Run KMS IAM tests in own project

google/resource_google_kms_crypto_key_iam_test.go

@@ -13,25 +13,28 @@ import (
 func TestAccGoogleKmsCryptoKeyIamBinding(t *testing.T) {
 	t.Parallel()
 
-	projectId := getTestProjectFromEnv()
+	orgId := getTestOrgFromEnv(t)
+	projectId := acctest.RandomWithPrefix("tf-test")
+	billingAccount := getTestBillingAccountFromEnv(t)
 	account := acctest.RandomWithPrefix("tf-test")
 	roleId := "roles/cloudkms.cryptoKeyDecrypter"
 	keyRingName := fmt.Sprintf("tf-test-%s", acctest.RandString(10))
 	cryptoKeyName := fmt.Sprintf("tf-test-%s", acctest.RandString(10))
+
 	resource.Test(t, resource.TestCase{
 		PreCheck:  func() { testAccPreCheck(t) },
 		Providers: testAccProviders,
 		Steps: []resource.TestStep{
 			{
 				// Test Iam Binding creation
-				Config: testAccGoogleKmsCryptoKeyIamBinding_basic(projectId, account, keyRingName, cryptoKeyName, roleId),
+				Config: testAccGoogleKmsCryptoKeyIamBinding_basic(projectId, orgId, billingAccount, account, keyRingName, cryptoKeyName, roleId),
 				Check: testAccCheckGoogleKmsCryptoKeyIamBindingExists("foo", roleId, []string{
 					fmt.Sprintf("serviceAccount:%s@%s.iam.gserviceaccount.com", account, projectId),
 				}),
 			},
 			{
 				// Test Iam Binding update
-				Config: testAccGoogleKmsCryptoKeyIamBinding_update(projectId, account, keyRingName, cryptoKeyName, roleId),
+				Config: testAccGoogleKmsCryptoKeyIamBinding_update(projectId, orgId, billingAccount, account, keyRingName, cryptoKeyName, roleId),
 				Check: testAccCheckGoogleKmsCryptoKeyIamBindingExists("foo", roleId, []string{
 					fmt.Sprintf("serviceAccount:%s@%s.iam.gserviceaccount.com", account, projectId),
 					fmt.Sprintf("serviceAccount:%s-2@%s.iam.gserviceaccount.com", account, projectId),
@@ -44,18 +47,21 @@ func TestAccGoogleKmsCryptoKeyIamBinding(t *testing.T) {
 func TestAccGoogleKmsCryptoKeyIamMember(t *testing.T) {
 	t.Parallel()
 
-	projectId := getTestProjectFromEnv()
+	orgId := getTestOrgFromEnv(t)
+	projectId := acctest.RandomWithPrefix("tf-test")
+	billingAccount := getTestBillingAccountFromEnv(t)
 	account := acctest.RandomWithPrefix("tf-test")
 	roleId := "roles/cloudkms.cryptoKeyEncrypter"
 	keyRingName := fmt.Sprintf("tf-test-%s", acctest.RandString(10))
 	cryptoKeyName := fmt.Sprintf("tf-test-%s", acctest.RandString(10))
+
 	resource.Test(t, resource.TestCase{
 		PreCheck:  func() { testAccPreCheck(t) },
 		Providers: testAccProviders,
 		Steps: []resource.TestStep{
 			{
 				// Test Iam Member creation (no update for member, no need to test)
-				Config: testAccGoogleKmsCryptoKeyIamMember_basic(projectId, account, keyRingName, cryptoKeyName, roleId),
+				Config: testAccGoogleKmsCryptoKeyIamMember_basic(projectId, orgId, billingAccount, account, keyRingName, cryptoKeyName, roleId),
 				Check: testAccCheckGoogleKmsCryptoKeyIamMemberExists("foo", roleId,
 					fmt.Sprintf("serviceAccount:%s@%s.iam.gserviceaccount.com", account, projectId),
 				),
@@ -137,19 +143,40 @@ func testAccCheckGoogleKmsCryptoKeyIamMemberExists(n, role, member string) resou
 
