
Conversation

daniel-cit
Contributor

@daniel-cit daniel-cit commented Oct 3, 2025

This PR adds a set of depends to the module that creates the CI/CD project to prevent errors when granting roles to resources in that project during a retry of execution.

Additionally this PR also fixes an error related to the service 'alpha-documentai.googleapis.com' not being supported any more as a restricted service in VPC-SC

@daniel-cit
Contributor Author

Error and trigger of a retry

Step #3 - "converge-bootstrap": TestBootstrap 2025-10-04T00:07:12Z command.go:185: Error: Error applying IAM policy for KMS CryptoKey "projects/REDACTED_SEED_PROJECT/locations/us-central1/keyRings/kbv-keyring/cryptoKeys/kbv-key": Error setting IAM policy for KMS CryptoKey "projects/REDACTED_SEED_PROJECT/locations/us-central1/keyRings/kbv-keyring/cryptoKeys/kbv-key": googleapi: Error 400: Service account service-REDACTED_SEED_PROJECT_NUMBER@gs-project-accounts.iam.gserviceaccount.com does not exist., badRequest
Step #3 - "converge-bootstrap": TestBootstrap 2025-10-04T00:07:12Z command.go:185: 
Step #3 - "converge-bootstrap": TestBootstrap 2025-10-04T00:07:12Z command.go:185:   with module.seed_bootstrap.module.kms[0].google_kms_crypto_key_iam_binding.decrypters[0],
Step #3 - "converge-bootstrap": TestBootstrap 2025-10-04T00:07:12Z command.go:185:   on .terraform/modules/seed_bootstrap.kms/main.tf line 82, in resource "google_kms_crypto_key_iam_binding" "decrypters":
Step #3 - "converge-bootstrap": TestBootstrap 2025-10-04T00:07:12Z command.go:185:   82: resource "google_kms_crypto_key_iam_binding" "decrypters" {
Step #3 - "converge-bootstrap": TestBootstrap 2025-10-04T00:07:12Z command.go:185: 
Step #3 - "converge-bootstrap": TestBootstrap 2025-10-04T00:07:12Z retry.go:144: 'terraform [apply -input=false -auto-approve -var bucket_tfstate_kms_force_destroy=true -var folder_deletion_protection=false -var workflow_deletion_protection=false -var project_deletion_policy=DELETE -var bucket_force_destroy=true -no-color -lock=false]' failed with the error 'error while running command: exit status 1; 
Step #3 - "converge-bootstrap": Error: Error applying IAM policy for KMS CryptoKey "projects/REDACTED_SEED_PROJECT/locations/us-central1/keyRings/kbv-keyring/cryptoKeys/kbv-key": Error setting IAM policy for KMS CryptoKey "projects/REDACTED_SEED_PROJECT/locations/us-central1/keyRings/kbv-keyring/cryptoKeys/kbv-key": googleapi: Error 400: Service account service-REDACTED_SEED_PROJECT_NUMBER@gs-project-accounts.iam.gserviceaccount.com does not exist., badRequest
Step #3 - "converge-bootstrap": 
Step #3 - "converge-bootstrap":   with module.seed_bootstrap.module.kms[0].google_kms_crypto_key_iam_binding.decrypters[0],
Step #3 - "converge-bootstrap":   on .terraform/modules/seed_bootstrap.kms/main.tf line 82, in resource "google_kms_crypto_key_iam_binding" "decrypters":
Step #3 - "converge-bootstrap":   82: resource "google_kms_crypto_key_iam_binding" "decrypters" {
Step #3 - "converge-bootstrap": ' but this error was expected and warrants a retry. Further details: Error setting IAM policy
Step #3 - "converge-bootstrap": 
Step #3 - "converge-bootstrap": TestBootstrap 2025-10-04T00:07:12Z retry.go:103: terraform [apply -input=false -auto-approve -var bucket_tfstate_kms_force_destroy=true -var folder_deletion_protection=false -var workflow_deletion_protection=false -var project_deletion_policy=DELETE -var bucket_force_destroy=true -no-color -lock=false] returned an error: error while running command: exit status 1; 
Step #3 - "converge-bootstrap": Error: Error applying IAM policy for KMS CryptoKey "projects/REDACTED_SEED_PROJECT/locations/us-central1/keyRings/kbv-keyring/cryptoKeys/kbv-key": Error setting IAM policy for KMS CryptoKey "projects/REDACTED_SEED_PROJECT/locations/us-central1/keyRings/kbv-keyring/cryptoKeys/kbv-key": googleapi: Error 400: Service account service-REDACTED_SEED_PROJECT_NUMBER@gs-project-accounts.iam.gserviceaccount.com does not exist., badRequest
Step #3 - "converge-bootstrap": 
Step #3 - "converge-bootstrap":   with module.seed_bootstrap.module.kms[0].google_kms_crypto_key_iam_binding.decrypters[0],
Step #3 - "converge-bootstrap":   on .terraform/modules/seed_bootstrap.kms/main.tf line 82, in resource "google_kms_crypto_key_iam_binding" "decrypters":
Step #3 - "converge-bootstrap":   82: resource "google_kms_crypto_key_iam_binding" "decrypters" {
Step #3 - "converge-bootstrap": . Sleeping for 2m0s and will try again.

Build was successful after the retry

Step #3 - "converge-bootstrap": TestBootstrap 2025-10-04T00:18:09Z command.go:185: Terraform has been successfully initialized!
Step #3 - "converge-bootstrap": 2025/10/04 00:18:09 RUN_STAGE env var set to apply
Step #3 - "converge-bootstrap": 2025/10/04 00:18:09 Skipping stage verify
Step #3 - "converge-bootstrap": 2025/10/04 00:18:09 RUN_STAGE env var set to apply
Step #3 - "converge-bootstrap": 2025/10/04 00:18:09 Skipping stage teardown
Step #3 - "converge-bootstrap": --- PASS: TestBootstrap (1220.52s)
Step #3 - "converge-bootstrap": PASS
Step #3 - "converge-bootstrap": ok  	github.com/terraform-google-modules/terraform-example-foundation/test/integration/bootstrap	1220.576s
Finished Step #3 - "converge-bootstrap"

@daniel-cit daniel-cit marked this pull request as ready for review October 4, 2025 00:36
@daniel-cit
Contributor Author

@apeabody Could you PTAL?

@apeabody
Contributor

apeabody commented Oct 6, 2025

/gemini review

Contributor

@apeabody apeabody left a comment

Thanks @daniel-cit!


@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request addresses two separate issues: it adds explicit depends_on attributes to several Terraform resources to mitigate propagation delays during retries, and it removes an unsupported service from the VPC Service Controls configuration. The changes are generally good and address the stated goals. I have one suggestion to make one of the new dependencies more specific, which should improve the robustness of the fix.

role = "roles/artifactregistry.reader"
member = "serviceAccount:${google_service_account.terraform-env-sa[each.key].email}"

depends_on = [module.tf_source]

medium

For better dependency clarity and robustness, it's recommended to make this dependency more specific. This resource grants permissions on an Artifact Registry repository, which is created by module.tf_cloud_builder. While module.tf_cloud_builder depends on module.tf_source, explicitly depending on module.tf_cloud_builder ensures that the repository is fully created before attempting to modify its IAM policy. This makes the configuration more resilient to potential race conditions related to the repository's creation.

  depends_on = [module.tf_cloud_builder]
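As an added illustration (not the PR's diff or the project's own code) of the two ordering points raised above: the KMS binding in the retry log fails because the Cloud Storage service agent it grants to does not exist yet, and an IAM grant on the Artifact Registry repository should depend on the module that actually creates that repository. Project ids, variable names and the module output name are assumptions.

```hcl
# Added example, not the PR's own code. Project ids, variable names and the
# tf_cloud_builder output name are assumptions for illustration.

# Reading this data source is what provisions the Cloud Storage service agent
# (service-<PROJECT_NUMBER>@gs-project-accounts.iam.gserviceaccount.com) in a
# fresh project. Granting to that agent before it exists fails with
# "Service account ... does not exist", which is what triggered the retry.
data "google_storage_project_service_account" "gcs_account" {
  project = var.seed_project_id
}

resource "google_kms_key_ring" "keyring" {
  project  = var.seed_project_id
  name     = "kbv-keyring"
  location = "us-central1"
}

resource "google_kms_crypto_key" "key" {
  name     = "kbv-key"
  key_ring = google_kms_key_ring.keyring.id
}

# Least privilege: only the decrypter role, only for the one agent that needs it.
# The interpolation of email_address makes Terraform read the data source
# (and so create the agent) before this binding is applied.
resource "google_kms_crypto_key_iam_member" "gcs_decrypter" {
  crypto_key_id = google_kms_crypto_key.key.id
  role          = "roles/cloudkms.cryptoKeyDecrypter"
  member        = "serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"
}

# Reviewer's point: the reader grant targets a repository created by
# module.tf_cloud_builder, so depend on that module directly rather than on
# module.tf_source, which it only transitively depends on.
resource "google_artifact_registry_repository_iam_member" "reader" {
  project    = var.cicd_project_id
  location   = var.default_region
  repository = module.tf_cloud_builder.artifact_repo # assumed output name
  role       = "roles/artifactregistry.reader"
  member     = "serviceAccount:${google_service_account.terraform_env_sa.email}"

  depends_on = [module.tf_cloud_builder]
}
```

On a retry after a partial apply, the data source is re-read before the binding, so the grant no longer races the creation of the principal it names.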

@apeabody apeabody merged commit e33e8ef into terraform-google-modules:main Oct 6, 2025
7 checks passed