chore: Per-module isolation for integration tests

Makefile

@@ -62,7 +62,7 @@ docker_test_integration:
 		-e SERVICE_ACCOUNT_JSON \
 		-v "$(CURDIR)":/workspace \
 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
-		/usr/local/bin/test_integration.sh
+		cft test run all
 
 # Execute lint tests within the docker container
 .PHONY: docker_test_lint

test/setup/iam.tf

@@ -46,32 +46,103 @@ locals {
     ]
   }
 
-  int_required_project_roles = tolist(toset(flatten(values(local.per_module_roles))))
-  int_required_folder_roles = [
+  extra_project_roles_for_tests = {}
+
+  // Applied to all service accounts.
+  extra_folder_roles_for_tests = toset([
     "roles/compute.xpnAdmin"
-  ]
+  ])
+
+  // A list of items like:
+  // { module_name = "x", project_role = "role1"}
+  // { module_name = "x", project_role = "role2"}
+  // { module_name = "y", project_role = "role3"}
+  module_role_combinations = flatten(
+    [for module_name, _ in module.project :
+      [for role in setunion(local.per_module_roles[module_name], lookup(local.extra_project_roles_for_tests, module_name, [])) : {
+        module_name  = module_name
+        project_role = role
+        }
+      ]
+    ]
+  )
+  combined_roles = toset([for entry in local.module_role_combinations: entry.project_role])
+
+  module_folder_role_combinations = flatten(
+    [for module_name, _ in module.project :
+      [for role in local.extra_folder_roles_for_tests : {
+        module_name = module_name
+        folder_role = role
+        }
+      ]
+    ]
+  )
 }
 
 resource "google_service_account" "int_test" {
-  project      = module.project-ci-regional-lb-http.project_id
-  account_id   = "ci-int-lb-http"
-  display_name = "ci-int-lb-http"
+  for_each = module.project
+
+  project      = each.value.project_id
+  account_id   = "ci-account"
+  display_name = "ci-account"
 }
 
 resource "google_folder_iam_member" "int_test" {
-  count  = length(local.int_required_folder_roles)
+  for_each = {
+    for combination in local.module_folder_role_combinations :
+    "${combination.module_name}.${combination.folder_role}" => {
+      service_account = google_service_account.int_test[combination.module_name]
+      folder_role     = combination.folder_role
+    }
+  }
+
   folder = "folders/${var.folder_id}"
-  role   = local.int_required_folder_roles[count.index]
-  member = "serviceAccount:${google_service_account.int_test.email}"
+  role   = each.value.folder_role
+  member = "serviceAccount:${each.value.service_account.email}"
 }
 
 resource "google_project_iam_member" "int_test" {
-  count   = length(local.int_required_project_roles)
-  project = module.project-ci-regional-lb-http.project_id
-  role    = local.int_required_project_roles[count.index]
-  member  = "serviceAccount:${google_service_account.int_test.email}"
+  for_each = {
+    for combination in local.module_role_combinations :
+    "${combination.module_name}.${combination.project_role}" => {
+      service_account = google_service_account.int_test[combination.module_name]
+      project_role    = combination.project_role
+    }
+  }
+
+  project = each.value.service_account.project
+  role    = each.value.project_role
+  member  = "serviceAccount:${each.value.service_account.email}"
 }
 
 resource "google_service_account_key" "int_test" {
-  service_account_id = google_service_account.int_test.id
+  for_each = module.project
+
+  service_account_id = google_service_account.int_test[each.key].id
+}
+
+resource "google_service_account" "int_test_combined" {
+  project      = module.combined_project.project_id
+  account_id   = "ci-account"
+  display_name = "ci-account"
+}
+
+resource "google_folder_iam_member" "int_test_combined" {
+  for_each = local.extra_folder_roles_for_tests
+
+  folder = "folders/${var.folder_id}"
+  role   = each.key
+  member = "serviceAccount:${google_service_account.int_test_combined.email}"
+}
+
+resource "google_project_iam_member" "int_test_combined" {
+  for_each = local.combined_roles
+
+  project = module.combined_project.project_id
+  role    = each.key
+  member  = "serviceAccount:${google_service_account.int_test_combined.email}"
+}
+
+resource "google_service_account_key" "int_test_combined" {
+  service_account_id = google_service_account.int_test_combined.id
 }

test/setup/main.tf

@@ -48,9 +48,35 @@ locals {
       "iap.googleapis.com",
     ]
   }
+  extra_services_for_tests = {}
+  per_module_test_services = {
+    for module, services in local.per_module_services :
+    module => setunion(services, lookup(local.extra_services_for_tests, module, []))
+  }
+  combined_test_services = tolist(toset(flatten(values(local.per_module_test_services))))
+}
+
+module "project" {
+  for_each = local.per_module_test_services
+
+  source  = "terraform-google-modules/project-factory/google"
+  version = "~> 18.0"
+
+  name                        = "ci-int-regional-lb-http"
+  random_project_id           = true
+  org_id                      = var.org_id
+  folder_id                   = var.folder_id
+  billing_account             = var.billing_account
+  default_service_account     = "keep"
+  disable_dependent_services  = false
+  disable_services_on_destroy = false
+  deletion_policy             = "DELETE"
+
+  activate_apis = each.value
 }
 
-module "project-ci-regional-lb-http" {
+// For the tests that use mutiple modules.
+module "combined_project" {
   source  = "terraform-google-modules/project-factory/google"
   version = "~> 18.0"
 
@@ -64,5 +90,6 @@ module "project-ci-regional-lb-http" {
   disable_services_on_destroy = false
   deletion_policy             = "DELETE"
 
-  activate_apis = tolist(toset(flatten(values(local.per_module_services))))
+  activate_apis = local.combined_test_services
 }
+

test/setup/outputs.tf

@@ -14,11 +14,26 @@
  * limitations under the License.
  */
 
+// project_ids_per_module is resolved to `project_id` by the tft test framework.
+output "project_ids_per_module" {
+  value = {
+    for module_name, v in module.project : module_name => v.project_id
+  }
+}
+
+// `sa_keys_per_module` is resolved to `sa_key` by the tft test framework.
+output "sa_keys_per_module" {
+  value = {
+    for module_name, v in google_service_account_key.int_test : module_name => v.private_key
+  }
+  sensitive = true
+}
+
 output "project_id" {
-  value = module.project-ci-regional-lb-http.project_id
+  value = module.combined_project.project_id
 }
 
 output "sa_key" {
-  value     = google_service_account_key.int_test.private_key
+  value     = google_service_account_key.int_test_combined.private_key
   sensitive = true
 }