Iam bootstrapping generation (GoogleCloudPlatform#12797)

Author: melinath

docs/content/reference/resource.md

@@ -350,3 +350,68 @@ properties:
   - name: 'fieldOne'
     type: String
 ```
+
+## Examples
+
+### `examples`
+
+A list of configurations that are used to generate documentation and tests. Each example supports the following common
+attributes – for a full reference, see
+[examples.go ↗](https://github.com/GoogleCloudPlatform/magic-modules/blob/main/mmv1/api/resource/examples.go):
+
+- `name`: snake_case name of the example. This corresponds to the configuration file in
+  [mmv1/templates/terraform/examples](https://github.com/GoogleCloudPlatform/magic-modules/tree/main/mmv1/templates/terraform/examples) (excluding the `.go.tmpl` suffix) and is used to generate the test name and the documentation header.
+- `primary_resource_id`: The id of the resource under test. This is used by tests to automatically run additional checks.
+  Configuration files should reference this to avoid getting out of sync. For example:
+  `resource "google_compute_address" ""{{$.PrimaryResourceId}}" {`
+- `bootstrap_iam`: specify member/role pairs that should always exist. `{project_number}` will be replaced with the
+  default project's project number. This avoids race conditions when modifying the IAM permissions for the default test project.
+  Permissions attached to resources created _in_ a test should instead be provisioned with standard terraform resources.
+- `vars`: Key/value pairs of variables to inject into the configuration file. These can be referenced in the configuration file
+  with `{{index $.Vars "key"}}`. All resource IDs (even for resources not under test) should be declared with variables that
+  contain a `-` or `_`; this will ensure that, in tests, the resources are created with a `tf-test` prefix to allow automatic cleanup of dangling resources and a random suffix to avoid name collisions.
+- `test_env_vars`: Key/value pairs of variable names and special values indicating variables that should be pulled from the
+  environment during tests. These will receive a neutral default value in documentation. Common special values include:
+  `PROJECT_NAME`, `REGION`, `ORG_ID`, `BILLING_ACCT`, `SERVICE_ACCT` (the test runner service account).
+- `test_vars_overrides`: Key/value pairs of literal overrides for variables used in tests. This can be used to call functions to
+  generate or determine a variable's value.
+- `min_version`: Set this to `beta` if the resource is in the `google` provider but the example will only work with the
+  `google-beta` provider (for example, because it includes a beta-only field.)
+- `ignore_read_extra`: Properties to not check on import. This should be used in cases where a property will not be set on import,
+  for example write-only fields.
+- `exclude_test`: If set to `true`, no test will be generated based on this example.
+- `exclude_docs`: If set to `true`, no documentation will be generated based on this example.
+- `exclude_import_test`: If set to `true`, no import test will be generated for this example.
+- `skip_vcr`: See [Skip tests in VCR replaying mode]({{< ref "/test/test#skip-vcr" >}}) for more information about this flag.
+- `skip_test`: If not empty, the test generated based on this example will always be skipped. In most cases, the value should be a
+  link to a ticket explaining the issue that needs to be resolved before the test can be unskipped.
+- `external_providers`: A list of external providers that are needed for the testcase. This does add some latency to the testcase,
+  so only use if necessary. Common external providers: `random`, `time`.
+
+Example:
+
+```yaml
+examples:
+  - name: service_resource_basic
+    primary_resource_id: example
+    bootstrap_iam:
+      - member: "serviceAccount:service-{project_number}@gcp-sa-healthcare.iam.gserviceaccount.com"
+        role: "roles/bigquery.dataEditor"
+    vars:
+      dataset_id: "my-dataset"
+      network_name: "my-network"
+    test_env_vars:
+      org_id: "ORG_ID"
+    test_vars_overrides:
+      network_name: 'acctest.BootstrapSharedServiceNetworkingConnection(t, "service-resource-network-config")'
+    min_version: "beta"
+    ignore_read_extra: 
+      - 'foo'
+    exclude_test: true
+    exclude_docs: true
+    exclude_import_test: true
+    skip_vcr: true
+    skip_test: "https://github.com/hashicorp/terraform-provider-google/issues/20574"
+    external_providers:
+      - "time"
+```

docs/content/test/test.md

@@ -46,27 +46,37 @@ A create test is a test that creates the target resource and immediately destroy
 
 {{< tabs "create" >}}
 {{< tab "MMv1" >}}
-1. Using an editor of your choice, create a `*.tf.tmpl` file in [`mmv1/templates/terraform/examples/`](https://github.com/GoogleCloudPlatform/magic-modules/tree/main/mmv1/templates/terraform/examples). The name of the file should include the service name, resource name, and a descriptor. For example, `compute_subnetwork_basic.tf.tmpl`.
-2. Write the Terraform configuration for your test. This should include all of the required dependencies. For example, `google_compute_subnetwork` has a dependency on `google_compute_network`:
