Add per module requirements to project-factory

Zheng Qin · Zheng Qin · commit 6cc8aad2df6f · 2025-07-15T17:12:47.000-04:00
diff --git a/.terraform.lock b/.terraform.lock
diff --git a/Makefile b/Makefile
@@ -18,7 +18,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
 
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.25
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.25.4
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
 
@@ -94,7 +94,7 @@ docker_generate_docs:
 		-e ENABLE_BPMETADATA=1 \
 		-v "${CURDIR}":/workspace \
 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
-		/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs'
+		/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs --per-module-requirements'
 
 # Alias for backwards compatibility
 .PHONY: generate_docs
diff --git a/metadata.yaml b/metadata.yaml
@@ -359,40 +359,17 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/accesscontextmanager.policyAdmin
-          - roles/resourcemanager.organizationViewer
-          - roles/resourcemanager.tagAdmin
-          - roles/resourcemanager.tagUser
-      - level: Project
-        roles:
-          - roles/resourcemanager.projectCreator
-          - roles/resourcemanager.folderAdmin
-          - roles/resourcemanager.folderIamAdmin
-          - roles/billing.projectManager
-          - roles/compute.xpnAdmin
-      - level: Project
-        roles:
-          - roles/compute.admin
+          - roles/serviceusage.serviceUsageAdmin
+          - roles/billing.user
           - roles/iam.serviceAccountAdmin
-          - roles/resourcemanager.projectIamAdmin
-          - roles/storage.admin
           - roles/iam.serviceAccountUser
-          - roles/billing.projectManager
+          - roles/logging.logWriter
+          - roles/resourcemanager.organizationAdmin
     services:
-      - admin.googleapis.com
-      - appengine.googleapis.com
       - cloudbilling.googleapis.com
       - cloudresourcemanager.googleapis.com
-      - compute.googleapis.com
       - iam.googleapis.com
-      - iamcredentials.googleapis.com
-      - oslogin.googleapis.com
       - serviceusage.googleapis.com
-      - billingbudgets.googleapis.com
-      - pubsub.googleapis.com
-      - accesscontextmanager.googleapis.com
-      - essentialcontacts.googleapis.com
-      - serviceconsumermanagement.googleapis.com
     providerVersions:
       - source: hashicorp/google
         version: ">= 5.41, < 7"
diff --git a/modules/budget/metadata.yaml b/modules/budget/metadata.yaml
@@ -122,40 +122,11 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/accesscontextmanager.policyAdmin
-          - roles/resourcemanager.organizationViewer
-          - roles/resourcemanager.tagAdmin
-          - roles/resourcemanager.tagUser
-      - level: Project
-        roles:
-          - roles/resourcemanager.projectCreator
-          - roles/resourcemanager.folderAdmin
-          - roles/resourcemanager.folderIamAdmin
-          - roles/billing.projectManager
-          - roles/compute.xpnAdmin
-      - level: Project
-        roles:
-          - roles/compute.admin
-          - roles/iam.serviceAccountAdmin
-          - roles/resourcemanager.projectIamAdmin
-          - roles/storage.admin
-          - roles/iam.serviceAccountUser
-          - roles/billing.projectManager
+          - roles/billing.budgetAdmin
+          - roles/logging.logWriter
     services:
-      - admin.googleapis.com
-      - appengine.googleapis.com
-      - cloudbilling.googleapis.com
-      - cloudresourcemanager.googleapis.com
-      - compute.googleapis.com
-      - iam.googleapis.com
-      - iamcredentials.googleapis.com
-      - oslogin.googleapis.com
-      - serviceusage.googleapis.com
       - billingbudgets.googleapis.com
-      - pubsub.googleapis.com
-      - accesscontextmanager.googleapis.com
-      - essentialcontacts.googleapis.com
-      - serviceconsumermanagement.googleapis.com
+      - serviceusage.googleapis.com
     providerVersions:
       - source: hashicorp/google
         version: ">= 4.28, < 7"
diff --git a/modules/essential_contacts/metadata.yaml b/modules/essential_contacts/metadata.yaml
@@ -79,40 +79,11 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/accesscontextmanager.policyAdmin
-          - roles/resourcemanager.organizationViewer
-          - roles/resourcemanager.tagAdmin
-          - roles/resourcemanager.tagUser
-      - level: Project
-        roles:
-          - roles/resourcemanager.projectCreator
-          - roles/resourcemanager.folderAdmin
-          - roles/resourcemanager.folderIamAdmin
-          - roles/billing.projectManager
