
Commit 5043834

melinathanoopkverma-google
authored andcommitted
Removed usage of bootstrap PSA role helpers (GoogleCloudPlatform#12822)
1 parent e86b067 commit 5043834

14 files changed

+137
-71
lines changed

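--- a/mmv1/products/cloudfunctions2/Function.yaml
+++ b/mmv1/products/cloudfunctions2/Function.yaml
@@ -111,6 +111,9 @@ examples:
 exclude_test: true
 - name: 'cloudfunctions2_basic_gcs'
 primary_resource_id: 'function'
+bootstrap_iam:
+- member: "serviceAccount:service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com"
+role: "roles/cloudkms.cryptoKeyEncrypterDecrypter"
 vars:
 bucket_name_source: 'gcf-source-bucket'
 bucket_name_trigger: 'gcf-trigger-bucket'
@@ -122,13 +125,15 @@ examples:
 test_vars_overrides:
 'zip_path': '"./test-fixtures/function-source-eventarc-gcs.zip"'
 'primary_resource_id': '"terraform-test"'
-'policyChanged': 'acctest.BootstrapPSARole(t, "service-", "gcp-sa-pubsub", "roles/cloudkms.cryptoKeyEncrypterDecrypter")'
 # ignore these fields during import step
 ignore_read_extra:
 - 'build_config.0.source.0.storage_source.0.object'
 - 'build_config.0.source.0.storage_source.0.bucket'
 - name: 'cloudfunctions2_basic_auditlogs'
 primary_resource_id: 'function'
+bootstrap_iam:
+- member: "serviceAccount:service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com"
+role: "roles/cloudkms.cryptoKeyEncrypterDecrypter"
 vars:
 bucket_name_source: 'gcf-source-bucket'
 bucket_name_auditlogs: 'gcf-auditlog-bucket'
@@ -140,7 +145,6 @@ examples:
 test_vars_overrides:
 'zip_path': '"./test-fixtures/function-source-eventarc-gcs.zip"'
 'primary_resource_id': '"terraform-test"'
-'policyChanged': 'acctest.BootstrapPSARole(t, "service-", "gcp-sa-pubsub", "roles/cloudkms.cryptoKeyEncrypterDecrypter")'
 # ignore these fields during import step
 ignore_read_extra:
 - 'build_config.0.source.0.storage_source.0.object'
@@ -165,6 +169,9 @@ examples:
 external_providers: ["random", "time"]
 - name: 'cloudfunctions2_secret_env'
 primary_resource_id: 'function'
+bootstrap_iam:
+- member: "serviceAccount:service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com"
+role: "roles/cloudkms.cryptoKeyEncrypterDecrypter"
 vars:
 function: 'function-secret'
 bucket_name: 'gcf-source'
@@ -175,13 +182,15 @@ examples:
 test_vars_overrides:
 'location': '"us-central1"'
 'zip_path': '"./test-fixtures/function-source.zip"'
-'policyChanged': 'acctest.BootstrapPSARole(t, "service-", "gcp-sa-pubsub", "roles/cloudkms.cryptoKeyEncrypterDecrypter")'
 # ignore these fields during import step
 ignore_read_extra:
 - 'build_config.0.source.0.storage_source.0.object'
 - 'build_config.0.source.0.storage_source.0.bucket'
 - name: 'cloudfunctions2_secret_volume'
 primary_resource_id: 'function'
+bootstrap_iam:
+- member: "serviceAccount:service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com"
+role: "roles/cloudkms.cryptoKeyEncrypterDecrypter"
 vars:
 function: 'function-secret'
 bucket_name: 'gcf-source'
@@ -192,7 +201,6 @@ examples:
 test_vars_overrides:
 'location': '"us-central1"'
 'zip_path': '"./test-fixtures/function-source.zip"'
-'policyChanged': 'acctest.BootstrapPSARole(t, "service-", "gcp-sa-pubsub", "roles/cloudkms.cryptoKeyEncrypterDecrypter")'
 # ignore these fields during import step
 ignore_read_extra:
 - 'build_config.0.source.0.storage_source.0.object'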
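Review bot: The four `bootstrap_iam` stanzas grant the Pub/Sub service agent `roles/cloudkms.cryptoKeyEncrypterDecrypter` with no comment on the scope of the binding or on why each example needs it. The scope is not visible in this file; the comment kept in TestAccContainerCluster_WithCPAFeatures describes the equivalent bootstrap as covering all Cloud KMS keys in the project, so the same is presumably true here. A comment above the first stanza would stop the pattern being copied into real configurations, for example `# Test bootstrap only: gives the service agent KMS encrypt/decrypt across the test project; bind the role on the individual key in real deployments.` The same applies to the `compute-system` stanza added in MachineImage.yaml.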

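--- a/mmv1/products/compute/MachineImage.yaml
+++ b/mmv1/products/compute/MachineImage.yaml
@@ -55,13 +55,14 @@ examples:
 - name: 'compute_machine_image_kms'
 primary_resource_id: 'image'
 primary_resource_name: 'fmt.Sprintf("tf-test-my-image%s", context["random_suffix"])'
+bootstrap_iam:
+- member: "serviceAccount:service-{project_number}@compute-system.iam.gserviceaccount.com"
+role: "roles/cloudkms.cryptoKeyEncrypterDecrypter"
 vars:
 vm_name: 'my-vm'
 image_name: 'my-image'
 key_name: 'key'
 keyring_name: 'keyring'
-test_vars_overrides:
-'policyChanged': 'acctest.BootstrapPSARole(t, "service-", "compute-system", "roles/cloudkms.cryptoKeyEncrypterDecrypter")'
 parameters:
 properties:
 - name: 'name'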

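--- a/mmv1/third_party/terraform/services/cloudfunctions2/resource_cloudfunctions2_function_test.go
+++ b/mmv1/third_party/terraform/services/cloudfunctions2/resource_cloudfunctions2_function_test.go
@@ -190,9 +190,12 @@ func TestAccCloudFunctions2Function_fullUpdate(t *testing.T) {
 "random_suffix": acctest.RandString(t, 10),
 }
 
-if acctest.BootstrapPSARole(t, "service-", "gcp-sa-pubsub", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
-t.Fatal("Stopping the test because a binding was added.")
-}
+acctest.BootstrapIamMembers(t, []acctest.IamMember{
+{
+Member: "serviceAccount:service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com",
+Role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
+},
+})
 
 acctest.VcrTest(t, resource.TestCase{
 PreCheck: func() { acctest.AccTestPreCheck(t) },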
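Review bot: The replacement call at new lines 193-198 no longer stops the test when a binding has just been added, which the removed `t.Fatal` branch did. `BootstrapIamMembers` is not shown in this commit, so it is unclear whether it waits for a new binding to take effect; IAM changes are eventually consistent, and if the helper returns straight after writing the policy, the first run in a fresh project could fail later with a KMS permission error that is hard to trace back to bootstrapping. A line above the call would record the expectation, e.g. `// NOTE: confirm BootstrapIamMembers waits for (or fails on) a newly added binding before KMS-backed resources are created.` The same replacement is made in every other test-file section of this commit, and the function body continues outside the hunk.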

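--- a/mmv1/third_party/terraform/services/compute/resource_compute_disk_test.go.tmpl
+++ b/mmv1/third_party/terraform/services/compute/resource_compute_disk_test.go.tmpl
@@ -588,9 +588,12 @@ func TestAccComputeDisk_encryptionKMS(t *testing.T) {
 importID := fmt.Sprintf("%s/%s/%s", pid, "us-central1-a", diskName)
 var disk compute.Disk
 
-if acctest.BootstrapPSARole(t, "service-", "compute-system", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
-t.Fatal("Stopping the test because a role was added to the policy.")
-}
+acctest.BootstrapIamMembers(t, []acctest.IamMember{
+{
+Member: "serviceAccount:service-{project_number}@compute-system.iam.gserviceaccount.com",
+Role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
+},
+})
 
 acctest.VcrTest(t, resource.TestCase{
 PreCheck: func() { acctest.AccTestPreCheck(t) },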

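--- a/mmv1/third_party/terraform/services/compute/resource_compute_instance_test.go.tmpl
+++ b/mmv1/third_party/terraform/services/compute/resource_compute_instance_test.go.tmpl
@@ -743,9 +743,12 @@ func TestAccComputeInstance_kmsDiskEncryption(t *testing.T) {
 },
 }
 
-if acctest.BootstrapPSARole(t, "service-", "compute-system", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
-t.Fatal("Stopping the test because a role was added to the policy.")
-}
+acctest.BootstrapIamMembers(t, []acctest.IamMember{
+{
+Member: "serviceAccount:service-{project_number}@compute-system.iam.gserviceaccount.com",
+Role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
+},
+})
 
 acctest.VcrTest(t, resource.TestCase{
 PreCheck: func() { acctest.AccTestPreCheck(t) },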

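--- a/mmv1/third_party/terraform/services/container/resource_container_cluster_test.go.tmpl
+++ b/mmv1/third_party/terraform/services/container/resource_container_cluster_test.go.tmpl
@@ -2367,9 +2367,12 @@ func TestAccContainerCluster_withBootDiskKmsKey(t *testing.T) {
 networkName := acctest.BootstrapSharedTestNetwork(t, "gke-cluster")
 subnetworkName := acctest.BootstrapSubnet(t, "gke-cluster", networkName)
 
-if acctest.BootstrapPSARole(t, "service-", "compute-system", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
-t.Fatal("Stopping the test because a role was added to the policy.")
-}
+acctest.BootstrapIamMembers(t, []acctest.IamMember{
+{
+Member: "serviceAccount:service-{project_number}@compute-system.iam.gserviceaccount.com",
+Role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
+},
+})
 
 acctest.VcrTest(t, resource.TestCase{
 PreCheck: func() { acctest.AccTestPreCheck(t) },
@@ -4414,9 +4417,12 @@ func TestAccContainerCluster_nodeAutoprovisioningDefaultsBootDiskKmsKey(t *testi
 networkName := acctest.BootstrapSharedTestNetwork(t, "gke-cluster")
 subnetworkName := acctest.BootstrapSubnet(t, "gke-cluster", networkName)
 
-if acctest.BootstrapPSARole(t, "service-", "compute-system", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
-t.Fatal("Stopping the test because a role was added to the policy.")
-}
+acctest.BootstrapIamMembers(t, []acctest.IamMember{
+{
+Member: "serviceAccount:service-{project_number}@compute-system.iam.gserviceaccount.com",
+Role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
+},
+})
 
 acctest.VcrTest(t, resource.TestCase{
 PreCheck: func() { acctest.AccTestPreCheck(t) },
@@ -5544,14 +5550,20 @@ func TestAccContainerCluster_WithCPAFeatures(t *testing.T) {
 // *ALL* Cloud KMS keys in the project. A more realistic usage would be to
 // grant the service agent the necessary roles only on the individual keys
 // we have created.
-roles := []string{
-"roles/container.cloudKmsKeyUser",
-"roles/privateca.certificateManager",
-"roles/cloudkms.cryptoKeyEncrypterDecrypter",
-}
-if acctest.BootstrapPSARoles(t, "service-", "container-engine-robot", roles) {
-t.Fatal("Stopping the test because a role was added to the policy.")
-}
+acctest.BootstrapIamMembers(t, []acctest.IamMember{
+{
+Member: "serviceAccount:service-{project_number}@container-engine-robot.iam.gserviceaccount.com",
+Role: "roles/container.cloudKmsKeyUser",
+},
+{
+Member: "serviceAccount:service-{project_number}@container-engine-robot.iam.gserviceaccount.com",
+Role: "roles/privateca.certificateManager",
+},
+{
+Member: "serviceAccount:service-{project_number}@container-engine-robot.iam.gserviceaccount.com",
+Role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
+},
+})
 
 // Find an active cryptoKeyVersion on the signing key.
 var signingCryptoKeyVersion *cloudkms.CryptoKeyVersion
@@ -11464,9 +11476,12 @@ func TestAccContainerCluster_withConfidentialBootDisk(t *testing.T) {
 networkName := acctest.BootstrapSharedTestNetwork(t, "gke-cluster")
 subnetworkName := acctest.BootstrapSubnet(t, "gke-cluster", networkName)
 
-if acctest.BootstrapPSARole(t, "service-", "compute-system", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
-t.Fatal("Stopping the test because a role was added to the policy.")
-}
+acctest.BootstrapIamMembers(t, []acctest.IamMember{
+{
+Member: "serviceAccount:service-{project_number}@compute-system.iam.gserviceaccount.com",
+Role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
+},
+})
 
 acctest.VcrTest(t, resource.TestCase{
 PreCheck: func() { acctest.AccTestPreCheck(t) },
@@ -11527,9 +11542,12 @@ func TestAccContainerCluster_withConfidentialBootDiskNodeConfig(t *testing.T) {
 networkName := acctest.BootstrapSharedTestNetwork(t, "gke-cluster")
 subnetworkName := acctest.BootstrapSubnet(t, "gke-cluster", networkName)
 
-if acctest.BootstrapPSARole(t, "service-", "compute-system", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
-t.Fatal("Stopping the test because a role was added to the policy.")
-}
+acctest.BootstrapIamMembers(t, []acctest.IamMember{
+{
+Member: "serviceAccount:service-{project_number}@compute-system.iam.gserviceaccount.com",
+Role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
+},
+})
 
 acctest.VcrTest(t, resource.TestCase{
 PreCheck: func() { acctest.AccTestPreCheck(t) },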
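Review bot: In the TestAccContainerCluster_WithCPAFeatures hunk (new lines 5553-5566) the same service-agent string is written out three times, so a typo in one copy would bind that role to a different principal with no compile-time signal. Hoisting it keeps the three entries in step: `gkeAgent := "serviceAccount:service-{project_number}@container-engine-robot.iam.gserviceaccount.com"` and then `{Member: gkeAgent, Role: "roles/container.cloudKmsKeyUser"},` for each role. The retained comment above the call still describes the grant as covering all Cloud KMS keys in the project, which stays accurate only if BootstrapIamMembers binds at project level; that is not visible here. The function body starts and ends outside the hunk.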

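--- a/mmv1/third_party/terraform/services/container/resource_container_node_pool_test.go.tmpl
+++ b/mmv1/third_party/terraform/services/container/resource_container_node_pool_test.go.tmpl
@@ -881,9 +881,12 @@ func TestAccContainerNodePool_withBootDiskKmsKey(t *testing.T) {
 networkName := acctest.BootstrapSharedTestNetwork(t, "gke-cluster")
 subnetworkName := acctest.BootstrapSubnet(t, "gke-cluster", networkName)
 
-if acctest.BootstrapPSARole(t, "service-", "compute-system", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
-t.Fatal("Stopping the test because a role was added to the policy.")
-}
+acctest.BootstrapIamMembers(t, []acctest.IamMember{
+{
+Member: "serviceAccount:service-{project_number}@compute-system.iam.gserviceaccount.com",
+Role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
+},
+})
 
 acctest.VcrTest(t, resource.TestCase{
 PreCheck: func() { acctest.AccTestPreCheck(t) },
@@ -4355,9 +4358,12 @@ func TestAccContainerNodePool_withConfidentialBootDisk(t *testing.T) {
 networkName := acctest.BootstrapSharedTestNetwork(t, "gke-cluster")
 subnetworkName := acctest.BootstrapSubnet(t, "gke-cluster", networkName)
 
-if acctest.BootstrapPSARole(t, "service-", "compute-system", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
-t.Fatal("Stopping the test because a role was added to the policy.")
-}
+acctest.BootstrapIamMembers(t, []acctest.IamMember{
+{
+Member: "serviceAccount:service-{project_number}@compute-system.iam.gserviceaccount.com",
+Role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
+},
+})
 
 acctest.VcrTest(t, resource.TestCase{
 PreCheck: func() { acctest.AccTestPreCheck(t) },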

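--- a/mmv1/third_party/terraform/services/dataflow/resource_dataflow_flex_template_job_test.go.tmpl
+++ b/mmv1/third_party/terraform/services/dataflow/resource_dataflow_flex_template_job_test.go.tmpl
@@ -306,13 +306,16 @@ func TestAccDataflowFlexTemplateJob_withKmsKey(t *testing.T) {
 bucket := "tf-test-dataflow-bucket-" + randStr
 topic := "tf-test-topic" + randStr
 
-if acctest.BootstrapPSARole(t, "service-", "compute-system", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
-t.Fatal("Stopping the test because a role was added to the policy.")
-}
-
-if acctest.BootstrapPSARole(t, "service-", "dataflow-service-producer-prod", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
-t.Fatal("Stopping the test because a role was added to the policy.")
-}
+acctest.BootstrapIamMembers(t, []acctest.IamMember{
+{
+Member: "serviceAccount:service-{project_number}@compute-system.iam.gserviceaccount.com",
+Role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
+},
+{
+Member: "serviceAccount:service-{project_number}@dataflow-service-producer-prod.iam.gserviceaccount.com",
+Role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
+},
+})
 
 acctest.VcrTest(t, resource.TestCase{
 PreCheck: func() { acctest.AccTestPreCheck(t) },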

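--- a/mmv1/third_party/terraform/services/dataflow/resource_dataflow_job_test.go.tmpl
+++ b/mmv1/third_party/terraform/services/dataflow/resource_dataflow_job_test.go.tmpl
@@ -422,13 +422,16 @@ func TestAccDataflowJob_withKmsKey(t *testing.T) {
 job := "tf-test-dataflow-job-" + randStr
 zone := "us-east5-b"
 
-if acctest.BootstrapPSARole(t, "service-", "compute-system", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
-t.Fatal("Stopping the test because a role was added to the policy.")
-}
-
-if acctest.BootstrapPSARole(t, "service-", "dataflow-service-producer-prod", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
-t.Fatal("Stopping the test because a role was added to the policy.")
-}
+acctest.BootstrapIamMembers(t, []acctest.IamMember{
+{
+Member: "serviceAccount:service-{project_number}@compute-system.iam.gserviceaccount.com",
+Role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
+},
+{
+Member: "serviceAccount:service-{project_number}@dataflow-service-producer-prod.iam.gserviceaccount.com",
+Role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
+},
+})
 
 acctest.VcrTest(t, resource.TestCase{
 PreCheck: func() { acctest.AccTestPreCheck(t) },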

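--- a/mmv1/third_party/terraform/services/dataproc/resource_dataproc_cluster_test.go.tmpl
+++ b/mmv1/third_party/terraform/services/dataproc/resource_dataproc_cluster_test.go.tmpl
@@ -1052,9 +1052,12 @@ func TestAccDataprocCluster_KMS(t *testing.T) {
 subnetworkName := acctest.BootstrapSubnet(t, "dataproc-cluster", networkName)
 acctest.BootstrapFirewallForDataprocSharedNetwork(t, "dataproc-cluster", networkName)
 
-if acctest.BootstrapPSARole(t, "service-", "compute-system", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
-t.Fatal("Stopping the test because a role was added to the policy.")
-}
+acctest.BootstrapIamMembers(t, []acctest.IamMember{
+{
+Member: "serviceAccount:service-{project_number}@compute-system.iam.gserviceaccount.com",
+Role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
+},
+})
 
 var cluster dataproc.Cluster
 acctest.VcrTest(t, resource.TestCase{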

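--- a/mmv1/third_party/terraform/services/pubsub/resource_pubsub_subscription_test.go
+++ b/mmv1/third_party/terraform/services/pubsub/resource_pubsub_subscription_test.go
@@ -241,9 +241,16 @@ func TestAccPubsubSubscriptionBigQuery_serviceAccount(t *testing.T) {
 topic := fmt.Sprintf("tf-test-topic-%s", acctest.RandString(t, 10))
 subscriptionShort := fmt.Sprintf("tf-test-sub-%s", acctest.RandString(t, 10))
 
-if acctest.BootstrapPSARoles(t, "service-", "gcp-sa-pubsub", []string{"roles/bigquery.dataEditor", "roles/bigquery.metadataViewer"}) {
-t.Fatal("Stopping the test because roles were added to IAM policy.")
-}
+acctest.BootstrapIamMembers(t, []acctest.IamMember{
+{
+Member: "serviceAccount:service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com",
+Role: "roles/bigquery.dataEditor",
+},
+{
+Member: "serviceAccount:service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com",
+Role: "roles/bigquery.metadataViewer",
+},
+})
 
 acctest.VcrTest(t, resource.TestCase{
 PreCheck: func() { acctest.AccTestPreCheck(t) },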

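--- a/mmv1/third_party/terraform/services/pubsub/resource_pubsub_topic_test.go
+++ b/mmv1/third_party/terraform/services/pubsub/resource_pubsub_topic_test.go
@@ -48,9 +48,12 @@ func TestAccPubsubTopic_cmek(t *testing.T) {
 kms := acctest.BootstrapKMSKey(t)
 topicName := fmt.Sprintf("tf-test-%s", acctest.RandString(t, 10))
 
-if acctest.BootstrapPSARole(t, "service-", "gcp-sa-pubsub", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
-t.Fatal("Stopping the test because a role was added to the policy.")
-}
+acctest.BootstrapIamMembers(t, []acctest.IamMember{
+{
+Member: "serviceAccount:service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com",
+Role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
+},
+})
 
 acctest.VcrTest(t, resource.TestCase{
 PreCheck: func() { acctest.AccTestPreCheck(t) },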

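--- a/mmv1/third_party/terraform/services/spanner/resource_spanner_database_test.go.tmpl
+++ b/mmv1/third_party/terraform/services/spanner/resource_spanner_database_test.go.tmpl
@@ -520,10 +520,12 @@ resource "google_spanner_database" "database" {
 func TestAccSpannerDatabase_cmek(t *testing.T) {
 t.Parallel()
 
-// Handle bootstrapping out of band so we don't need beta provider, and for consistency with mrcmek test
-if acctest.BootstrapPSARole(t, "service-", "gcp-sa-spanner", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
-t.Fatal("Stopping the test because a role was added to the policy.")
-}
+acctest.BootstrapIamMembers(t, []acctest.IamMember{
+{
+Member: "serviceAccount:service-{project_number}@gcp-sa-spanner.iam.gserviceaccount.com",
+Role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
+},
+})
 
 // Make the keys outside of Terraform so that a) the project isn't littered with a key from each run and b) so that VCR
 // can work.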
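Review bot: The comment explaining why the role is bootstrapped out of band (no beta provider needed, consistency with the mrcmek test) is dropped in TestAccSpannerDatabase_cmek, and the new call at lines 523-528 carries no explanation. If the reason still holds, keep it above the call, e.g. `// Bootstrap the Spanner service agent's KMS role out of band so the test does not need the beta provider.` The function body continues past the end of the hunk.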

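--- a/mmv1/third_party/terraform/services/workflows/resource_workflows_workflow_test.go.tmpl
+++ b/mmv1/third_party/terraform/services/workflows/resource_workflows_workflow_test.go.tmpl
@@ -287,9 +287,12 @@ func TestAccWorkflowsWorkflow_CMEK(t *testing.T) {
 
 workflowName := fmt.Sprintf("tf-test-acc-workflow-%d", acctest.RandInt(t))
 kms := acctest.BootstrapKMSKeyInLocation(t, "us-central1")
-if acctest.BootstrapPSARole(t, "service-", "gcp-sa-workflows", "roles/cloudkms.cryptoKeyEncrypterDecrypter") {
-t.Fatal("Stopping the test because a role was added to the policy.")
-}
+acctest.BootstrapIamMembers(t, []acctest.IamMember{
+{
+Member: "serviceAccount:service-{project_number}@gcp-sa-workflows.iam.gserviceaccount.com",
+Role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
+},
+})
 
 acctest.VcrTest(t, resource.TestCase{
 PreCheck: func() { acctest.AccTestPreCheck(t) },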