-   ```tf
-   resource "google_compute_subnetwork" "primary" {
-     name          = "my-subnet"
-     ip_cidr_range = "10.1.0.0/16"
-     region        = "us-central1"
-     network       = google_compute_network.network.name
-   }
-
-   resource "google_compute_network" "network" {
-     name                    = "my-network"
-     auto_create_subnetworks = false
-   }
+1. Add an entry to your `RESOURCE_NAME.yaml` file's `examples`. The fields listed here are the most commonly-used. For a comprehensive reference, see [MMv1 resource reference: `examples` ↗]({{<ref "/reference/resource#examples" >}}).
+   ```yaml
+   examples:
+     # name must correspond to a configuration file that you'll create in the next step.
+     # The name should include the product name, resource name, and a basic description
+     # of the test. This will be used to generate the test name and the documentation
+     # header.
+     - name: "PRODUCT_RESOURCE_basic"
+       # primary_resource_id will be used for the Terraform resource id in the configuration file.
+       primary_resource_id: "example"
+       # vars contains key/value pairs of variables to inject into the configuration file.
+       # These can be referenced in the configuration file as a key inside `{{$.Vars}}`.
+       # All resource IDs (even for resources not under test) should be declared
+       # with variables that contain a `-` or `_`; this will ensure that, in tests,
+       # the resources are created with a `tf-test` prefix to allow automatic cleanup
+       # of dangling resources and a random suffix to avoid name collisions.
+       vars:
+         network_name: "example-network"
+       # test_vars_overrides contains key/value pairs of literal overrides for
+       # variables used in tests. This can be used to call functions to
+       # generate or determine a variable's value – for example, bootstrapping
+       # a shared network for your product to avoid test failures due to limits
+       # on the default network.
+       test_vars_overrides:
+         network_name: 'acctest.BootstrapSharedServiceNetworkingConnection(t, "PRODUCT-RESOURCE-network-config")'
+       # Set min_version: beta if the resource is not beta-only and any beta-only fields are being tested.
+       min_version: beta
    ```
-3. If beta-only fields are being tested:
-   - Add `provider = google-beta` to every resource in the file.
-4. Modify the configuration to use templated values.
-   - Replace the id of the primary resource you are testing with `{{$.PrimaryResourceId}}`.
-   - Replace fields that are identifiers, like `id` or `name`, with an appropriately named variable. For example, `{{index $.Vars "subnetwork_name"}}`.
-   - The resulting configuration for the above example would look like this:
+
+2. Create a `.tf.tmpl` file in [`mmv1/templates/terraform/examples/`](https://github.com/GoogleCloudPlatform/magic-modules/tree/main/mmv1/templates/terraform/examples). The name of the file should match the name of the example created in the previous step. For example, `PRODUCT_RESOURCE_basic.tf.tmpl`.
+3. In that file, write the Terraform configuration for your test. This should include all of the required dependencies. For example, `google_compute_subnetwork` has a dependency on `google_compute_network`:
    ```tf
    resource "google_compute_subnetwork" "{{$.PrimaryResourceId}}" {
      name          = "{{index $.Vars "subnetwork_name"}}"
@@ -80,20 +90,8 @@ A create test is a test that creates the target resource and immediately destroy
      auto_create_subnetworks = false
    }
    ```
-5. Modify the relevant `RESOURCE_NAME.yaml` file under [magic-modules/mmv1/products](https://github.com/GoogleCloudPlatform/magic-modules/tree/main/mmv1/products) to include an [`examples`](https://github.com/GoogleCloudPlatform/magic-modules/blob/main/mmv1/api/resource/examples.go) block with your test. The `name` must match the name of your `*.tf.tmpl` file. For example:
-   ```yaml
-   examples:
-     - name: "compute_subnetwork_basic"
-       primary_resource_id: "example"
-       vars:
-         subnetwork_name: "example-subnet"
-         network_name: "example-network"
-   ```
-{{< hint warning >}}
-**Warning:** Values in `vars` must include a `-` (or `_`). They [trigger the addition of a `tf-test` prefix](https://github.com/GoogleCloudPlatform/magic-modules/blob/main/mmv1/api/resource/examples.go#L224), which the sweeper uses to clean them up after tests run.
-{{< /hint >}}
-6. If beta-only fields are being tested:
-   - Add `min_version: 'beta'` to the `examples` block in `RESOURCE_NAME.yaml`.
+4. If the resource or the example is beta-only:
+   - Add `provider = google-beta` to every resource in the file.
 {{< /tab >}}
 {{< tab "Handwritten" >}}
 This section assumes you've used the [Add a resource]({{< ref "/develop/add-resource" >}}) guide to create your handwritten resource, and you have a working MMv1 config.
@@ -273,7 +271,7 @@ func TestSignatureAlgorithmDiffSuppress(t *testing.T) {
 }
 ```
 
