From 99db6511f320c166f2cae0c4cd3e98e06e8c61da Mon Sep 17 00:00:00 2001
From: Abhishek Tiwari <abhiwa@google.com>
Date: Thu, 23 Jan 2025 20:50:24 +0000
Subject: [PATCH 1/4] feat: create service account as part of instance template
 module

---
 .../simple_with_sa_creation/README.md         | 25 ++++++++++
 .../simple_with_sa_creation/main.tf           | 47 +++++++++++++++++++
 .../simple_with_sa_creation/outputs.tf        | 26 ++++++++++
 .../simple_with_sa_creation/variables.tf      | 32 +++++++++++++
 modules/instance_template/README.md           |  5 +-
 modules/instance_template/main.tf             | 36 +++++++++++++-
 .../instance_template/metadata.display.yaml   |  9 ++++
 modules/instance_template/metadata.yaml       | 13 ++++-
 modules/instance_template/outputs.tf          |  5 ++
 modules/instance_template/variables.tf        | 13 +++++
 10 files changed, 208 insertions(+), 3 deletions(-)
 create mode 100644 examples/instance_template/simple_with_sa_creation/README.md
 create mode 100644 examples/instance_template/simple_with_sa_creation/main.tf
 create mode 100644 examples/instance_template/simple_with_sa_creation/outputs.tf
 create mode 100644 examples/instance_template/simple_with_sa_creation/variables.tf

diff --git a/examples/instance_template/simple_with_sa_creation/README.md b/examples/instance_template/simple_with_sa_creation/README.md
new file mode 100644
index 00000000..70365182
--- /dev/null
+++ b/examples/instance_template/simple_with_sa_creation/README.md
@@ -0,0 +1,25 @@
+# instance-template-simple
+
+This is a simple, minimal example of how to use the instance_template module.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| enable\_nested\_virtualization | Defines whether the instance should have nested virtualization enabled. | `bool` | `false` | no |
+| labels | Labels, provided as a map | `map(string)` | n/a | yes |
+| project\_id | The GCP project to use for integration tests | `string` | n/a | yes |
+| region | The GCP region to create and test resources in | `string` | `"us-central1"` | no |
+| subnetwork | The name of the subnetwork create this instance in. | `string` | `""` | no |
+| tags | Network tags, provided as a list | `list(string)` | n/a | yes |
+| threads\_per\_core | The number of threads per physical core. To disable simultaneous multithreading (SMT) set this to 1. | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| name | Name of the instance templates |
+| self\_link | Self-link to the instance template |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/examples/instance_template/simple_with_sa_creation/main.tf b/examples/instance_template/simple_with_sa_creation/main.tf
new file mode 100644
index 00000000..a704acdb
--- /dev/null
+++ b/examples/instance_template/simple_with_sa_creation/main.tf
@@ -0,0 +1,47 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+provider "google" {
+
+  project = var.project_id
+  region  = "us-central1"
+}
+
+resource "google_compute_address" "ip_address" {
+  name = "external-ip"
+}
+
+locals {
+  access_config = {
+    nat_ip       = google_compute_address.ip_address.address
+    network_tier = "PREMIUM"
+  }
+}
+
+module "instance_template" {
+  source = "../../../modules/instance_template"
+
+  project_id                   = var.project_id
+  region                       = "us-central1"
+  subnetwork                   = ""
+  stack_type                   = "IPV4_ONLY"
+  name_prefix                  = "simple"
+  tags                         = var.tags
+  labels                       = var.labels
+  access_config                = [local.access_config]
+  enable_nested_virtualization = false
+  threads_per_core             = null
+}
diff --git a/examples/instance_template/simple_with_sa_creation/outputs.tf b/examples/instance_template/simple_with_sa_creation/outputs.tf
new file mode 100644
index 00000000..8d7a828d
--- /dev/null
+++ b/examples/instance_template/simple_with_sa_creation/outputs.tf
@@ -0,0 +1,26 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "self_link" {
+  description = "Self-link to the instance template"
+  value       = module.instance_template.self_link
+}
+
+output "name" {
+  description = "Name of the instance templates"
+  value       = module.instance_template.name
+}
+
diff --git a/examples/instance_template/simple_with_sa_creation/variables.tf b/examples/instance_template/simple_with_sa_creation/variables.tf
new file mode 100644
index 00000000..45e742b5
--- /dev/null
+++ b/examples/instance_template/simple_with_sa_creation/variables.tf
@@ -0,0 +1,32 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+
+variable "project_id" {
+  description = "The GCP project to use for integration tests"
+  type        = string
+}
+
+variable "tags" {
+  type        = list(string)
+  description = "Network tags, provided as a list"
+}
+
+variable "labels" {
+  type        = map(string)
+  description = "Labels, provided as a map"
+}
diff --git a/modules/instance_template/README.md b/modules/instance_template/README.md
index d502b066..a3cce1ae 100644
--- a/modules/instance_template/README.md
+++ b/modules/instance_template/README.md
@@ -21,6 +21,7 @@ See the [simple](../../examples/instance_template/simple) for a usage example.
