:
+      function: 'function-cmek'
+      bucket_name: 'gcf-source'
+      zip_path: 'function-source.zip'
+      kms_service_name: 'cloudkms.googleapis.com'
+      cmek-repo: 'cmek-repo'
+      unencoded-ar-repo: 'ar-repo'
+      kms_key_name: 'cmek-key'
+      project: 'my-project-name'
 iam_policy: !ruby/object:Api::Resource::IamPolicy
   parent_resource_attribute: 'cloud_function'
   method_name_separator: ':'

mmv1/products/metastore/Service.yaml

@@ -66,6 +66,7 @@ examples:
   - !ruby/object:Provider::Terraform::Examples
     name: 'dataproc_metastore_service_cmek_test'
     skip_docs: true
+    skip_vcr: true
     primary_resource_id: 'default'
     vars:
       metastore_service_name: 'example-service'

mmv1/templates/terraform/examples/apigee_environment_type_test.tf.erb

@@ -86,15 +86,13 @@ resource "google_project_service_identity" "apigee_sa" {
   service = google_project_service.apigee.service
 }
 
-resource "google_kms_crypto_key_iam_binding" "apigee_sa_keyuser" {
+resource "google_kms_crypto_key_iam_member" "apigee_sa_keyuser" {
   provider = google-beta
 
   crypto_key_id = google_kms_crypto_key.apigee_key.id
   role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
 
-  members = [
-    "serviceAccount:${google_project_service_identity.apigee_sa.email}",
-  ]
+  member = "serviceAccount:${google_project_service_identity.apigee_sa.email}"
 }
 
 resource "google_apigee_organization" "apigee_org" {
@@ -109,7 +107,7 @@ resource "google_apigee_organization" "apigee_org" {
   depends_on = [
     google_service_networking_connection.apigee_vpc_connection,
     google_project_service.apigee,
-    google_kms_crypto_key_iam_binding.apigee_sa_keyuser,
+    google_kms_crypto_key_iam_member.apigee_sa_keyuser,
   ]
 }
 

mmv1/templates/terraform/examples/apigee_instance_full.tf.erb

@@ -38,13 +38,11 @@ resource "google_project_service_identity" "apigee_sa" {
   service  = google_project_service.apigee.service
 }
 
-resource "google_kms_crypto_key_iam_binding" "apigee_sa_keyuser" {
+resource "google_kms_crypto_key_iam_member" "apigee_sa_keyuser" {
   crypto_key_id = google_kms_crypto_key.apigee_key.id
   role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
 
-  members = [
-    "serviceAccount:${google_project_service_identity.apigee_sa.email}",
-  ]
+  member = "serviceAccount:${google_project_service_identity.apigee_sa.email}"
 }
 
 resource "google_apigee_organization" "apigee_org" {
@@ -57,7 +55,7 @@ resource "google_apigee_organization" "apigee_org" {
 
   depends_on = [
     google_service_networking_connection.apigee_vpc_connection,
-    google_kms_crypto_key_iam_binding.apigee_sa_keyuser,
+    google_kms_crypto_key_iam_member.apigee_sa_keyuser,
   ]
 }
 

mmv1/templates/terraform/examples/apigee_instance_full_test.tf.erb

@@ -86,15 +86,13 @@ resource "google_project_service_identity" "apigee_sa" {
   service = google_project_service.apigee.service
 }
 
-resource "google_kms_crypto_key_iam_binding" "apigee_sa_keyuser" {
+resource "google_kms_crypto_key_iam_member" "apigee_sa_keyuser" {
   provider = google-beta
 
   crypto_key_id = google_kms_crypto_key.apigee_key.id
   role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
 
