
Commit 8ff36d3

authored
pubsub: additional test permissions fixes (#12311)
1 parent c17d907 commit 8ff36d3

2 files changed

+17
-25
lines changed

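--- a/mmv1/templates/terraform/examples/pubsub_subscription_push_bq_service_account.tf.tmpl
+++ b/mmv1/templates/terraform/examples/pubsub_subscription_push_bq_service_account.tf.tmpl
@@ -11,24 +11,27 @@ resource "google_pubsub_subscription" "{{$.PrimaryResourceId}}" {
 service_account_email = google_service_account.bq_write_service_account.email
 }
 
-depends_on = [google_service_account.bq_write_service_account, google_project_iam_member.viewer, google_project_iam_member.editor]
+depends_on = [
+google_service_account.bq_write_service_account,
+google_project_iam_member.bigquery_metadata_viewer,
+google_project_iam_member.bigquery_data_editor
+]
 }
 
-data "google_project" "project" {
-}
+data "google_project" "project" {}
 
 resource "google_service_account" "bq_write_service_account" {
 account_id = "{{index $.Vars "service_account_id"}}"
 display_name = "BQ Write Service Account"
 }
 
-resource "google_project_iam_member" "viewer" {
+resource "google_project_iam_member" "bigquery_metadata_viewer" {
 project = data.google_project.project.project_id
 role = "roles/bigquery.metadataViewer"
 member = "serviceAccount:${google_service_account.bq_write_service_account.email}"
 }
 
-resource "google_project_iam_member" "editor" {
+resource "google_project_iam_member" "bigquery_data_editor" {
 project = data.google_project.project.project_id
 role = "roles/bigquery.dataEditor"
 member = "serviceAccount:${google_service_account.bq_write_service_account.email}"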
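Review bot: The renamed `bigquery_metadata_viewer` and `bigquery_data_editor` resources still bind their roles with `google_project_iam_member`, so this example gives the write service account `roles/bigquery.dataEditor` across the whole project rather than only on the table the subscription writes to. If the push subscription works with a narrower grant, binding on the destination with `google_bigquery_table_iam_member` (or the dataset-level equivalent) would keep the example closer to least privilege, which matters for a template that readers are likely to copy unchanged. The table and dataset resources are not visible in this hunk, and the last resource block closes outside it.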

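--- a/mmv1/third_party/terraform/services/pubsub/resource_pubsub_subscription_test.go
+++ b/mmv1/third_party/terraform/services/pubsub/resource_pubsub_subscription_test.go
@@ -683,41 +683,32 @@ resource "google_pubsub_subscription" "foo" {
 func testAccPubsubSubscriptionBigQuery_basic(dataset, table, topic, subscription string, useTableSchema bool, serviceAccountId string) string {
 serviceAccountEmailField := ""
 serviceAccountResource := ""
+tfDependencies := ""
 if serviceAccountId != "" {
 serviceAccountResource = fmt.Sprintf(`
 resource "google_service_account" "bq_write_service_account" {
 account_id = "%s"
 display_name = "BQ Write Service Account"
 }
 
-resource "google_project_iam_member" "viewer" {
+resource "google_project_iam_member" "bigquery_metadata_viewer" {
 project = data.google_project.project.project_id
 role = "roles/bigquery.metadataViewer"
 member = "serviceAccount:${google_service_account.bq_write_service_account.email}"
 }
 
-resource "google_project_iam_member" "editor" {
+resource "google_project_iam_member" "bigquery_data_editor" {
 project = data.google_project.project.project_id
 role = "roles/bigquery.dataEditor"
 member = "serviceAccount:${google_service_account.bq_write_service_account.email}"
 }`, serviceAccountId)
 serviceAccountEmailField = "service_account_email = google_service_account.bq_write_service_account.email"
+tfDependencies = ` google_project_iam_member.bigquery_metadata_viewer,
+google_project_iam_member.bigquery_data_editor,
+time_sleep.wait_30_seconds,`
 } else {
-serviceAccountResource = fmt.Sprintf(`
-resource "google_project_iam_member" "viewer" {
-project = data.google_project.project.project_id
-role = "roles/bigquery.metadataViewer"
-member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-pubsub.iam.gserviceaccount.com"
-}
-
-resource "google_project_iam_member" "editor" {
-project = data.google_project.project.project_id
-role = "roles/bigquery.dataEditor"
-member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-pubsub.iam.gserviceaccount.com"
-}
-`)
+tfDependencies = " time_sleep.wait_30_seconds,"
 }
-
 return fmt.Sprintf(`
 data "google_project" "project" {}
 
@@ -763,12 +754,10 @@ resource "google_pubsub_subscription" "foo" {
 }
 
 depends_on = [
-google_project_iam_member.viewer,
-google_project_iam_member.editor,
-time_sleep.wait_30_seconds,
+%s
 ]
 }
-`, serviceAccountResource, dataset, table, topic, subscription, useTableSchema, serviceAccountEmailField)
+`, serviceAccountResource, dataset, table, topic, subscription, useTableSchema, serviceAccountEmailField, tfDependencies)
 }
 
 func testAccPubsubSubscriptionCloudStorage_basic(bucket, topic, subscription, filenamePrefix, filenameSuffix, filenameDatetimeFormat string, maxBytes int, maxDuration string, maxMessages int, serviceAccountId, outputFormat string) string {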
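Review bot: When `serviceAccountId` is empty, the else branch in the first hunk now sets only `tfDependencies = " time_sleep.wait_30_seconds,"` and no longer emits the two `google_project_iam_member` grants for the Pub/Sub service agent. That path therefore appears to depend on BigQuery access that already exists in the test project, and nothing in the visible lines says so. A comment above that assignment would record the precondition, for example `// Pub/Sub service agent BigQuery roles are expected to be pre-provisioned in the test project; not granted here.` It would also help to note who provisions those roles, so the test does not come to pass only where the agent holds broader access than it needs. The template body between the two hunks is not shown, so how `time_sleep.wait_30_seconds` is ordered relative to the grants cannot be checked from here.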