 | automatic\_restart | (Optional) Specifies whether the instance should be automatically restarted if it is terminated by Compute Engine (not terminated by a user). | `bool` | `true` | no |
 | can\_ip\_forward | Enable IP forwarding, for NAT instances for example | `string` | `"false"` | no |
 | confidential\_instance\_type | Defines the confidential computing technology the instance uses. If this is set to "SEV\_SNP", var.min\_cpu\_platform will be automatically set to "AMD Milan". See https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#confidential_instance_type. | `string` | `null` | no |
+| create\_service\_account | Create a new service account to attach to the instance. This is alternate to providing the service\_account input variable. Please provide the service\_account input if setting this to false! | `bool` | `true` | no |
 | description | The template's description | `string` | `""` | no |
 | disk\_encryption\_key | The id of the encryption key that is stored in Google Cloud KMS to use to encrypt all the disks on this instance | `string` | `null` | no |
 | disk\_labels | Labels to be assigned to boot disk, provided as a map | `map(string)` | `{}` | no |
@@ -47,7 +48,8 @@ See the [simple](../../examples/instance_template/simple) for a usage example.
 | project\_id | The GCP project ID | `string` | n/a | yes |
 | region | Region where the instance template should be created. | `string` | n/a | yes |
 | resource\_policies | A list of self\_links of resource policies to attach to the instance. Modifying this list will cause the instance to recreate. Currently a max of 1 resource policy is supported. | `list(string)` | `[]` | no |
-| service\_account | Service account to attach to the instance. See https://www.terraform.io/docs/providers/google/r/compute_instance_template#service_account. | <pre>object({<br>    email  = string<br>    scopes = optional(set(string), ["cloud-platform"])<br>  })</pre> | n/a | yes |
+| service\_account | Service account to attach to the instance. See https://www.terraform.io/docs/providers/google/r/compute_instance_template#service_account. | <pre>object({<br>    email  = string<br>    scopes = optional(set(string), ["cloud-platform"])<br>  })</pre> | `null` | no |
+| service\_account\_project\_roles | Roles to grant to the newly created cloud run SA in specified project. Should be used with create\_service\_account set to true and no input for service\_account | `list(string)` | `[]` | no |
 | shielded\_instance\_config | Not used unless enable\_shielded\_vm is true. Shielded VM configuration for the instance. | <pre>object({<br>    enable_secure_boot          = bool<br>    enable_vtpm                 = bool<br>    enable_integrity_monitoring = bool<br>  })</pre> | <pre>{<br>  "enable_integrity_monitoring": true,<br>  "enable_secure_boot": true,<br>  "enable_vtpm": true<br>}</pre> | no |
 | source\_image | Source disk image. If neither source\_image nor source\_image\_family is specified, defaults to the latest public Rocky Linux 9 optimized for GCP image. | `string` | `""` | no |
 | source\_image\_family | Source image family. If neither source\_image nor source\_image\_family is specified, defaults to the latest public Rocky Linux 9 optimized for GCP image. | `string` | `"rocky-linux-9-optimized-gcp"` | no |
@@ -69,6 +71,7 @@ See the [simple](../../examples/instance_template/simple) for a usage example.
