Make the project field required for project IAM resources (#5332) (#3767

) Signed-off-by: Modular Magician <[email protected]>
hashicorp · Oct 25, 2021 · aaeaa34 · aaeaa34
1 parent 65b9e19
commit aaeaa34
Show file tree

Hide file tree

Showing 30 changed files with 132 additions and 64 deletions.
diff --git a/.changelog/5332.txt b/.changelog/5332.txt
@@ -0,0 +1,3 @@
+```release-note:breaking-change
+resourcemanager: changed the `project` field to `Required` in all `google_project_iam_*` resources
+```
diff --git a/google-beta/iam_project.go b/google-beta/iam_project.go
@@ -9,18 +9,6 @@ import (
 )
 
 var IamProjectSchema = map[string]*schema.Schema{
-	"project": {
-		Type:             schema.TypeString,
-		Optional:         true,
-		Computed:         true,
-		ForceNew:         true,
-		DiffSuppressFunc: compareProjectName,
-	},
-}
-
-// In google_project_iam_policy, project is required and not inferred by
-// getProject.
-var IamPolicyProjectSchema = map[string]*schema.Schema{
 	"project": {
 		Type:             schema.TypeString,
 		Required:         true,
@@ -36,25 +24,6 @@ type ProjectIamUpdater struct {
 }
 
 func NewProjectIamUpdater(d TerraformResourceData, config *Config) (ResourceIamUpdater, error) {
-	pid, err := getProject(d, config)
-	if err != nil {
-		return nil, err
-	}
-
-	if err := d.Set("project", pid); err != nil {
-		return nil, fmt.Errorf("Error setting project: %s", err)
-	}
-
-	return &ProjectIamUpdater{
-		resourceId: pid,
-		d:          d,
-		Config:     config,
-	}, nil
-}
-
-// NewProjectIamPolicyUpdater is similar to NewProjectIamUpdater, except that it
-// doesn't call getProject and only uses an explicitly set project.
-func NewProjectIamPolicyUpdater(d TerraformResourceData, config *Config) (ResourceIamUpdater, error) {
 	return &ProjectIamUpdater{
 		resourceId: d.Get("project").(string),
 		d:          d,

diff --git a/google-beta/provider.go b/google-beta/provider.go
@@ -1408,7 +1408,7 @@ func ResourceMapWithErrors() (map[string]*schema.Resource, error) {
 			"google_organization_iam_member":             ResourceIamMember(IamOrganizationSchema, NewOrganizationIamUpdater, OrgIdParseFunc),
 			"google_organization_iam_policy":             ResourceIamPolicy(IamOrganizationSchema, NewOrganizationIamUpdater, OrgIdParseFunc),
 			"google_organization_iam_audit_config":       ResourceIamAuditConfig(IamOrganizationSchema, NewOrganizationIamUpdater, OrgIdParseFunc),
-			"google_project_iam_policy":                  ResourceIamPolicy(IamPolicyProjectSchema, NewProjectIamPolicyUpdater, ProjectIdParseFunc),
+			"google_project_iam_policy":                  ResourceIamPolicy(IamProjectSchema, NewProjectIamUpdater, ProjectIdParseFunc),
 			"google_project_iam_binding":                 ResourceIamBindingWithBatching(IamProjectSchema, NewProjectIamUpdater, ProjectIdParseFunc, IamBatchingEnabled),
 			"google_project_iam_member":                  ResourceIamMemberWithBatching(IamProjectSchema, NewProjectIamUpdater, ProjectIdParseFunc, IamBatchingEnabled),
 			"google_project_iam_audit_config":            ResourceIamAuditConfigWithBatching(IamProjectSchema, NewProjectIamUpdater, ProjectIdParseFunc, IamBatchingEnabled),

diff --git a/google-beta/resource_bigquery_data_transfer_config_test.go b/google-beta/resource_bigquery_data_transfer_config_test.go
@@ -190,6 +190,8 @@ func testAccBigqueryDataTransferConfig_scheduledQuery(random_suffix, schedule, s
 data "google_project" "project" {}
 
 resource "google_project_iam_member" "permissions" {
+  project = data.google_project.project.project_id
+
   role   = "roles/iam.serviceAccountShortTermTokenMinter"
   member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-bigquerydatatransfer.iam.gserviceaccount.com"
 }
@@ -243,6 +245,8 @@ resource "google_service_account" "bqwriter" {
 }
 
 resource "google_project_iam_member" "data_editor" {
+  project = data.google_project.project.project_id
+
   role   = "roles/bigquery.dataEditor"
   member = "serviceAccount:${google_service_account.bqwriter.email}"
 }
@@ -277,6 +281,7 @@ func testAccBigqueryDataTransferConfig_scheduledQueryNoDestination(random_suffix
 data "google_project" "project" {}
 