 // We are using a custom role since iam_binding is authoritative on the member list and
 // we want to avoid removing members from an existing role to prevent unwanted side effects.
-func testAccGoogleKmsCryptoKeyIamBinding_basic(projectId, account, keyRingName, cryptoKeyName, roleId string) string {
+func testAccGoogleKmsCryptoKeyIamBinding_basic(projectId, orgId, billingAccount, account, keyRingName, cryptoKeyName, roleId string) string {
 	return fmt.Sprintf(`
+resource "google_project" "test_project" {
+  name            = "Test project"
+  project_id      = "%s"
+  org_id          = "%s"
+  billing_account = "%s"
+}
+
+resource "google_project_services" "test_project" {
+  project = "${google_project.test_project.project_id}"
+
+  services = [
+     "cloudkms.googleapis.com",
+     "iam.googleapis.com",
+  ]
+}
+
 resource "google_service_account" "test_account" {
-  project      = "%s"
+  project      = "${google_project_services.test_project.project}"
   account_id   = "%s"
   display_name = "Iam Testing Account"
 }
 
 resource "google_kms_key_ring" "key_ring" {
-  project  = "%s"
+  project      = "${google_project_services.test_project.project}"
   location = "us-central1"
   name     = "%s"
 }
+resource "google_service_account" "test_account" {
+  project      = "%s"
+  account_id   = "%s"
+  display_name = "Iam Testing Account"
+}
 
 resource "google_kms_crypto_key" "crypto_key" {
   key_ring = "${google_kms_key_ring.key_ring.id}"
@@ -161,25 +188,41 @@ resource "google_kms_crypto_key_iam_binding" "foo" {
   role          = "%s"
   members       = ["serviceAccount:${google_service_account.test_account.email}"]
 }
-`, projectId, account, projectId, keyRingName, cryptoKeyName, roleId)
+`, projectId, orgId, billingAccount, account, keyRingName, cryptoKeyName, roleId)
 }
 
-func testAccGoogleKmsCryptoKeyIamBinding_update(projectId, account, keyRingName, cryptoKeyName, roleId string) string {
+func testAccGoogleKmsCryptoKeyIamBinding_update(projectId, orgId, billingAccount, account, keyRingName, cryptoKeyName, roleId string) string {
 	return fmt.Sprintf(`
+resource "google_project" "test_project" {
+  name            = "Test project"
+  project_id      = "%s"
+  org_id          = "%s"
+  billing_account = "%s"
+}
+
+resource "google_project_services" "test_project" {
+  project = "${google_project.test_project.project_id}"
+
+  services = [
+     "cloudkms.googleapis.com",
+     "iam.googleapis.com",
+  ]
+}
+
 resource "google_service_account" "test_account" {
-  project      = "%s"
+  project      = "${google_project_services.test_project.project}"
   account_id   = "%s"
   display_name = "Iam Testing Account"
 }
 
 resource "google_service_account" "test_account_2" {
-  project      = "%s"
+  project      = "${google_project_services.test_project.project}"
   account_id   = "%s-2"
   display_name = "Iam Testing Account"
 }
 
 resource "google_kms_key_ring" "key_ring" {
-  project  = "%s"
+  project  = "${google_project_services.test_project.project}"
   location = "us-central1"
   name     = "%s"
 }
@@ -197,23 +240,38 @@ resource "google_kms_crypto_key_iam_binding" "foo" {
     "serviceAccount:${google_service_account.test_account_2.email}"
   ]
 }
-`, projectId, account, projectId, account, projectId, keyRingName, cryptoKeyName, roleId)
+`, projectId, orgId, billingAccount, account, account, keyRingName, cryptoKeyName, roleId)
 }
 
-func testAccGoogleKmsCryptoKeyIamMember_basic(projectId, account, keyRingName, cryptoKeyName, roleId string) string {
+func testAccGoogleKmsCryptoKeyIamMember_basic(projectId, orgId, billingAccount, account, keyRingName, cryptoKeyName, roleId string) string {
 	return fmt.Sprintf(`
+resource "google_project" "test_project" {
+  name            = "Test project"
+  project_id      = "%s"
+  org_id          = "%s"
+  billing_account = "%s"
+}
+
+resource "google_project_services" "test_project" {
+  project = "${google_project.test_project.project_id}"
+
+  services = [
+     "cloudkms.googleapis.com",
+     "iam.googleapis.com",
+  ]
+}
+
 resource "google_service_account" "test_account" {
-  project      = "%s"
+  project      = "${google_project_services.test_project.project}"
   account_id   = "%s"
   display_name = "Iam Testing Account"
 }
 
