Fixes issue #18911 for Eventarc test flakiness due to IAM races (#13200) (#21680)

[upstream:e5ccde7726d6b74cc15976ecd7623dab0e991042]

Signed-off-by: Modular Magician <magic-modules@google.com>

Author: modular-magician

.changelog/13200.txt

@@ -0,0 +1,2 @@
+```release-note:none
+```

google/services/eventarc/resource_eventarc_google_channel_config_test.go

@@ -40,9 +40,13 @@ func testAccEventarcGoogleChannelConfig_basic(t *testing.T) {
 		"project_number": envvar.GetTestProjectNumberFromEnv(),
 		"region":         region,
 		"random_suffix":  acctest.RandString(t, 10),
-		"key1":           acctest.BootstrapKMSKeyWithPurposeInLocationAndName(t, "ENCRYPT_DECRYPT", region, "tf-bootstrap-eventarc-google-channel-config-key1").CryptoKey.Name,
-		"key2":           acctest.BootstrapKMSKeyWithPurposeInLocationAndName(t, "ENCRYPT_DECRYPT", region, "tf-bootstrap-eventarc-google-channel-config-key2").CryptoKey.Name,
 	}
+	acctest.BootstrapIamMembers(t, []acctest.IamMember{
+		{
+			Member: "serviceAccount:service-{project_number}@gcp-sa-eventarc.iam.gserviceaccount.com",
+			Role:   "roles/cloudkms.cryptoKeyEncrypterDecrypter",
+		},
+	})
 
 	acctest.VcrTest(t, resource.TestCase{
 		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
@@ -62,22 +66,9 @@ func testAccEventarcGoogleChannelConfig_basic(t *testing.T) {
 
 func testAccEventarcGoogleChannelConfig_basicCfg(context map[string]interface{}) string {
 	return acctest.Nprintf(`
-resource "google_kms_crypto_key_iam_member" "key1_member" {
-  crypto_key_id = "%{key1}"
-  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member        = "serviceAccount:service-%{project_number}@gcp-sa-eventarc.iam.gserviceaccount.com"
-}
-
-resource "google_kms_crypto_key_iam_member" "key2_member" {
-  crypto_key_id = "%{key2}"
-  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member        = "serviceAccount:service-%{project_number}@gcp-sa-eventarc.iam.gserviceaccount.com"
-}
-
 resource "google_eventarc_google_channel_config" "primary" {
-  location   = "%{region}"
-  name       = "googleChannelConfig"
-  depends_on = [google_kms_crypto_key_iam_member.key1_member, google_kms_crypto_key_iam_member.key2_member]
+  location = "%{region}"
+  name     = "googleChannelConfig"
 }
 `, context)
 }
@@ -89,9 +80,13 @@ func testAccEventarcGoogleChannelConfig_longForm(t *testing.T) {
 		"project_number": envvar.GetTestProjectNumberFromEnv(),
 		"region":         region,
 		"random_suffix":  acctest.RandString(t, 10),
-		"key1":           acctest.BootstrapKMSKeyWithPurposeInLocationAndName(t, "ENCRYPT_DECRYPT", region, "tf-bootstrap-eventarc-google-channel-config-key1").CryptoKey.Name,
-		"key2":           acctest.BootstrapKMSKeyWithPurposeInLocationAndName(t, "ENCRYPT_DECRYPT", region, "tf-bootstrap-eventarc-google-channel-config-key2").CryptoKey.Name,
 	}
+	acctest.BootstrapIamMembers(t, []acctest.IamMember{
+		{
+			Member: "serviceAccount:service-{project_number}@gcp-sa-eventarc.iam.gserviceaccount.com",
+			Role:   "roles/cloudkms.cryptoKeyEncrypterDecrypter",
+		},
+	})
 
 	acctest.VcrTest(t, resource.TestCase{
 		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
@@ -112,23 +107,10 @@ func testAccEventarcGoogleChannelConfig_longForm(t *testing.T) {
 