 resource "google_project_iam_member" "permissions" {
+  project = data.google_project.project.project_id
   role   = "roles/iam.serviceAccountShortTermTokenMinter"
   member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-bigquerydatatransfer.iam.gserviceaccount.com"
 }
@@ -315,6 +320,7 @@ func testAccBigqueryDataTransferConfig_booleanParam(random_suffix string) string
 data "google_project" "project" {}
 
 resource "google_project_iam_member" "permissions" {
+  project = data.google_project.project.project_id
   role   = "roles/iam.serviceAccountShortTermTokenMinter"
   member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-bigquerydatatransfer.iam.gserviceaccount.com"
 }

diff --git a/google-beta/resource_bigquery_job_generated_test.go b/google-beta/resource_bigquery_job_generated_test.go
@@ -404,6 +404,7 @@ data "google_project" "project" {
 }
 
 resource "google_project_iam_member" "encrypt_role" {
+  project = data.google_project.project.project_id
   role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
   member = "serviceAccount:bq-${data.google_project.project.number}@bigquery-encryption.iam.gserviceaccount.com"
 }
@@ -558,6 +559,7 @@ data "google_project" "project" {
 }
 
 resource "google_project_iam_member" "encrypt_role" {
+  project = data.google_project.project.project_id
   role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
   member = "serviceAccount:bq-${data.google_project.project.number}@bigquery-encryption.iam.gserviceaccount.com"
 }

diff --git a/google-beta/resource_cloudbuild_trigger_generated_test.go b/google-beta/resource_cloudbuild_trigger_generated_test.go
@@ -178,6 +178,8 @@ func TestAccCloudBuildTrigger_cloudbuildTriggerServiceAccountExample(t *testing.
 
 func testAccCloudBuildTrigger_cloudbuildTriggerServiceAccountExample(context map[string]interface{}) string {
 	return Nprintf(`
+data "google_project" "project" {}
+
 resource "google_cloudbuild_trigger" "service-account-trigger" {
   trigger_template {
     branch_name = "master"
@@ -197,11 +199,13 @@ resource "google_service_account" "cloudbuild_service_account" {
 }
 
 resource "google_project_iam_member" "act_as" {
+  project = data.google_project.project.project_id
   role    = "roles/iam.serviceAccountUser"
   member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
 }
 
 resource "google_project_iam_member" "logs_writer" {
+  project = data.google_project.project.project_id
   role    = "roles/logging.logWriter"
   member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
 }

diff --git a/google-beta/resource_cloudfunctions_function_test.go b/google-beta/resource_cloudfunctions_function_test.go
@@ -847,8 +847,10 @@ resource "google_cloudfunctions_function" "function" {
 
 func testAccCloudFunctionsFunction_vpcConnector(projectNumber, networkName, functionName, bucketName, zipFilePath, vpcIp, vpcConnectorName string) string {
 	return fmt.Sprintf(`
+data "google_project" "project" {}
 
 resource "google_project_iam_member" "gcfadmin" {
+  project = data.google_project.project.project_id
   role     = "roles/editor"
   member   = "serviceAccount:service-%[email protected]"
 }

diff --git a/google-beta/resource_composer_environment_test.go b/google-beta/resource_composer_environment_test.go
@@ -1116,6 +1116,8 @@ resource "google_compute_subnetwork" "test" {
 
 func testAccComposerEnvironment_nodeCfg(environment, network, subnetwork, serviceAccount string) string {
 	return fmt.Sprintf(`
+data "google_project" "project" {}
+
 resource "google_composer_environment" "test" {
 	name   = "%s"
 	region = "us-east1"  # later should be changed to us-central1, when ip_masq_agent feature is accessible globally
@@ -1155,6 +1157,7 @@ resource "google_service_account" "test" {
 }
 
 resource "google_project_iam_member" "composer-worker" {
+	project = data.google_project.project.project_id
 	role   = "roles/composer.worker"
 	member = "serviceAccount:${google_service_account.test.email}"
 }

diff --git a/google-beta/resource_dataflow_flex_template_job_test.go b/google-beta/resource_dataflow_flex_template_job_test.go
@@ -210,11 +210,14 @@ resource "google_dataflow_flex_template_job" "job" {
 // note: this config creates a job that doesn't actually do anything, but still runs
 func testAccDataflowFlexTemplateJob_serviceAccount(job, accountId, zone string) string {
 	return fmt.Sprintf(`
+data "google_project" "project" {}
+
 resource "google_service_account" "dataflow-sa" {
   account_id   = "%s"
   display_name = "DataFlow Service Account"
 }
 resource "google_project_iam_member" "dataflow-worker" {
+  project = data.google_project.project.project_id
   role   = "roles/dataflow.worker"
   member = "serviceAccount:${google_service_account.dataflow-sa.email}"
 }