 | name | Name of instance template |
 | self\_link | Self-link of instance template |
 | self\_link\_unique | Unique self-link of instance template (recommended output to use instead of self\_link) |
+| service\_account\_info | Service account id and email |
 | tags | Tags that will be associated with instance(s) |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/instance_template/main.tf b/modules/instance_template/main.tf
index 5c5917bb..841dd9a2 100644
--- a/modules/instance_template/main.tf
+++ b/modules/instance_template/main.tf
@@ -63,6 +63,40 @@ locals {
     # must be true when preemtible or spot is true
     var.preemptible || var.spot ? true : false
   )
+
+  service_account = (
+    var.service_account != null
+    ? var.service_account
+    : (
+      var.create_service_account
+      ? { email : google_service_account.sa[0].email, scopes : ["cloud-platform"] }
+      : null
+    )
+  )
+  create_service_account = var.create_service_account ? var.service_account == null : false
+
+  service_account_prefix = substr("${var.name_prefix}-${var.region}", 0, 27)
+  service_account_output = local.create_service_account ? {
+    id     = google_service_account.sa[0].account_id,
+    email  = google_service_account.sa[0].email,
+    member = google_service_account.sa[0].member
+  } : {}
+}
+
+# Service account
+resource "google_service_account" "sa" {
+  count        = local.create_service_account ? 1 : 0
+  project      = var.project_id
+  account_id   = "${local.service_account_prefix}-sa"
+  display_name = "Service account for ${var.name_prefix} in ${var.region}"
+}
+
+resource "google_project_iam_member" "roles" {
+  for_each = toset(distinct(var.service_account_project_roles))
+
+  project = var.project_id
+  role    = each.value
+  member  = "serviceAccount:${local.service_account.email}"
 }
 
 ####################
@@ -111,7 +145,7 @@ resource "google_compute_instance_template" "tpl" {
   }
 
   dynamic "service_account" {
-    for_each = var.service_account == null ? [] : [var.service_account]
+    for_each = local.service_account == null ? [] : [local.service_account]
     content {
       email  = lookup(service_account.value, "email", null)
       scopes = lookup(service_account.value, "scopes", null)
diff --git a/modules/instance_template/metadata.display.yaml b/modules/instance_template/metadata.display.yaml
index 90917235..00452c9e 100644
--- a/modules/instance_template/metadata.display.yaml
+++ b/modules/instance_template/metadata.display.yaml
@@ -58,6 +58,12 @@ spec:
         confidential_instance_type:
           name: confidential_instance_type
           title: Confidential Instance Type
+        create_new_service_account:
+          name: create_new_service_account
+          title: Create New Service Account
+        create_service_account:
+          name: create_service_account
+          title: Create Service Account
         description:
           name: description
           title: Description
@@ -158,6 +164,9 @@ spec:
         service_account:
           name: service_account
           title: Service Account
+        service_account_project_roles:
+          name: service_account_project_roles
+          title: Service Account Project Roles
         shielded_instance_config:
           name: shielded_instance_config
           title: Shielded Instance Config
diff --git a/modules/instance_template/metadata.yaml b/modules/instance_template/metadata.yaml
index 0cb961b6..3fcf55db 100644
--- a/modules/instance_template/metadata.yaml
+++ b/modules/instance_template/metadata.yaml
@@ -74,6 +74,8 @@ spec:
         location: examples/preemptible_and_regular_instance_templates/simple
       - name: simple
         location: examples/umig/simple
+      - name: simple_with_sa_creation
+        location: examples/instance_template/simple_with_sa_creation
       - name: static_ips
         location: examples/umig/static_ips
       - name: tags
@@ -292,7 +294,6 @@ spec:
               email  = string
               scopes = optional(set(string), ["cloud-platform"])
             })
-        required: true
         connections:
           - source:
               source: github.com/terraform-google-modules/terraform-google-service-accounts//modules/simple-sa
@@ -300,6 +301,14 @@ spec:
             spec:
               outputExpr: email
               inputPath: email
+      - name: create_service_account
+        description: Create a new service account to attach to the instance. This is alternate to providing the service_account input variable. Please provide the service_account input if setting this to false!