-          - roles/compute.xpnAdmin
-      - level: Project
-        roles:
-          - roles/compute.admin
-          - roles/iam.serviceAccountAdmin
-          - roles/resourcemanager.projectIamAdmin
-          - roles/storage.admin
-          - roles/iam.serviceAccountUser
-          - roles/billing.projectManager
+          - roles/essentialcontacts.configEditor
+          - roles/logging.logWriter
     services:
-      - admin.googleapis.com
-      - appengine.googleapis.com
-      - cloudbilling.googleapis.com
-      - cloudresourcemanager.googleapis.com
-      - compute.googleapis.com
-      - iam.googleapis.com
-      - iamcredentials.googleapis.com
-      - oslogin.googleapis.com
-      - serviceusage.googleapis.com
-      - billingbudgets.googleapis.com
-      - pubsub.googleapis.com
-      - accesscontextmanager.googleapis.com
       - essentialcontacts.googleapis.com
-      - serviceconsumermanagement.googleapis.com
+      - serviceusage.googleapis.com
     providerVersions:
       - source: hashicorp/google
         version: ">= 3.43, < 7"
diff --git a/modules/fabric-project/metadata.yaml b/modules/fabric-project/metadata.yaml
@@ -153,40 +153,11 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/accesscontextmanager.policyAdmin
-          - roles/resourcemanager.organizationViewer
-          - roles/resourcemanager.tagAdmin
-          - roles/resourcemanager.tagUser
-      - level: Project
-        roles:
-          - roles/resourcemanager.projectCreator
-          - roles/resourcemanager.folderAdmin
-          - roles/resourcemanager.folderIamAdmin
-          - roles/billing.projectManager
-          - roles/compute.xpnAdmin
-      - level: Project
-        roles:
-          - roles/compute.admin
-          - roles/iam.serviceAccountAdmin
           - roles/resourcemanager.projectIamAdmin
-          - roles/storage.admin
-          - roles/iam.serviceAccountUser
-          - roles/billing.projectManager
+          - roles/logging.logWriter
     services:
-      - admin.googleapis.com
-      - appengine.googleapis.com
-      - cloudbilling.googleapis.com
       - cloudresourcemanager.googleapis.com
-      - compute.googleapis.com
-      - iam.googleapis.com
-      - iamcredentials.googleapis.com
-      - oslogin.googleapis.com
       - serviceusage.googleapis.com
-      - billingbudgets.googleapis.com
-      - pubsub.googleapis.com
-      - accesscontextmanager.googleapis.com
-      - essentialcontacts.googleapis.com
-      - serviceconsumermanagement.googleapis.com
     providerVersions:
       - source: hashicorp/google
         version: ">= 5.41, < 7"
diff --git a/modules/gsuite_enabled/metadata.yaml b/modules/gsuite_enabled/metadata.yaml
@@ -250,40 +250,11 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/accesscontextmanager.policyAdmin
-          - roles/resourcemanager.organizationViewer
-          - roles/resourcemanager.tagAdmin
-          - roles/resourcemanager.tagUser
-      - level: Project
-        roles:
-          - roles/resourcemanager.projectCreator
-          - roles/resourcemanager.folderAdmin
-          - roles/resourcemanager.folderIamAdmin
-          - roles/billing.projectManager
-          - roles/compute.xpnAdmin
-      - level: Project
-        roles:
-          - roles/compute.admin
-          - roles/iam.serviceAccountAdmin
-          - roles/resourcemanager.projectIamAdmin
-          - roles/storage.admin
-          - roles/iam.serviceAccountUser
-          - roles/billing.projectManager
+          - roles/logging.logWriter
+          - roles/cloudidentity.groupMemberAdmin
     services:
-      - admin.googleapis.com
-      - appengine.googleapis.com
-      - cloudbilling.googleapis.com
-      - cloudresourcemanager.googleapis.com
-      - compute.googleapis.com
-      - iam.googleapis.com
-      - iamcredentials.googleapis.com
-      - oslogin.googleapis.com
+      - cloudidentity.googleapis.com
       - serviceusage.googleapis.com
-      - billingbudgets.googleapis.com
-      - pubsub.googleapis.com
-      - accesscontextmanager.googleapis.com
-      - essentialcontacts.googleapis.com
-      - serviceconsumermanagement.googleapis.com
     providerVersions:
       - source: DeviaVir/gsuite
         version: ~> 0.1
diff --git a/modules/project_services/metadata.yaml b/modules/project_services/metadata.yaml
@@ -104,40 +104,10 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/accesscontextmanager.policyAdmin
-          - roles/resourcemanager.organizationViewer
-          - roles/resourcemanager.tagAdmin
-          - roles/resourcemanager.tagUser
-      - level: Project
-        roles:
-          - roles/resourcemanager.projectCreator
-          - roles/resourcemanager.folderAdmin
-          - roles/resourcemanager.folderIamAdmin
-          - roles/billing.projectManager
-          - roles/compute.xpnAdmin
-      - level: Project
-        roles:
-          - roles/compute.admin
-          - roles/iam.serviceAccountAdmin
-          - roles/resourcemanager.projectIamAdmin
-          - roles/storage.admin
-          - roles/iam.serviceAccountUser
-          - roles/billing.projectManager
+          - roles/logging.logWriter
+          - roles/serviceusage.serviceUsageAdmin
     services:
-      - admin.googleapis.com
-      - appengine.googleapis.com
-      - cloudbilling.googleapis.com
-      - cloudresourcemanager.googleapis.com
-      - compute.googleapis.com
-      - iam.googleapis.com
-      - iamcredentials.googleapis.com
-      - oslogin.googleapis.com
       - serviceusage.googleapis.com
-      - billingbudgets.googleapis.com
-      - pubsub.googleapis.com
-      - accesscontextmanager.googleapis.com
-      - essentialcontacts.googleapis.com
-      - serviceconsumermanagement.googleapis.com
     providerVersions:
       - source: hashicorp/google
         version: ">= 3.43, < 7"
diff --git a/modules/quota_manager/metadata.yaml b/modules/quota_manager/metadata.yaml
@@ -79,40 +79,10 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/accesscontextmanager.policyAdmin
-          - roles/resourcemanager.organizationViewer
-          - roles/resourcemanager.tagAdmin
-          - roles/resourcemanager.tagUser
-      - level: Project
-        roles:
-          - roles/resourcemanager.projectCreator
-          - roles/resourcemanager.folderAdmin
-          - roles/resourcemanager.folderIamAdmin
-          - roles/billing.projectManager
-          - roles/compute.xpnAdmin
-      - level: Project
-        roles:
-          - roles/compute.admin
-          - roles/iam.serviceAccountAdmin
-          - roles/resourcemanager.projectIamAdmin
-          - roles/storage.admin
-          - roles/iam.serviceAccountUser
-          - roles/billing.projectManager
+          - roles/serviceusage.quotaViewer
+          - roles/logging.logWriter
     services:
-      - admin.googleapis.com
-      - appengine.googleapis.com
-      - cloudbilling.googleapis.com
-      - cloudresourcemanager.googleapis.com
-      - compute.googleapis.com
-      - iam.googleapis.com
-      - iamcredentials.googleapis.com
-      - oslogin.googleapis.com
       - serviceusage.googleapis.com
-      - billingbudgets.googleapis.com
-      - pubsub.googleapis.com
-      - accesscontextmanager.googleapis.com
-      - essentialcontacts.googleapis.com
-      - serviceconsumermanagement.googleapis.com
     providerVersions:
       - source: hashicorp/google-beta
         version: ">= 4.11, < 7"
diff --git a/modules/shared_vpc_access/metadata.yaml b/modules/shared_vpc_access/metadata.yaml
@@ -106,40 +106,12 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/accesscontextmanager.policyAdmin
-          - roles/resourcemanager.organizationViewer
-          - roles/resourcemanager.tagAdmin
-          - roles/resourcemanager.tagUser
-      - level: Project
-        roles:
-          - roles/resourcemanager.projectCreator
-          - roles/resourcemanager.folderAdmin
-          - roles/resourcemanager.folderIamAdmin
-          - roles/billing.projectManager
-          - roles/compute.xpnAdmin
-      - level: Project
-        roles:
-          - roles/compute.admin
-          - roles/iam.serviceAccountAdmin
-          - roles/resourcemanager.projectIamAdmin
-          - roles/storage.admin
+          - roles/compute.networkUser
           - roles/iam.serviceAccountUser
-          - roles/billing.projectManager
+          - roles/logging.logWriter
     services:
-      - admin.googleapis.com
-      - appengine.googleapis.com
-      - cloudbilling.googleapis.com
-      - cloudresourcemanager.googleapis.com
       - compute.googleapis.com
-      - iam.googleapis.com
-      - iamcredentials.googleapis.com
-      - oslogin.googleapis.com
       - serviceusage.googleapis.com
-      - billingbudgets.googleapis.com
-      - pubsub.googleapis.com
-      - accesscontextmanager.googleapis.com
-      - essentialcontacts.googleapis.com
-      - serviceconsumermanagement.googleapis.com
     providerVersions:
       - source: hashicorp/google
         version: ">= 3.43, < 7"
diff --git a/modules/svpc_service_project/metadata.yaml b/modules/svpc_service_project/metadata.yaml
diff --git a/test/setup/iam.tf b/test/setup/iam.tf
diff --git a/test/setup/main.tf b/test/setup/main.tf