-## Skip tests in VCR replaying mode
+## Skip tests in VCR replaying mode {#skip-vcr}
 
 Acceptance tests are run in VCR replaying mode on PRs (using pre-recorded HTTP requests and responses) to reduce the time it takes to present results to contributors. However, not all resources or tests are possible to run in replaying mode. Incompatible tests should be skipped during VCR replaying mode. They will still run in our nightly test suite.
 

mmv1/api/resource/examples.go

@@ -28,6 +28,10 @@ import (
 	"github.com/golang/glog"
 )
 
+type IamMember struct {
+	Member, Role string
+}
+
 // Generates configs to be shown as examples in docs and outputted as tests
 // from a shared template
 type Examples struct {
@@ -49,6 +53,13 @@ type Examples struct {
 	// object parent
 	PrimaryResourceType string `yaml:"primary_resource_type,omitempty"`
 
+	// BootstrapIam will automatically bootstrap the given member/role pairs.
+	// This should be used in cases where specific IAM permissions must be
+	// present on the default test project, to avoid race conditions between
+	// tests. Permissions attached to resources created in a test should instead
+	// be provisioned with standard terraform resources.
+	BootstrapIam []IamMember `yaml:"bootstrap_iam,omitempty"`
+
 	// Vars is a Hash from template variable names to output variable names.
 	// It will use the provided value as a prefix for generated tests, and
 	// insert it into the docs verbatim.
@@ -62,18 +73,18 @@ type Examples struct {
 	//
 	// test_env_vars is a Hash from template variable names to one of the
 	// following symbols:
-	//  - :PROJECT_NAME
-	//  - :CREDENTIALS
-	//  - :REGION
-	//  - :ORG_ID
-	//  - :ORG_TARGET
-	//  - :BILLING_ACCT
-	//  - :MASTER_BILLING_ACCT
-	//  - :SERVICE_ACCT
-	//  - :CUST_ID
-	//  - :IDENTITY_USER
-	//  - :CHRONICLE_ID
-	//  - :VMWAREENGINE_PROJECT
+	//  - PROJECT_NAME
+	//  - CREDENTIALS
+	//  - REGION
+	//  - ORG_ID
+	//  - ORG_TARGET
+	//  - BILLING_ACCT
+	//  - MASTER_BILLING_ACCT
+	//  - SERVICE_ACCT
+	//  - CUST_ID
+	//  - IDENTITY_USER
+	//  - CHRONICLE_ID
+	//  - VMWAREENGINE_PROJECT
 	// This list corresponds to the `get*FromEnv` methods in provider_test.go.
 	TestEnvVars map[string]string `yaml:"test_env_vars,omitempty"`
 

mmv1/products/healthcare/DicomStore.yaml

@@ -53,8 +53,11 @@ examples:
       pubsub_topic: 'dicom-notifications'
       bq_dataset_name: 'dicom_bq_ds'
       bq_table_name: 'dicom_bq_tb'
-    test_vars_overrides:
-      'policyChanged': ' acctest.BootstrapPSARoles(t, "service-", "gcp-sa-healthcare", []string{"roles/bigquery.dataEditor", "roles/bigquery.jobUser"})'
+    bootstrap_iam:
+      - member: "serviceAccount:service-{project_number}@gcp-sa-healthcare.iam.gserviceaccount.com"
+        role: "roles/bigquery.dataEditor"
+      - member: "serviceAccount:service-{project_number}@gcp-sa-healthcare.iam.gserviceaccount.com"
+        role: "roles/bigquery.jobUser"
 parameters:
   - name: 'dataset'
     type: ResourceRef