-  members = [
-    "serviceAccount:${google_project_service_identity.apigee_sa.email}",
-  ]
+  member = "serviceAccount:${google_project_service_identity.apigee_sa.email}"
 }
 
 resource "google_apigee_organization" "apigee_org" {
@@ -109,7 +107,7 @@ resource "google_apigee_organization" "apigee_org" {
 
   depends_on = [
     google_service_networking_connection.apigee_vpc_connection,
-    google_kms_crypto_key_iam_binding.apigee_sa_keyuser,
+    google_kms_crypto_key_iam_member.apigee_sa_keyuser,
   ]
 }
 

mmv1/templates/terraform/examples/apigee_nat_address_basic.tf.erb

@@ -38,13 +38,11 @@ resource "google_project_service_identity" "apigee_sa" {
   service  = google_project_service.apigee.service
 }
 
-resource "google_kms_crypto_key_iam_binding" "apigee_sa_keyuser" {
+resource "google_kms_crypto_key_iam_member" "apigee_sa_keyuser" {
   crypto_key_id = google_kms_crypto_key.apigee_key.id
   role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
 
-  members = [
-    "serviceAccount:${google_project_service_identity.apigee_sa.email}",
-  ]
+  member = "serviceAccount:${google_project_service_identity.apigee_sa.email}"
 }
 
 resource "google_apigee_organization" "apigee_org" {
@@ -57,7 +55,7 @@ resource "google_apigee_organization" "apigee_org" {
 
   depends_on = [
     google_service_networking_connection.apigee_vpc_connection,
-    google_kms_crypto_key_iam_binding.apigee_sa_keyuser,
+    google_kms_crypto_key_iam_member.apigee_sa_keyuser,
   ]
 }
 

mmv1/templates/terraform/examples/apigee_organization_cloud_full.tf.erb

@@ -38,13 +38,11 @@ resource "google_project_service_identity" "apigee_sa" {
   service  = google_project_service.apigee.service
 }
 
-resource "google_kms_crypto_key_iam_binding" "apigee_sa_keyuser" {
+resource "google_kms_crypto_key_iam_member" "apigee_sa_keyuser" {
   crypto_key_id = google_kms_crypto_key.apigee_key.id
   role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
 
-  members = [
-    "serviceAccount:${google_project_service_identity.apigee_sa.email}",
-  ]
+  member = "serviceAccount:${google_project_service_identity.apigee_sa.email}"
 }
 
 resource "google_apigee_organization" "org" {
@@ -57,6 +55,6 @@ resource "google_apigee_organization" "org" {
 
   depends_on = [
     google_service_networking_connection.apigee_vpc_connection,
-    google_kms_crypto_key_iam_binding.apigee_sa_keyuser,
+    google_kms_crypto_key_iam_member.apigee_sa_keyuser,
   ]
 }

mmv1/templates/terraform/examples/apigee_organization_cloud_full_disable_vpc_peering.tf.erb

@@ -20,13 +20,11 @@ resource "google_project_service_identity" "apigee_sa" {
   service  = google_project_service.apigee.service
 }
 
-resource "google_kms_crypto_key_iam_binding" "apigee_sa_keyuser" {
+resource "google_kms_crypto_key_iam_member" "apigee_sa_keyuser" {
   crypto_key_id = google_kms_crypto_key.apigee_key.id
   role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
 
-  members = [
-    "serviceAccount:${google_project_service_identity.apigee_sa.email}",
-  ]
+  member = "serviceAccount:${google_project_service_identity.apigee_sa.email}"
 }
 
 resource "google_apigee_organization" "org" {
@@ -38,6 +36,6 @@ resource "google_apigee_organization" "org" {
   runtime_database_encryption_key_name = google_kms_crypto_key.apigee_key.id
 
   depends_on = [
-    google_kms_crypto_key_iam_binding.apigee_sa_keyuser,
+    google_kms_crypto_key_iam_member.apigee_sa_keyuser,
   ]
 }

mmv1/templates/terraform/examples/apigee_organization_cloud_full_disable_vpc_peering_test.tf.erb

@@ -51,15 +51,13 @@ resource "google_project_service_identity" "apigee_sa" {
   service = google_project_service.apigee.service
 }
 
-resource "google_kms_crypto_key_iam_binding" "apigee_sa_keyuser" {
+resource "google_kms_crypto_key_iam_member" "apigee_sa_keyuser" {
   provider = google-beta
 
   crypto_key_id = google_kms_crypto_key.apigee_key.id
   role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
 