+        varType: bool
+        defaultValue: true
+      - name: service_account_project_roles
+        description: Roles to grant to the newly created cloud run SA in specified project. Should be used with create_service_account set to true and no input for service_account
+        varType: list(string)
+        defaultValue: []
       - name: enable_shielded_vm
         description: Whether to enable the Shielded VM configuration on the instance. Note that the instance image must support Shielded VMs. See https://cloud.google.com/compute/docs/images
         varType: bool
@@ -365,6 +374,8 @@ spec:
       - name: self_link_unique
         description: Unique self-link of instance template (recommended output to use instead of self_link)
         type: string
+      - name: service_account_info
+        description: Service account id and email
       - name: tags
         description: Tags that will be associated with instance(s)
         type:
diff --git a/modules/instance_template/outputs.tf b/modules/instance_template/outputs.tf
index aea1b3d7..0171fb9c 100644
--- a/modules/instance_template/outputs.tf
+++ b/modules/instance_template/outputs.tf
@@ -33,3 +33,8 @@ output "tags" {
   description = "Tags that will be associated with instance(s)"
   value       = google_compute_instance_template.tpl.tags
 }
+
+output "service_account_info" {
+  description = "Service account id and email"
+  value       = local.service_account_output
+}
diff --git a/modules/instance_template/variables.tf b/modules/instance_template/variables.tf
index 1819c27b..841b3fcc 100644
--- a/modules/instance_template/variables.tf
+++ b/modules/instance_template/variables.tf
@@ -328,6 +328,19 @@ variable "service_account" {
     scopes = optional(set(string), ["cloud-platform"])
   })
   description = "Service account to attach to the instance. See https://www.terraform.io/docs/providers/google/r/compute_instance_template#service_account."
+  default     = null
+}
+
+variable "create_service_account" {
+  type        = bool
+  description = "Create a new service account to attach to the instance. This is alternate to providing the service_account input variable. Please provide the service_account input if setting this to false!"
+  default     = true
+}
+
+variable "service_account_project_roles" {
+  type        = list(string)
+  description = "Roles to grant to the newly created cloud run SA in specified project. Should be used with create_service_account set to true and no input for service_account"
+  default     = []
 }
 
 ###########################

From 84d0b8c66bec860cd3bd26870a1e3bf10b39de63 Mon Sep 17 00:00:00 2001
From: Abhishek Tiwari <abhiwa@google.com>
Date: Sat, 25 Jan 2025 06:11:53 +0000
Subject: [PATCH 2/4] Add test for simple instance template with sa craetion

---
 build/int.cloudbuild.yaml                     | 463 +++++++++---------
 .../simple_with_sa_creation/README.md         |  25 -
 .../simple_with_sa_creation/main.tf           |  47 --
 examples/it_simple_with_sa_creation/README.md |  20 +
 examples/it_simple_with_sa_creation/main.tf   |  71 +++
 .../outputs.tf                                |   4 +
 .../variables.tf                              |  10 -
 metadata.yaml                                 |   4 +
 modules/compute_disk_snapshot/metadata.yaml   |   4 +
 modules/compute_instance/metadata.yaml        |   4 +
 modules/instance_template/metadata.yaml       |   8 +-
 modules/instance_template/versions.tf         |   5 +
 modules/mig/metadata.yaml                     |   4 +
 modules/mig_with_percent/metadata.yaml        |   4 +
 .../metadata.yaml                             |   4 +
 modules/umig/metadata.yaml                    |   4 +
 .../it_simple_with_sa_creation_test.go        |  39 ++
 test/setup/iam.tf                             |   2 +
 18 files changed, 414 insertions(+), 308 deletions(-)
 delete mode 100644 examples/instance_template/simple_with_sa_creation/README.md
 delete mode 100644 examples/instance_template/simple_with_sa_creation/main.tf