 resource "google_kms_key_ring" "key_ring" {
-  project  = "%s"
+  project  = "${google_project_services.test_project.project}"
   location = "us-central1"
   name     = "%s"
 }
-
 resource "google_kms_crypto_key" "crypto_key" {
   key_ring = "${google_kms_key_ring.key_ring.id}"
   name     = "%s"
@@ -224,5 +282,5 @@ resource "google_kms_crypto_key_iam_member" "foo" {
   role          = "%s"
   member        = "serviceAccount:${google_service_account.test_account.email}"
 }
-`, projectId, account, projectId, keyRingName, cryptoKeyName, roleId)
+`, projectId, orgId, billingAccount, account, keyRingName, cryptoKeyName, roleId)
 }

google/resource_google_kms_key_ring_iam_test.go

@@ -13,24 +13,27 @@ import (
 func TestAccGoogleKmsKeyRingIamBinding(t *testing.T) {
 	t.Parallel()
 
-	projectId := getTestProjectFromEnv()
+	orgId := getTestOrgFromEnv(t)
+	projectId := acctest.RandomWithPrefix("tf-test")
+	billingAccount := getTestBillingAccountFromEnv(t)
 	account := acctest.RandomWithPrefix("tf-test")
 	roleId := "roles/cloudkms.cryptoKeyDecrypter"
 	keyRingName := fmt.Sprintf("tf-test-%s", acctest.RandString(10))
+
 	resource.Test(t, resource.TestCase{
 		PreCheck:  func() { testAccPreCheck(t) },
 		Providers: testAccProviders,
 		Steps: []resource.TestStep{
 			{
 				// Test Iam Binding creation
-				Config: testAccGoogleKmsKeyRingIamBinding_basic(projectId, account, keyRingName, roleId),
+				Config: testAccGoogleKmsKeyRingIamBinding_basic(projectId, orgId, billingAccount, account, keyRingName, roleId),
 				Check: testAccCheckGoogleKmsKeyRingIamBindingExists("foo", roleId, []string{
 					fmt.Sprintf("serviceAccount:%s@%s.iam.gserviceaccount.com", account, projectId),
 				}),
 			},
 			{
 				// Test Iam Binding update
-				Config: testAccGoogleKmsKeyRingIamBinding_update(projectId, account, keyRingName, roleId),
+				Config: testAccGoogleKmsKeyRingIamBinding_update(projectId, orgId, billingAccount, account, keyRingName, roleId),
 				Check: testAccCheckGoogleKmsKeyRingIamBindingExists("foo", roleId, []string{
 					fmt.Sprintf("serviceAccount:%s@%s.iam.gserviceaccount.com", account, projectId),
 					fmt.Sprintf("serviceAccount:%s-2@%s.iam.gserviceaccount.com", account, projectId),
@@ -43,17 +46,20 @@ func TestAccGoogleKmsKeyRingIamBinding(t *testing.T) {
 func TestAccGoogleKmsKeyRingIamMember(t *testing.T) {
 	t.Parallel()
 
-	projectId := getTestProjectFromEnv()
+	orgId := getTestOrgFromEnv(t)
+	projectId := acctest.RandomWithPrefix("tf-test")
+	billingAccount := getTestBillingAccountFromEnv(t)
 	account := acctest.RandomWithPrefix("tf-test")
 	roleId := "roles/cloudkms.cryptoKeyEncrypter"
 	keyRingName := fmt.Sprintf("tf-test-%s", acctest.RandString(10))
+
 	resource.Test(t, resource.TestCase{
 		PreCheck:  func() { testAccPreCheck(t) },
 		Providers: testAccProviders,
 		Steps: []resource.TestStep{
 			{
 				// Test Iam Member creation (no update for member, no need to test)
-				Config: testAccGoogleKmsKeyRingIamMember_basic(projectId, account, keyRingName, roleId),
+				Config: testAccGoogleKmsKeyRingIamMember_basic(projectId, orgId, billingAccount, account, keyRingName, roleId),
 				Check: testAccCheckGoogleKmsKeyRingIamMemberExists("foo", roleId,
 					fmt.Sprintf("serviceAccount:%s@%s.iam.gserviceaccount.com", account, projectId),
 				),
@@ -135,16 +141,32 @@ func testAccCheckGoogleKmsKeyRingIamMemberExists(n, role, member string) resourc
 