mmv1/products/healthcare/FhirStore.yaml

@@ -51,8 +51,11 @@ examples:
       fhir_store_name: 'example-fhir-store'
       pubsub_topic: 'fhir-notifications'
       bq_dataset_name: 'bq_example_dataset'
-    test_vars_overrides:
-      'policyChanged': ' acctest.BootstrapPSARoles(t, "service-", "gcp-sa-healthcare", []string{"roles/bigquery.dataEditor", "roles/bigquery.jobUser"})'
+    bootstrap_iam:
+      - member: "serviceAccount:service-{project_number}@gcp-sa-healthcare.iam.gserviceaccount.com"
+        role: "roles/bigquery.dataEditor"
+      - member: "serviceAccount:service-{project_number}@gcp-sa-healthcare.iam.gserviceaccount.com"
+        role: "roles/bigquery.jobUser"
   - name: 'healthcare_fhir_store_notification_config'
     primary_resource_id: 'default'
     vars:

mmv1/products/pubsub/Subscription.yaml

@@ -72,17 +72,23 @@ examples:
       subscription_name: 'example-subscription'
       dataset_id: 'example_dataset'
       table_id: 'example_table'
-    test_vars_overrides:
-      policy_changed: 'acctest.BootstrapPSARoles(t, "service-", "gcp-sa-pubsub", []string{"roles/bigquery.dataEditor", "roles/bigquery.metadataViewer"})'
+    bootstrap_iam:
+      - member: "serviceAccount:service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com"
+        role: "roles/bigquery.dataEditor"
+      - member: "serviceAccount:service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com"
+        role: "roles/bigquery.metadataViewer"
   - name: 'pubsub_subscription_push_bq_table_schema'
     primary_resource_id: 'example'
     vars:
       topic_name: 'example-topic'
       subscription_name: 'example-subscription'
       dataset_id: 'example_dataset'
       table_id: 'example_table'
-    test_vars_overrides:
-      policy_changed: 'acctest.BootstrapPSARoles(t, "service-", "gcp-sa-pubsub", []string{"roles/bigquery.dataEditor", "roles/bigquery.metadataViewer"})'
+    bootstrap_iam:
+      - member: "serviceAccount:service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com"
+        role: "roles/bigquery.dataEditor"
+      - member: "serviceAccount:service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com"
+        role: "roles/bigquery.metadataViewer"
   - name: 'pubsub_subscription_push_bq_service_account'
     primary_resource_id: 'example'
     vars:

mmv1/provider/template_data.go

@@ -170,7 +170,7 @@ func (td *TemplateData) GenerateIamPolicyTestFile(filePath string, resource api.
 	templates := []string{
 		templatePath,
 		"templates/terraform/env_var_context.go.tmpl",
-		"templates/terraform/iam/iam_context.go.tmpl",
+		"templates/terraform/iam/iam_test_setup.go.tmpl",
 	}
 	td.GenerateFile(filePath, templatePath, resource, true, templates...)
 }

mmv1/templates/terraform/examples/base_configs/iam_test_file.go.tmpl

@@ -32,7 +32,7 @@ import (
 {{ $example := $.FirstTestExample }}
 func TestAcc{{ $.ResourceName }}IamBindingGenerated(t *testing.T) {
 	t.Parallel()
-{{ template "IamContext" $ }}
+{{ template "IamTestSetup" $ }}
 
 	acctest.VcrTest(t, resource.TestCase{
 		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
@@ -78,7 +78,7 @@ func TestAcc{{ $.ResourceName }}IamBindingGenerated(t *testing.T) {
 
 func TestAcc{{ $.ResourceName }}IamMemberGenerated(t *testing.T) {
 	t.Parallel()
-{{ template "IamContext" $ }}
+{{ template "IamTestSetup" $ }}
 