 func testAccEventarcGoogleChannelConfig_longFormCfg(context map[string]interface{}) string {
 	return acctest.Nprintf(`
-resource "google_kms_crypto_key_iam_member" "key1_member" {
-  crypto_key_id = "%{key1}"
-  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member        = "serviceAccount:service-%{project_number}@gcp-sa-eventarc.iam.gserviceaccount.com"
-}
-
-resource "google_kms_crypto_key_iam_member" "key2_member" {
-  crypto_key_id = "%{key2}"
-  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member        = "serviceAccount:service-%{project_number}@gcp-sa-eventarc.iam.gserviceaccount.com"
-}
-
 resource "google_eventarc_google_channel_config" "primary" {
-  project    = "projects/%{project_name}"
-  location   = "long/form/%{region}"
-  name       = "projects/%{project_name}/locations/%{region}/googleChannelConfig"
-  depends_on = [google_kms_crypto_key_iam_member.key1_member, google_kms_crypto_key_iam_member.key2_member]
+  project  = "projects/%{project_name}"
+  location = "long/form/%{region}"
+  name     = "projects/%{project_name}/locations/%{region}/googleChannelConfig"
 }
 `, context)
 }
@@ -143,6 +125,12 @@ func testAccEventarcGoogleChannelConfig_cryptoKeyUpdate(t *testing.T) {
 		"key1":           acctest.BootstrapKMSKeyWithPurposeInLocationAndName(t, "ENCRYPT_DECRYPT", region, "tf-bootstrap-eventarc-google-channel-config-key1").CryptoKey.Name,
 		"key2":           acctest.BootstrapKMSKeyWithPurposeInLocationAndName(t, "ENCRYPT_DECRYPT", region, "tf-bootstrap-eventarc-google-channel-config-key2").CryptoKey.Name,
 	}
+	acctest.BootstrapIamMembers(t, []acctest.IamMember{
+		{
+			Member: "serviceAccount:service-{project_number}@gcp-sa-eventarc.iam.gserviceaccount.com",
+			Role:   "roles/cloudkms.cryptoKeyEncrypterDecrypter",
+		},
+	})
 
 	acctest.VcrTest(t, resource.TestCase{
 		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
@@ -188,69 +176,30 @@ func testAccEventarcGoogleChannelConfig_cryptoKeyUpdate(t *testing.T) {
 
 func testAccEventarcGoogleChannelConfig_setCryptoKeyCfg(context map[string]interface{}) string {
 	return acctest.Nprintf(`
-resource "google_kms_crypto_key_iam_member" "key1_member" {
-  crypto_key_id = "%{key1}"
-  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member        = "serviceAccount:service-%{project_number}@gcp-sa-eventarc.iam.gserviceaccount.com"
-}
-
-resource "google_kms_crypto_key_iam_member" "key2_member" {
-  crypto_key_id = "%{key2}"
-  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member        = "serviceAccount:service-%{project_number}@gcp-sa-eventarc.iam.gserviceaccount.com"
-}
-
 resource "google_eventarc_google_channel_config" "primary" {
   location        = "%{region}"
   name            = "projects/%{project_name}/locations/%{region}/googleChannelConfig"
   crypto_key_name = "%{key1}"
-  depends_on      = [google_kms_crypto_key_iam_member.key1_member, google_kms_crypto_key_iam_member.key2_member]
 }
 `, context)
 }
 
 func testAccEventarcGoogleChannelConfig_cryptoKeyUpdateCfg(context map[string]interface{}) string {
 	return acctest.Nprintf(`
-resource "google_kms_crypto_key_iam_member" "key1_member" {
-  crypto_key_id = "%{key1}"
-  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member        = "serviceAccount:service-%{project_number}@gcp-sa-eventarc.iam.gserviceaccount.com"
-}
-
-resource "google_kms_crypto_key_iam_member" "key2_member" {
-  crypto_key_id = "%{key2}"
-  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member        = "serviceAccount:service-%{project_number}@gcp-sa-eventarc.iam.gserviceaccount.com"
-}
-
 resource "google_eventarc_google_channel_config" "primary" {
   location        = "%{region}"
   name            = "projects/%{project_name}/locations/%{region}/googleChannelConfig"
   crypto_key_name = "%{key2}"
-  depends_on      = [google_kms_crypto_key_iam_member.key1_member, google_kms_crypto_key_iam_member.key2_member]
 }
 `, context)
 }
 
 func testAccEventarcGoogleChannelConfig_deleteCryptoKeyCfg(context map[string]interface{}) string {
 	return acctest.Nprintf(`
-resource "google_kms_crypto_key_iam_member" "key1_member" {
-  crypto_key_id = "%{key1}"
-  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member        = "serviceAccount:service-%{project_number}@gcp-sa-eventarc.iam.gserviceaccount.com"
-}
-
-resource "google_kms_crypto_key_iam_member" "key2_member" {
-  crypto_key_id = "%{key2}"
-  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member        = "serviceAccount:service-%{project_number}@gcp-sa-eventarc.iam.gserviceaccount.com"
-}
-
 resource "google_eventarc_google_channel_config" "primary" {
   location        = "%{region}"
   name            = "projects/%{project_name}/locations/%{region}/googleChannelConfig"
   crypto_key_name = ""
-  depends_on      = [google_kms_crypto_key_iam_member.key1_member, google_kms_crypto_key_iam_member.key2_member]
 }
 `, context)
 }