 // We are using a custom role since iam_binding is authoritative on the member list and
 // we want to avoid removing members from an existing role to prevent unwanted side effects.
-func testAccGoogleKmsKeyRingIamBinding_basic(projectId, account, keyRingName, roleId string) string {
+func testAccGoogleKmsKeyRingIamBinding_basic(projectId, orgId, billingAccount, account, keyRingName, roleId string) string {
 	return fmt.Sprintf(`
+resource "google_project" "test_project" {
+  name            = "Test project"
+  project_id      = "%s"
+  org_id          = "%s"
+  billing_account = "%s"
+}
+
+resource "google_project_services" "test_project" {
+  project = "${google_project.test_project.project_id}"
+
+  services = [
+     "cloudkms.googleapis.com",
+     "iam.googleapis.com",
+  ]
+}
+
 resource "google_service_account" "test_account" {
-  project      = "%s"
+  project      = "${google_project_services.test_project.project}"
   account_id   = "%s"
   display_name = "Iam Testing Account"
 }
 
 resource "google_kms_key_ring" "key_ring" {
-  project  = "%s"
+  project      = "${google_project_services.test_project.project}"
   location = "us-central1"
   name     = "%s"
 }
@@ -154,25 +176,41 @@ resource "google_kms_key_ring_iam_binding" "foo" {
   role        = "%s"
   members     = ["serviceAccount:${google_service_account.test_account.email}"]
 }
-`, projectId, account, projectId, keyRingName, roleId)
+`, projectId, orgId, billingAccount, account, keyRingName, roleId)
 }
 
-func testAccGoogleKmsKeyRingIamBinding_update(projectId, account, keyRingName, roleId string) string {
+func testAccGoogleKmsKeyRingIamBinding_update(projectId, orgId, billingAccount, account, keyRingName, roleId string) string {
 	return fmt.Sprintf(`
+resource "google_project" "test_project" {
+  name            = "Test project"
+  project_id      = "%s"
+  org_id          = "%s"
+  billing_account = "%s"
+}
+
+resource "google_project_services" "test_project" {
+  project = "${google_project.test_project.project_id}"
+
+  services = [
+     "cloudkms.googleapis.com",
+     "iam.googleapis.com",
+  ]
+}
+
 resource "google_service_account" "test_account" {
-  project      = "%s"
+  project      = "${google_project_services.test_project.project}"
   account_id   = "%s"
   display_name = "Iam Testing Account"
 }
 
 resource "google_service_account" "test_account_2" {
-  project      = "%s"
+  project      = "${google_project_services.test_project.project}"
   account_id   = "%s-2"
   display_name = "Iam Testing Account"
 }
 
 resource "google_kms_key_ring" "key_ring" {
-  project  = "%s"
+  project  = "${google_project_services.test_project.project}"
   location = "us-central1"
   name     = "%s"
 }
@@ -185,19 +223,35 @@ resource "google_kms_key_ring_iam_binding" "foo" {
     "serviceAccount:${google_service_account.test_account_2.email}"
   ]
 }
-`, projectId, account, projectId, account, projectId, keyRingName, roleId)
+`, projectId, orgId, billingAccount, account, account, keyRingName, roleId)
 }
 
-func testAccGoogleKmsKeyRingIamMember_basic(projectId, account, keyRingName, roleId string) string {
+func testAccGoogleKmsKeyRingIamMember_basic(projectId, orgId, billingAccount, account, keyRingName, roleId string) string {
 	return fmt.Sprintf(`
+resource "google_project" "test_project" {
+  name            = "Test project"
+  project_id      = "%s"
+  org_id          = "%s"
+  billing_account = "%s"
+}
+
+resource "google_project_services" "test_project" {
+  project = "${google_project.test_project.project_id}"
+
+  services = [
+     "cloudkms.googleapis.com",
+     "iam.googleapis.com",
+  ]
+}
+
 resource "google_service_account" "test_account" {
-  project      = "%s"
+  project      = "${google_project_services.test_project.project}"
   account_id   = "%s"
   display_name = "Iam Testing Account"
 }
 
 resource "google_kms_key_ring" "key_ring" {
-  project  = "%s"
+  project  = "${google_project_services.test_project.project}"
   location = "us-central1"
   name     = "%s"
 }
@@ -207,5 +261,5 @@ resource "google_kms_key_ring_iam_member" "foo" {
   role        = "%s"
   member      = "serviceAccount:${google_service_account.test_account.email}"
 }
-`, projectId, account, projectId, keyRingName, roleId)
+`, projectId, orgId, billingAccount, account, keyRingName, roleId)
 }