-  members = [
-    "serviceAccount:${google_project_service_identity.apigee_sa.email}",
-  ]
+  member = "serviceAccount:${google_project_service_identity.apigee_sa.email}"
 }
 
 resource "google_apigee_organization" "<%= ctx[:primary_resource_id] %>" {
@@ -84,6 +82,6 @@ resource "google_apigee_organization" "<%= ctx[:primary_resource_id] %>" {
   }
 
   depends_on = [
-    google_kms_crypto_key_iam_binding.apigee_sa_keyuser,
+    google_kms_crypto_key_iam_member.apigee_sa_keyuser,
   ]
 }

mmv1/templates/terraform/examples/apigee_organization_cloud_full_test.tf.erb

@@ -86,15 +86,13 @@ resource "google_project_service_identity" "apigee_sa" {
   service = google_project_service.apigee.service
 }
 
-resource "google_kms_crypto_key_iam_binding" "apigee_sa_keyuser" {
+resource "google_kms_crypto_key_iam_member" "apigee_sa_keyuser" {
   provider = google-beta
 
   crypto_key_id = google_kms_crypto_key.apigee_key.id
   role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
 
-  members = [
-    "serviceAccount:${google_project_service_identity.apigee_sa.email}",
-  ]
+  member = "serviceAccount:${google_project_service_identity.apigee_sa.email}"
 }
 
 resource "google_apigee_organization" "<%= ctx[:primary_resource_id] %>" {
@@ -120,6 +118,6 @@ resource "google_apigee_organization" "<%= ctx[:primary_resource_id] %>" {
 
   depends_on = [
     google_service_networking_connection.apigee_vpc_connection,
-    google_kms_crypto_key_iam_binding.apigee_sa_keyuser,
+    google_kms_crypto_key_iam_member.apigee_sa_keyuser,
   ]
 }

mmv1/templates/terraform/examples/apigee_organization_retention_test.tf.erb

@@ -86,15 +86,13 @@ resource "google_project_service_identity" "apigee_sa" {
   service = google_project_service.apigee.service
 }
 
-resource "google_kms_crypto_key_iam_binding" "apigee_sa_keyuser" {
+resource "google_kms_crypto_key_iam_member" "apigee_sa_keyuser" {
   provider = google-beta
 
   crypto_key_id = google_kms_crypto_key.apigee_key.id
   role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
 
-  members = [
-    "serviceAccount:${google_project_service_identity.apigee_sa.email}",
-  ]
+  member = "serviceAccount:${google_project_service_identity.apigee_sa.email}"
 }
 
 resource "google_apigee_organization" "<%= ctx[:primary_resource_id] %>" {
@@ -110,7 +108,7 @@ resource "google_apigee_organization" "<%= ctx[:primary_resource_id] %>" {
   depends_on = [
     google_service_networking_connection.apigee_vpc_connection,
     google_project_service.apigee,
-    google_kms_crypto_key_iam_binding.apigee_sa_keyuser,
+    google_kms_crypto_key_iam_member.apigee_sa_keyuser,
   ]
 }
 

mmv1/templates/terraform/examples/cloudfunctions2_cmek.tf.erb

@@ -37,34 +37,58 @@ resource "google_artifact_registry_repository" "unencoded-ar-repo" {
   format = "DOCKER"
 }
 
-resource "google_artifact_registry_repository_iam_binding" "binding" {
+resource "google_artifact_registry_repository_iam_member" "member" {
   provider = google-beta
 
   location = google_artifact_registry_repository.encoded-ar-repo.location
   repository = google_artifact_registry_repository.encoded-ar-repo.name
   role = "roles/artifactregistry.admin"
-  members = [
-    "serviceAccount:service-${data.google_project.project.number}@gcf-admin-robot.iam.gserviceaccount.com",
-  ]
+  member = "serviceAccount:service-${data.google_project.project.number}@gcf-admin-robot.iam.gserviceaccount.com"
 }
 