 	acctest.VcrTest(t, resource.TestCase{
 		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
@@ -116,7 +116,7 @@ func TestAcc{{ $.ResourceName }}IamPolicyGenerated(t *testing.T) {
 {{ if $.IamPolicy.AdminIamRole }}
 	// This may skip test, so do it first
 	sa := envvar.GetTestServiceAccountFromEnv(t)
-{{-  end }}{{ template "IamContext" $ }}
+{{-  end }}{{ template "IamTestSetup" $ }}
 {{- if $.IamPolicy.AdminIamRole }}
 	context["service_account"] = sa
 {{-  end }}
@@ -165,7 +165,7 @@ func TestAcc{{ $.ResourceName }}IamPolicyGenerated(t *testing.T) {
 {{ if $.IamPolicy.IamConditionsRequestType }}
 func TestAcc{{ $.ResourceName }}IamBindingGenerated_withCondition(t *testing.T) {
 	t.Parallel()
-{{ template "IamContext" $ }}
+{{ template "IamTestSetup" $ }}
 
 	acctest.VcrTest(t, resource.TestCase{
 		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
@@ -201,7 +201,7 @@ func TestAcc{{ $.ResourceName }}IamBindingGenerated_withAndWithoutCondition(t *t
 	// Multiple fine-grained resources
 	acctest.SkipIfVcr(t)
 	t.Parallel()
-{{ template "IamContext" $ }}
+{{ template "IamTestSetup" $ }}
 
 	acctest.VcrTest(t, resource.TestCase{
 		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
@@ -248,7 +248,7 @@ func TestAcc{{ $.ResourceName }}IamBindingGenerated_withAndWithoutCondition(t *t
 func TestAcc{{ $.ResourceName }}IamMemberGenerated_withCondition(t *testing.T) {
 	t.Parallel()
 
-{{ template "IamContext" $ }}
+{{ template "IamTestSetup" $ }}
 
 	acctest.VcrTest(t, resource.TestCase{
 		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
@@ -284,7 +284,7 @@ func TestAcc{{ $.ResourceName }}IamMemberGenerated_withAndWithoutCondition(t *te
 	// Multiple fine-grained resources
 	acctest.SkipIfVcr(t)
 	t.Parallel()
-{{ template "IamContext" $ }}
+{{ template "IamTestSetup" $ }}
 
 	acctest.VcrTest(t, resource.TestCase{
 		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
@@ -334,7 +334,7 @@ func TestAcc{{ $.ResourceName }}IamPolicyGenerated_withCondition(t *testing.T) {
 	// This may skip test, so do it first
 	sa := envvar.GetTestServiceAccountFromEnv(t)
 {{-  end }}
-{{- template "IamContext" $ }}
+{{- template "IamTestSetup" $ }}
 {{- if $.IamPolicy.AdminIamRole }}
 	context["service_account"] = sa
 {{-  end }}

mmv1/templates/terraform/examples/base_configs/test_file.go.tmpl

@@ -47,6 +47,17 @@ func TestAcc{{ $e.TestSlug $.Res.ProductMetadata.Name $.Res.Name }}(t *testing.T
 	{{- end }}
 	t.Parallel()
 
+	{{- if $e.BootstrapIam }}
+	acctest.BootstrapIamMembers(t, []acctest.IamMember{
+	{{- range $iam := $e.BootstrapIam }}
+		{
+			Member: "{{$iam.Member}}",
+			Role:   "{{$iam.Role}}",
+		},
+	{{- end}}
+	})
+	{{- end }}
+
 	context := map[string]interface{}{
 	{{- template "EnvVarContext" dict "TestEnvVars" $e.TestEnvVars "HasNewLine" false}}
 	{{- range $varKey, $varVal := $e.TestVarsOverrides }}

mmv1/templates/terraform/iam/iam_context.go.tmpl renamed to mmv1/templates/terraform/iam/iam_test_setup.go.tmpl

@@ -1,4 +1,14 @@
-{{- define "IamContext" }}
+{{- define "IamTestSetup" }}
+{{- if $.FirstTestExample.BootstrapIam }}
+	acctest.BootstrapIamMembers(t, []acctest.IamMember{
+{{- range $iam := $.FirstTestExample.BootstrapIam }}
+		{
+			Member: "{{$iam.Member}}",
+			Role:   "{{$iam.Role}}",
+		},
+{{- end}}
+	})
+{{- end }}
 	context := map[string]interface{}{
 		"random_suffix": acctest.RandString(t, 10),
 		"role":          "{{ $.IamPolicy.AllowedIamRole }}",