google/services/eventarc/resource_eventarc_message_bus_test.go

@@ -41,6 +41,12 @@ func testAccEventarcMessageBus_basic(t *testing.T) {
 		"region":        envvar.GetTestRegionFromEnv(),
 		"random_suffix": acctest.RandString(t, 10),
 	}
+	acctest.BootstrapIamMembers(t, []acctest.IamMember{
+		{
+			Member: "serviceAccount:service-{project_number}@gcp-sa-eventarc.iam.gserviceaccount.com",
+			Role:   "roles/cloudkms.cryptoKeyEncrypterDecrypter",
+		},
+	})
 
 	acctest.VcrTest(t, resource.TestCase{
 		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
@@ -78,13 +84,18 @@ resource "google_eventarc_message_bus" "primary" {
 
 func testAccEventarcMessageBus_cryptoKey(t *testing.T) {
 	region := envvar.GetTestRegionFromEnv()
-
 	context := map[string]interface{}{
 		"project_number": envvar.GetTestProjectNumberFromEnv(),
 		"region":         region,
 		"key":            acctest.BootstrapKMSKeyWithPurposeInLocationAndName(t, "ENCRYPT_DECRYPT", region, "tf-bootstrap-eventarc-messagebus-key").CryptoKey.Name,
 		"random_suffix":  acctest.RandString(t, 10),
 	}
+	acctest.BootstrapIamMembers(t, []acctest.IamMember{
+		{
+			Member: "serviceAccount:service-{project_number}@gcp-sa-eventarc.iam.gserviceaccount.com",
+			Role:   "roles/cloudkms.cryptoKeyEncrypterDecrypter",
+		},
+	})
 
 	acctest.VcrTest(t, resource.TestCase{
 		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
@@ -106,34 +117,32 @@ func testAccEventarcMessageBus_cryptoKey(t *testing.T) {
 
 func testAccEventarcMessageBus_cryptoKeyCfg(context map[string]interface{}) string {
 	return acctest.Nprintf(`
-resource "google_kms_crypto_key_iam_member" "key_member" {
-  crypto_key_id = "%{key}"
-  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member        = "serviceAccount:service-%{project_number}@gcp-sa-eventarc.iam.gserviceaccount.com"
-}
-
 resource "google_eventarc_message_bus" "primary" {
   location        = "%{region}"
   message_bus_id  = "tf-test-messagebus%{random_suffix}"
   crypto_key_name = "%{key}"
   logging_config {
     log_severity = "ALERT"
   }
-  depends_on = [google_kms_crypto_key_iam_member.key_member]
 }
 `, context)
 }
 
 func testAccEventarcMessageBus_update(t *testing.T) {
 	region := envvar.GetTestRegionFromEnv()
-
 	context := map[string]interface{}{
 		"project_number": envvar.GetTestProjectNumberFromEnv(),
 		"region":         region,
 		"key1":           acctest.BootstrapKMSKeyWithPurposeInLocationAndName(t, "ENCRYPT_DECRYPT", region, "tf-bootstrap-eventarc-messagebus-key1").CryptoKey.Name,
 		"key2":           acctest.BootstrapKMSKeyWithPurposeInLocationAndName(t, "ENCRYPT_DECRYPT", region, "tf-bootstrap-eventarc-messagebus-key2").CryptoKey.Name,
 		"random_suffix":  acctest.RandString(t, 10),
 	}
+	acctest.BootstrapIamMembers(t, []acctest.IamMember{
+		{
+			Member: "serviceAccount:service-{project_number}@gcp-sa-eventarc.iam.gserviceaccount.com",
+			Role:   "roles/cloudkms.cryptoKeyEncrypterDecrypter",
+		},
+	})
 
 	acctest.VcrTest(t, resource.TestCase{
 		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
@@ -183,12 +192,6 @@ func testAccEventarcMessageBus_update(t *testing.T) {
 