-resource "google_kms_crypto_key_iam_binding" "gcf_cmek_keyuser" {
+resource "google_kms_crypto_key_iam_member" "gcf_cmek_keyuser_1" {
   provider = google-beta
 
   crypto_key_id = "<%= ctx[:vars]['kms_key_name'] %>"
   role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
 
-  members = [
-    "serviceAccount:service-${data.google_project.project.number}@gcf-admin-robot.iam.gserviceaccount.com",
-    "serviceAccount:service-${data.google_project.project.number}@gcp-sa-artifactregistry.iam.gserviceaccount.com",
-    "serviceAccount:service-${data.google_project.project.number}@gs-project-accounts.iam.gserviceaccount.com",
-    "serviceAccount:service-${data.google_project.project.number}@serverless-robot-prod.iam.gserviceaccount.com",
-    "serviceAccount:${google_project_service_identity.ea_sa.email}",
-  ]
+  member = "serviceAccount:service-${data.google_project.project.number}@gcf-admin-robot.iam.gserviceaccount.com"
+}
 
-  depends_on = [
-    google_project_service_identity.ea_sa
-  ]
+resource "google_kms_crypto_key_iam_member" "gcf_cmek_keyuser_2" {
+  provider = google-beta
+
+  crypto_key_id = "<%= ctx[:vars]['kms_key_name'] %>"
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+
+  member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-artifactregistry.iam.gserviceaccount.com"
+}
+
+resource "google_kms_crypto_key_iam_member" "gcf_cmek_keyuser_3" {
+  provider = google-beta
+
+  crypto_key_id = "<%= ctx[:vars]['kms_key_name'] %>"
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+
+  member = "serviceAccount:service-${data.google_project.project.number}@gs-project-accounts.iam.gserviceaccount.com"
+}
+
+resource "google_kms_crypto_key_iam_member" "gcf_cmek_keyuser_4" {
+  provider = google-beta
+
+  crypto_key_id = "<%= ctx[:vars]['kms_key_name'] %>"
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+
+  member = "serviceAccount:service-${data.google_project.project.number}@serverless-robot-prod.iam.gserviceaccount.com"
+}
+
+resource "google_kms_crypto_key_iam_member" "gcf_cmek_keyuser_5" {
+  provider = google-beta
+
+  crypto_key_id = "<%= ctx[:vars]['kms_key_name'] %>"
+  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+
+  member = "serviceAccount:${google_project_service_identity.ea_sa.email}"
 }
 
 resource "google_artifact_registry_repository" "encoded-ar-repo" {
@@ -74,8 +98,13 @@ resource "google_artifact_registry_repository" "encoded-ar-repo" {
   repository_id = "<%= ctx[:vars]['cmek-repo'] %>"
   format = "DOCKER"
   kms_key_name = "<%= ctx[:vars]['kms_key_name'] %>"
+
   depends_on = [
-    google_kms_crypto_key_iam_binding.gcf_cmek_keyuser
+    google_kms_crypto_key_iam_member.gcf_cmek_keyuser_1,
+    google_kms_crypto_key_iam_member.gcf_cmek_keyuser_2,
+    google_kms_crypto_key_iam_member.gcf_cmek_keyuser_3,
+    google_kms_crypto_key_iam_member.gcf_cmek_keyuser_4,
+    google_kms_crypto_key_iam_member.gcf_cmek_keyuser_5,
   ]
 }
 
@@ -107,7 +136,10 @@ resource "google_cloudfunctions2_function" "<%= ctx[:primary_resource_id] %>" {
   }
 
   depends_on = [
-    google_kms_crypto_key_iam_binding.gcf_cmek_keyuser
+    google_kms_crypto_key_iam_member.gcf_cmek_keyuser_1,
+    google_kms_crypto_key_iam_member.gcf_cmek_keyuser_2,
+    google_kms_crypto_key_iam_member.gcf_cmek_keyuser_3,
+    google_kms_crypto_key_iam_member.gcf_cmek_keyuser_4,
+    google_kms_crypto_key_iam_member.gcf_cmek_keyuser_5,
   ]
-
 }