Conversation

@ps-occrp
Contributor

Add support for autokey in Postgres module.

For testing, it's using the same project as the autokey project for simplicity.

@ps-occrp ps-occrp requested review from a team, ayushmjain, imrannayer and q2w as code owners March 17, 2025 13:50
@imrannayer imrannayer self-assigned this Mar 17, 2025
@ps-occrp
Contributor Author

@imrannayer can you trigger lint again?

@ps-occrp
Contributor Author

@imrannayer can you trigger gcbrun?

@imrannayer
Collaborator

/gcbrun

@imrannayer
Collaborator

@ps-occrp integration test is failing with following error:

Step #1 - "prepare": ╷
Step #1 - "prepare": │ Error: Error creating AutokeyConfig: googleapi: Error 403: Permission 'cloudkms.autokeyConfigs.update' denied on resource '//cloudkms.googleapis.com/folders/784453279667/autokeyConfig' (or it may not exist).
Step #1 - "prepare": │ Details:
Step #1 - "prepare": │ [
Step #1 - "prepare": │   {
Step #1 - "prepare": │     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
Step #1 - "prepare": │     "domain": "cloudkms.googleapis.com",
Step #1 - "prepare": │     "metadata": {
Step #1 - "prepare": │       "permission": "cloudkms.autokeyConfigs.update",
Step #1 - "prepare": │       "resource": "folders/784453279667/autokeyConfig"
Step #1 - "prepare": │     },
Step #1 - "prepare": │     "reason": "IAM_PERMISSION_DENIED"
Step #1 - "prepare": │   }
Step #1 - "prepare": │ ]
Step #1 - "prepare": │ 
Step #1 - "prepare": │   with module.autokey.google_kms_autokey_config.autokey_config[0],
Step #1 - "prepare": │   on .terraform/modules/autokey/main.tf line 130, in resource "google_kms_autokey_config" "autokey_config":
Step #1 - "prepare": │  130: resource "google_kms_autokey_config" "autokey_config" {
Step #1 - "prepare": │ 
Step #1 - "prepare": ╵

@ps-occrp
Contributor Author

@imrannayer how do you suggest solving this? The service account doesn't have permission to set up autokey on the folder where the project is being created. Can we create a test folder within the current folder? I don't know if there are sufficient permissions for this as well. Also I don't know what the GCP module maintainers' policy is about this kind of thing.

@imrannayer
Collaborator

@ps-occrp check these examples

@ps-occrp
Contributor Author

@imrannayer If I understand correctly it would be something like this? And entitlement_requesters should be the service account that runs/sets up the test infra. I don't know which service account that is or how to get that information.

module "entitlement_folder" {
  source  = "GoogleCloudPlatform/pam/google"
  version = "~> 2.0"

  entitlement_id                  = "autokey-entitlement"
  parent_id                       = var.folder_id
  parent_type                     = "folder"
  organization_id                 = var.org_id
  grant_service_agent_permissions = true

  entitlement_requesters = [
    "serviceAccount:${var.entitlement_requester}",
  ]
  entitlement_approvers = ["domain:google.com"]
  role_bindings = [
    {
      role = "roles/cloudkms.autokeyAdmin"
    }
  ]
}

@imrannayer
Collaborator

@ps-occrp sorry pasted wrong link. As part of setup you can create an autokey folder/project and grant appropriate permissions. Follow this example

@imrannayer
Collaborator

@ps-occrp can u plz set this to 18.0?

@imrannayer
Collaborator

@ps-occrp seems like autokey module is restricting TF version to 5.X. Can you plz avoid that module and follow the example I sent u earlier?
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/kms_key_handle#example-usage---kms-key-handle-basic

@ps-occrp
Contributor Author

@imrannayer can you trigger it again?

@imrannayer
Collaborator

/gcbrun

@ps-occrp
Contributor Author

@imrannayer I have switched to using a module to get a random project id, can you test now? In my test environment I am able to run it.

@imrannayer
Collaborator

@ps-occrp integration test is failing to set up. Can you move the following block from setup to example? Since your service account has the appropriate permission on the folder you created, it should work fine there.

resource "google_kms_autokey_config" "autokey_config" {
  provider    = google-beta
  folder      = google_folder.autokey_folder.folder_id
  key_project = "projects/${module.autokey-project.project_id}"
  depends_on  = [time_sleep.wait_srv_acc_permissions]
}

@ps-occrp
Contributor Author

@imrannayer How should autokey folder id and project id be passed to example? Folder id I might be able to get from datasource but not sure about autokey project id. Should I use fixtures for that? If so can you point me to an example.

@imrannayer
Collaborator

@ps-occrp you can put it in output on setup and define it as same name variable in your example. This is how example gets project_id

@ps-occrp
Contributor Author

@imrannayer here I am already doing it, I think this way it should work.
PS: I have also added fixtures for same

@imrannayer
Collaborator

@ps-occrp you can remove fixtures. Just add variables in example key_project_id and folder_id

@ps-occrp
Contributor Author

@imrannayer done!

@imrannayer
Collaborator

@ps-occrp lint test is failing

@ps-occrp
Contributor Author

@imrannayer can you trigger workflow again?

@imrannayer
Collaborator

@ps-occrp can u plz add the following variables to the fixture file for postgres-ha? I thought it is called directly but it seems like the test is calling it through a fixture.

variable "key_project_id" {
  type        = string
  description = "The project where autokey is setup"
}

variable "folder_id" {
  type        = string
  description = "The folder where project is created"
}

@ps-occrp
Contributor Author

done!

@ps-occrp
Contributor Author

@imrannayer can you run gcbrun again?

@imrannayer
Collaborator

/gcbrun

@ps-occrp
Contributor Author

@imrannayer what's the issue? I think this time it's in the example, right?

@imrannayer
Collaborator

@ps-occrp in the IAM script permissions are granted on the resource project. Can you also add code to grant these permissions at the folder level?
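The wiring the two reviewers settle on across the thread (outputs from setup consumed as same-named variables in the example, the `google_kms_autokey_config` moved into the example, and the project-level IAM grant mirrored at folder level) looks roughly like this. This is an added illustration, not code from this PR or from the terraform-google-modules repository. The file paths, the `local.int_required_roles` list, `module.project` and `google_service_account.int_test` are assumptions about the test layout; `google_folder.autokey_folder` and `module.autokey-project` are the names used in the thread.

```hcl
# --- test/setup/outputs.tf (assumed path) -----------------------------------
# Expose the autokey folder and key project so the example can consume them
# as same-named variables, the same way the examples already receive project_id.
output "folder_id" {
  value = google_folder.autokey_folder.folder_id
}

output "key_project_id" {
  value = module.autokey-project.project_id
}

# --- test/setup/iam.tf (assumed path) ---------------------------------------
# Roles the integration-test service account needs. The list is an assumption;
# roles/cloudkms.autokeyAdmin is the role the thread already uses for autokey.
locals {
  int_required_roles = [
    "roles/cloudkms.autokeyAdmin",
  ]
}

# Existing pattern: grant on the resource project (module.project is assumed).
resource "google_project_iam_member" "int_test" {
  for_each = toset(local.int_required_roles)
  project  = module.project.project_id
  role     = each.value
  member   = "serviceAccount:${google_service_account.int_test.email}"
}

# Added: the same grant on the dedicated autokey folder. This is the scope the
# 403 "cloudkms.autokeyConfigs.update denied on folders/..." error was missing.
# Binding it to the test folder, not the parent folder or the org, keeps the
# test identity's blast radius limited to resources the test itself creates.
resource "google_folder_iam_member" "int_test_autokey" {
  for_each = toset(local.int_required_roles)
  folder   = google_folder.autokey_folder.name # "folders/<id>"
  role     = each.value
  member   = "serviceAccount:${google_service_account.int_test.email}"
}

# --- examples/postgres-ha/variables.tf (assumed path) -----------------------
variable "key_project_id" {
  type        = string
  description = "The project where autokey is setup"
}

variable "folder_id" {
  type        = string
  description = "The folder where project is created"
}

# --- examples/postgres-ha/main.tf (assumed path) ----------------------------
# Moved out of setup: created here, where the test service account now holds
# the folder-level permission.
resource "google_kms_autokey_config" "autokey_config" {
  provider    = google-beta
  folder      = var.folder_id
  key_project = "projects/${var.key_project_id}"
}
```

Because the resource no longer sits in setup, the setup-side `time_sleep.wait_srv_acc_permissions` from the original block no longer gates it; the example only applies after setup has completed, which normally gives the new folder binding time to propagate. If the example still hits the same 403 immediately after setup, a `time_sleep` placed in the example after the IAM resources is the usual workaround.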

@ps-occrp
Contributor Author

@imrannayer done!

@imrannayer
Collaborator

@ps-occrp can u plz fix lint issues?

@ps-occrp
Contributor Author

@imrannayer fixed linting

@imrannayer
Collaborator

/gcbrun

@imrannayer
Collaborator

/gcbrun

@imrannayer imrannayer merged commit db53c26 into terraform-google-modules:main Mar 26, 2025
4 checks passed
@ps-occrp
Contributor Author

@imrannayer can you tell me what changed between two gcbruns?