 func testAccEventarcMessageBus_setCfg(context map[string]interface{}) string {
 	return acctest.Nprintf(`
-resource "google_kms_crypto_key_iam_member" "key1_member" {
-  crypto_key_id = "%{key1}"
-  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member        = "serviceAccount:service-%{project_number}@gcp-sa-eventarc.iam.gserviceaccount.com"
-}
-
 resource "google_eventarc_message_bus" "primary" {
   location        = "%{region}"
   message_bus_id  = "tf-test-messagebus%{random_suffix}"
@@ -197,25 +200,12 @@ resource "google_eventarc_message_bus" "primary" {
   logging_config {
     log_severity = "ALERT"
   }
-  depends_on = [google_kms_crypto_key_iam_member.key1_member]
 }
 `, context)
 }
 
 func testAccEventarcMessageBus_updateCfg(context map[string]interface{}) string {
 	return acctest.Nprintf(`
-resource "google_kms_crypto_key_iam_member" "key1_member" {
-  crypto_key_id = "%{key1}"
-  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member        = "serviceAccount:service-%{project_number}@gcp-sa-eventarc.iam.gserviceaccount.com"
-}
-
-resource "google_kms_crypto_key_iam_member" "key2_member" {
-  crypto_key_id = "%{key2}"
-  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member        = "serviceAccount:service-%{project_number}@gcp-sa-eventarc.iam.gserviceaccount.com"
-}
-
 resource "google_eventarc_message_bus" "primary" {
   location        = "%{region}"
   message_bus_id  = "tf-test-messagebus%{random_suffix}"
@@ -224,25 +214,12 @@ resource "google_eventarc_message_bus" "primary" {
   logging_config {
     log_severity = "DEBUG"
   }
-  depends_on = [google_kms_crypto_key_iam_member.key1_member, google_kms_crypto_key_iam_member.key2_member]
 }
 `, context)
 }
 
 func testAccEventarcMessageBus_deleteCfg(context map[string]interface{}) string {
 	return acctest.Nprintf(`
-resource "google_kms_crypto_key_iam_member" "key1_member" {
-  crypto_key_id = "%{key1}"
-  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member        = "serviceAccount:service-%{project_number}@gcp-sa-eventarc.iam.gserviceaccount.com"
-}
-
-resource "google_kms_crypto_key_iam_member" "key2_member" {
-  crypto_key_id = "%{key2}"
-  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member        = "serviceAccount:service-%{project_number}@gcp-sa-eventarc.iam.gserviceaccount.com"
-}
-
 resource "google_eventarc_message_bus" "primary" {
   location        = "%{region}"
   message_bus_id  = "tf-test-messagebus%{random_suffix}"

google/services/eventarc/resource_eventarc_trigger_generated_test.go

@@ -162,10 +162,15 @@ resource "google_eventarc_trigger" "primary" {
 
 func TestAccEventarcTrigger_eventarcTriggerWithChannelCmekExample(t *testing.T) {
 	t.Parallel()
+	acctest.BootstrapIamMembers(t, []acctest.IamMember{
+		{
+			Member: "serviceAccount:service-{project_number}@gcp-sa-eventarc.iam.gserviceaccount.com",
+			Role:   "roles/cloudkms.cryptoKeyEncrypterDecrypter",
+		},
+	})
 
 	context := map[string]interface{}{
 		"project_id":      envvar.GetTestProjectFromEnv(),
-		"project_number":  envvar.GetTestProjectNumberFromEnv(),
 		"service_account": envvar.GetTestServiceAccountFromEnv(t),
 		"key_name":        acctest.BootstrapKMSKeyWithPurposeInLocationAndName(t, "ENCRYPT_DECRYPT", "us-central1", "tf-bootstrap-eventarc-trigger-key").CryptoKey.Name,
 		"random_suffix":   acctest.RandString(t, 10),
@@ -191,18 +196,11 @@ func TestAccEventarcTrigger_eventarcTriggerWithChannelCmekExample(t *testing.T)
 
 func testAccEventarcTrigger_eventarcTriggerWithChannelCmekExample(context map[string]interface{}) string {
 	return acctest.Nprintf(`
-resource "google_kms_crypto_key_iam_member" "key_member" {
-  crypto_key_id = "%{key_name}"
-  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
-  member        = "serviceAccount:service-%{project_number}@gcp-sa-eventarc.iam.gserviceaccount.com"
-}
-
 resource "google_eventarc_channel" "test_channel" {
   location             = "us-central1"
   name                 = "tf-test-some-channel%{random_suffix}"
   crypto_key_name      = "%{key_name}"
   third_party_provider = "projects/%{project_id}/locations/us-central1/providers/datadog"
-  depends_on           = [google_kms_crypto_key_iam_member.key_member]
 }
 
 resource "google_cloud_run_service" "default" {