diff --git a/google-beta/resource_dataflow_job_test.go b/google-beta/resource_dataflow_job_test.go
@@ -721,6 +721,8 @@ resource "google_dataflow_job" "big_data" {
 
 func testAccDataflowJob_serviceAccount(bucket, job, accountId string) string {
 	return fmt.Sprintf(`
+data "google_project" "project" {}
+
 resource "google_storage_bucket" "temp" {
   name = "%s"
   force_destroy = true
@@ -738,6 +740,7 @@ resource "google_storage_bucket_iam_member" "dataflow-gcs" {
 }
 
 resource "google_project_iam_member" "dataflow-worker" {
+  project = data.google_project.project.project_id
   role   = "roles/dataflow.worker"
   member = "serviceAccount:${google_service_account.dataflow-sa.email}"
 }

diff --git a/google-beta/resource_dataproc_cluster_test.go b/google-beta/resource_dataproc_cluster_test.go
@@ -13,9 +13,8 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
 
-	"google.golang.org/api/googleapi"
-
 	dataproc "google.golang.org/api/dataproc/v1beta2"
+	"google.golang.org/api/googleapi"
 )
 
 func TestDataprocExtractInitTimeout(t *testing.T) {
@@ -1508,11 +1507,14 @@ resource "google_dataproc_cluster" "with_lifecycle_config" {
 
 func testAccDataprocCluster_withServiceAcc(sa string, rnd string) string {
 	return fmt.Sprintf(`
+data "google_project" "project" {}
+
 resource "google_service_account" "service_account" {
   account_id = "%s"
 }
 
 resource "google_project_iam_member" "service_account" {
+  project = data.google_project.project.project_id
   role   = "roles/dataproc.worker"
   member = "serviceAccount:${google_service_account.service_account.email}"
 }

diff --git a/google-beta/resource_dialogflowcx_agent_test.go b/google-beta/resource_dialogflowcx_agent_test.go
@@ -41,11 +41,14 @@ func TestAccDialogflowCXAgent_update(t *testing.T) {
 
 func testAccDialogflowCXAgent_basic(context map[string]interface{}) string {
 	return Nprintf(`
+	data "google_project" "project" {}
+
 	resource "google_service_account" "dialogflowcx_service_account" {
 		account_id = "tf-test-dialogflow-%{random_suffix}"
 	}
-	  
+
 	resource "google_project_iam_member" "agent_create" {
+		project = data.google_project.project.project_id
 		role    = "roles/dialogflow.admin"
 		member  = "serviceAccount:${google_service_account.dialogflowcx_service_account.email}"
 	}
@@ -65,11 +68,14 @@ func testAccDialogflowCXAgent_basic(context map[string]interface{}) string {
 
 func testAccDialogflowCXAgent_full(context map[string]interface{}) string {
 	return Nprintf(`
-    resource "google_service_account" "dialogflowcx_service_account" {
+	data "google_project" "project" {}
+
+	resource "google_service_account" "dialogflowcx_service_account" {
 		account_id = "tf-test-dialogflow-%{random_suffix}"
 	}
-	  
+
 	resource "google_project_iam_member" "agent_create" {
+		project = data.google_project.project.project_id
 		role    = "roles/dialogflow.admin"
 		member  = "serviceAccount:${google_service_account.dialogflowcx_service_account.email}"
 	}

diff --git a/google-beta/resource_dialogflowcx_entity_type_test.go b/google-beta/resource_dialogflowcx_entity_type_test.go
@@ -41,11 +41,14 @@ func TestAccDialogflowCXEntityType_update(t *testing.T) {
 
 func testAccDialogflowCXEntityType_basic(context map[string]interface{}) string {
 	return Nprintf(`
+	data "google_project" "project" {}
+
 	resource "google_service_account" "dialogflowcx_service_account" {
 		account_id = "tf-test-dialogflow-%{random_suffix}"
 	}
-	  
+
 	resource "google_project_iam_member" "agent_create" {
+		project = data.google_project.project.project_id
 		role    = "roles/dialogflow.admin"
 		member  = "serviceAccount:${google_service_account.dialogflowcx_service_account.email}"
 	}
@@ -80,11 +83,14 @@ func testAccDialogflowCXEntityType_basic(context map[string]interface{}) string
 
 func testAccDialogflowCXEntityType_full(context map[string]interface{}) string {
 	return Nprintf(`
-    resource "google_service_account" "dialogflowcx_service_account" {
+	data "google_project" "project" {}
+
+	resource "google_service_account" "dialogflowcx_service_account" {
 		account_id = "tf-test-dialogflow-%{random_suffix}"
 	}
-	  
+
 	resource "google_project_iam_member" "agent_create" {
+		project = data.google_project.project.project_id
 		role    = "roles/dialogflow.admin"
 		member  = "serviceAccount:${google_service_account.dialogflowcx_service_account.email}"
 	}

