From c3c18525c506bb566ab7129e53660d38b4f9e433 Mon Sep 17 00:00:00 2001
From: Abhishek Tiwari
Date: Tue, 28 Jan 2025 14:47:58 +0000
Subject: [PATCH] validate sa creation
---
 modules/instance_template/README.md | 2 +-
 modules/instance_template/main.tf | 5 ++++-
 modules/instance_template/metadata.display.yaml | 1 +
 modules/instance_template/metadata.yaml | 4 +---
 modules/instance_template/variables.tf | 2 +-
 modules/instance_template/versions.tf | 5 -----
 .../it_simple_with_sa_creation_test.go | 4 ++++
 7 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/modules/instance_template/README.md b/modules/instance_template/README.md
index a3cce1ae..951bc85c 100644
--- a/modules/instance_template/README.md
+++ b/modules/instance_template/README.md
@@ -21,7 +21,7 @@ See the [simple](../../examples/instance_template/simple) for a usage example.
 | automatic\_restart | (Optional) Specifies whether the instance should be automatically restarted if it is terminated by Compute Engine (not terminated by a user). | `bool` | `true` | no |
 | can\_ip\_forward | Enable IP forwarding, for NAT instances for example | `string` | `"false"` | no |
 | confidential\_instance\_type | Defines the confidential computing technology the instance uses. If this is set to "SEV\_SNP", var.min\_cpu\_platform will be automatically set to "AMD Milan". See https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#confidential_instance_type. | `string` | `null` | no |
-| create\_service\_account | Create a new service account to attach to the instance. This is alternate to providing the service\_account input variable. Please provide the service\_account input if setting this to false! | `bool` | `true` | no |
+| create\_service\_account | Create a new service account to attach to the instance. This is alternate to providing the service\_account input variable. Please provide the service\_account input if setting this to false. | `bool` | `true` | no |
 | description | The template's description | `string` | `""` | no |
 | disk\_encryption\_key | The id of the encryption key that is stored in Google Cloud KMS to use to encrypt all the disks on this instance | `string` | `null` | no |
 | disk\_labels | Labels to be assigned to boot disk, provided as a map | `map(string)` | `{}` | no |
diff --git a/modules/instance_template/main.tf b/modules/instance_template/main.tf
index 841dd9a2..46579867 100644
--- a/modules/instance_template/main.tf
+++ b/modules/instance_template/main.tf
@@ -85,13 +85,16 @@ locals {
 # Service account
 resource "google_service_account" "sa" {
- count = local.create_service_account ? 1 : 0
+ provider = google-beta
+ count = local.create_service_account ? 1 : 0
+ project = var.project_id
 account_id = "${local.service_account_prefix}-sa"
 display_name = "Service account for ${var.name_prefix} in ${var.region}"
 }
 resource "google_project_iam_member" "roles" {
+ provider = google-beta
 for_each = toset(distinct(var.service_account_project_roles))
 project = var.project_id
diff --git a/modules/instance_template/metadata.display.yaml b/modules/instance_template/metadata.display.yaml
index 9018f305..bac451ca 100644
--- a/modules/instance_template/metadata.display.yaml
+++ b/modules/instance_template/metadata.display.yaml
@@ -178,6 +178,7 @@ spec:
 source_image_project:
 name: source_image_project
 title: Source Image Project
+ level: 1
 spot:
 name: spot
 title: Spot
diff --git a/modules/instance_template/metadata.yaml b/modules/instance_template/metadata.yaml
index 7d90ed9a..e1d03df3 100644
--- a/modules/instance_template/metadata.yaml
+++ b/modules/instance_template/metadata.yaml
@@ -302,7 +302,7 @@ spec:
 outputExpr: email
 inputPath: email
 - name: create_service_account
- description: Create a new service account to attach to the instance. This is alternate to providing the service_account input variable. Please provide the service_account input if setting this to false!
+ description: Create a new service account to attach to the instance. This is alternate to providing the service_account input variable. Please provide the service_account input if setting this to false.
 varType: bool
 defaultValue: true
 - name: service_account_project_roles
@@ -424,7 +424,5 @@ spec:
 - compute.googleapis.com
 - iam.googleapis.com
 providerVersions:
- - source: hashicorp/google
- version: ">= 5.36, < 7"
 - source: hashicorp/google-beta
 version: ">= 5.36, < 7"
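Review bot: The `provider = google-beta` lines added on `google_service_account.sa` and `google_project_iam_member.roles` pin only these two resources, while versions.tf in this same commit drops `hashicorp/google` from required_providers; any other `google_*` resource in main.tf that is left without an explicit provider (none are visible in this hunk, so this is inferred) would then fall back to an implicit, version-unconstrained `hashicorp/google` instead of the `>= 5.36, < 7` range the module intends. Either set `provider = google-beta` on every resource in the module or keep the `google` entry in versions.tf so the pin still applies. A short comment above the block would spare the next reader the same question, e.g. `# Pinned to google-beta: the only provider the module now declares (see versions.tf).` The `google_project_iam_member.roles` block continues past the end of the hunk.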
diff --git a/modules/instance_template/variables.tf b/modules/instance_template/variables.tf index 841b3fcc..69a6d3e1 100644 --- a/modules/instance_template/variables.tf +++ b/modules/instance_template/variables.tf @@ -333,7 +333,7 @@ variable "service_account" { variable "create_service_account" { type = bool - description = "Create a new service account to attach to the instance. This is alternate to providing the service_account input variable. Please provide the service_account input if setting this to false!" + description = "Create a new service account to attach to the instance. This is alternate to providing the service_account input variable. Please provide the service_account input if setting this to false." default = true } diff --git a/modules/instance_template/versions.tf b/modules/instance_template/versions.tf index 363feb2a..35e4dd0d 100644 --- a/modules/instance_template/versions.tf +++ b/modules/instance_template/versions.tf @@ -17,11 +17,6 @@ terraform { required_version = ">=1.3" required_providers { - google = { - source = "hashicorp/google" - version = ">= 5.36, < 7" - } - google-beta = { source = "hashicorp/google-beta" version = ">= 5.36, < 7" diff --git a/test/integration/it_simple_with_sa_creation/it_simple_with_sa_creation_test.go b/test/integration/it_simple_with_sa_creation/it_simple_with_sa_creation_test.go index 9c67f33b..c498381b 100644 --- a/test/integration/it_simple_with_sa_creation/it_simple_with_sa_creation_test.go +++ b/test/integration/it_simple_with_sa_creation/it_simple_with_sa_creation_test.go @@ -27,6 +27,7 @@ func TestInstanceTemplateSimpleSAModule(t *testing.T) { const instanceNamePrefix = "it-simple-sa" const expected_templates = 1 + const expected_sa = 1 insSimpleT := tft.NewTFBlueprintTest(t) insSimpleT.DefineVerify(func(assert *assert.Assertions) { 
@@ -34,6 +35,9 @@ func TestInstanceTemplateSimpleSAModule(t *testing.T) {
 instance_templates := gcloud.Run(t, fmt.Sprintf("compute instance-templates list --project %s --filter name~%s", insSimpleT.GetStringOutput("project_id"), instanceNamePrefix))
 assert.Equal(expected_templates, len(instance_templates.Array()), fmt.Sprintf("should have %d instance_templates", expected_templates))
+
+ service_accounts := gcloud.Run(t, fmt.Sprintf("iam service-accounts list --project %s --filter email~%s", insSimpleT.GetStringOutput("project_id"), instanceNamePrefix))
+ assert.Equal(expected_sa, len(service_accounts.Array()), fmt.Sprintf("should have %d service_accounts", expected_sa))
 })
 insSimpleT.Test()
 }
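Review bot: The new `service_accounts` lookup filters with `email~%s`, an unanchored regex match on `instanceNamePrefix`, so any pre-existing or leftover service account in the project whose email merely contains `it-simple-sa` makes the count 2 and fails the assertion, and a count of 1 only shows that some account exists, not that the template is attached to it. If `local.service_account_prefix` is derived from the name prefix (not visible here), anchoring the pattern, e.g. `--filter email~^%s`, tightens the match, and asserting that the instance template's attached service-account email equals the listed account's email would actually validate the wiring the commit title describes. The `DefineVerify` callback this code sits in opens in the previous hunk, outside this one.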