diff --git a/google-beta/resource_dialogflowcx_environment_test.go b/google-beta/resource_dialogflowcx_environment_test.go
@@ -41,11 +41,14 @@ func TestAccDialogflowCXEnvironment_update(t *testing.T) {
 
 func testAccDialogflowCXEnvironment_basic(context map[string]interface{}) string {
 	return Nprintf(`
+	data "google_project" "project" {}
+
 	resource "google_service_account" "dialogflowcx_service_account" {
 		account_id = "tf-test-dialogflow-%{random_suffix}"
 	}
-	  
+
 	resource "google_project_iam_member" "agent_create" {
+		project = data.google_project.project.project_id
 		role    = "roles/dialogflow.admin"
 		member  = "serviceAccount:${google_service_account.dialogflowcx_service_account.email}"
 	}
@@ -79,11 +82,14 @@ func testAccDialogflowCXEnvironment_basic(context map[string]interface{}) string
 
 func testAccDialogflowCXEnvironment_full(context map[string]interface{}) string {
 	return Nprintf(`
-    resource "google_service_account" "dialogflowcx_service_account" {
+	data "google_project" "project" {}
+
+	resource "google_service_account" "dialogflowcx_service_account" {
 		account_id = "tf-test-dialogflow-%{random_suffix}"
 	}
-	  
+
 	resource "google_project_iam_member" "agent_create" {
+		project = data.google_project.project.project_id
 		role    = "roles/dialogflow.admin"
 		member  = "serviceAccount:${google_service_account.dialogflowcx_service_account.email}"
 	}

diff --git a/google-beta/resource_dialogflowcx_flow_test.go b/google-beta/resource_dialogflowcx_flow_test.go
@@ -41,11 +41,14 @@ func TestAccDialogflowCXFlow_update(t *testing.T) {
 
 func testAccDialogflowCXFlow_basic(context map[string]interface{}) string {
 	return Nprintf(`
+	data "google_project" "project" {}
+
 	resource "google_service_account" "dialogflowcx_service_account" {
 		account_id = "tf-test-dialogflow-%{random_suffix}"
 	}
-	  
+
 	resource "google_project_iam_member" "agent_create" {
+		project = data.google_project.project.project_id
 		role    = "roles/dialogflow.admin"
 		member  = "serviceAccount:${google_service_account.dialogflowcx_service_account.email}"
 	}
@@ -75,11 +78,14 @@ func testAccDialogflowCXFlow_basic(context map[string]interface{}) string {
 
 func testAccDialogflowCXFlow_full(context map[string]interface{}) string {
 	return Nprintf(`
-    resource "google_service_account" "dialogflowcx_service_account" {
+	data "google_project" "project" {}
+
+	resource "google_service_account" "dialogflowcx_service_account" {
 		account_id = "tf-test-dialogflow-%{random_suffix}"
 	}
-	  
+
 	resource "google_project_iam_member" "agent_create" {
+		project = data.google_project.project.project_id
 		role    = "roles/dialogflow.admin"
 		member  = "serviceAccount:${google_service_account.dialogflowcx_service_account.email}"
 	}

diff --git a/google-beta/resource_dialogflowcx_intent_test.go b/google-beta/resource_dialogflowcx_intent_test.go
@@ -41,11 +41,14 @@ func TestAccDialogflowCXIntent_update(t *testing.T) {
 
 func testAccDialogflowCXIntent_basic(context map[string]interface{}) string {
 	return Nprintf(`
+	data "google_project" "project" {}
+
 	resource "google_service_account" "dialogflowcx_service_account" {
 		account_id = "tf-test-dialogflow-%{random_suffix}"
 	}
-	  
+
 	resource "google_project_iam_member" "agent_create" {
+		project = data.google_project.project.project_id
 		role    = "roles/dialogflow.admin"
 		member  = "serviceAccount:${google_service_account.dialogflowcx_service_account.email}"
 	}
@@ -97,11 +100,14 @@ func testAccDialogflowCXIntent_basic(context map[string]interface{}) string {
 
 func testAccDialogflowCXIntent_full(context map[string]interface{}) string {
 	return Nprintf(`
-    resource "google_service_account" "dialogflowcx_service_account" {
+	data "google_project" "project" {}
+
+	resource "google_service_account" "dialogflowcx_service_account" {
 		account_id = "tf-test-dialogflow-%{random_suffix}"
 	}
-	  
+
 	resource "google_project_iam_member" "agent_create" {
+		project = data.google_project.project.project_id
 		role    = "roles/dialogflow.admin"
 		member  = "serviceAccount:${google_service_account.dialogflowcx_service_account.email}"
 	}