 create mode 100644 examples/it_simple_with_sa_creation/README.md
 create mode 100644 examples/it_simple_with_sa_creation/main.tf
 rename examples/{instance_template/simple_with_sa_creation => it_simple_with_sa_creation}/outputs.tf (87%)
 rename examples/{instance_template/simple_with_sa_creation => it_simple_with_sa_creation}/variables.tf (78%)
 create mode 100644 test/integration/it_simple_with_sa_creation/it_simple_with_sa_creation_test.go

diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml
index 20c85309..590132ec 100644
--- a/build/int.cloudbuild.yaml
+++ b/build/int.cloudbuild.yaml
@@ -29,235 +29,250 @@ steps:
       - prepare
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run all --stage init --verbose']
-- id: create-all
-  wait_for:
-    - init-all
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create']
-- id: converge-it-simple-local
-  wait_for:
-    - create-all
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge it-simple-local']
-- id: verify-it-simple-local
-  wait_for:
-    - converge-it-simple-local
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify it-simple-local']
-- id: destroy-it-simple-local
-  wait_for:
-    - verify-it-simple-local
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy it-simple-local']
-- id: converge-it-additional-disks-local
-  wait_for:
-    - create-all
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge it-additional-disks-local']
-- id: verify-it-additional-disks-local
-  wait_for:
-    - converge-it-additional-disks-local
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify it-additional-disks-local']
-- id: destroy-it-additional-disks-local
-  wait_for:
-    - verify-it-additional-disks-local
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy it-additional-disks-local']
-- id: converge-preemptible-and-regular-instance-templates-simple-local
-  wait_for:
-    - create-all
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge preemptible-and-regular-instance-templates-simple-local']
-- id: verify-preemptible-and-regular-instance-templates-simple-local
-  wait_for:
-    - converge-preemptible-and-regular-instance-templates-simple-local
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify preemptible-and-regular-instance-templates-simple-local']
-- id: destroy-preemptible-and-regular-instance-templates-simple-local
-  wait_for:
-    - verify-preemptible-and-regular-instance-templates-simple-local
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy preemptible-and-regular-instance-templates-simple-local']
-- id: go-init-instance-simple
-  waitFor:
-    - create-all
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cd test/integration && RUN_STAGE=init go test -v -run TestInstanceSimpleModule ./... -p 1']
-- id: go-apply-instance-simple
-  waitFor:
-    - go-init-instance-simple
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cd test/integration && RUN_STAGE=apply go test -v -run TestInstanceSimpleModule ./... -p 1']
-  timeout: 3600s
-- id: go-verify-instance-simple
-  waitFor:
-    - go-apply-instance-simple
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cd test/integration && RUN_STAGE=verify go test -v -run TestInstanceSimpleModule ./... -p 1']
-- id: go-destroy-instance-simple
-  waitFor:
-    - go-verify-instance-simple
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cd test/integration && RUN_STAGE=teardown go test -v -run TestInstanceSimpleModule ./... -p 1']
-  timeout: 1800s
-- id: converge-mig-simple-local
-  wait_for:
-    - create-all
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge mig-simple-local']
-- id: verify-mig-simple-local
-  wait_for:
-    - converge-mig-simple-local
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify mig-simple-local']
-- id: destroy-mig-simple-local
-  wait_for:
-    - verify-mig-simple-local
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy mig-simple-local']
-- id: create-mig-autoscaler-local
-  wait_for:
-    - destroy-it-simple-local
-    - destroy-it-additional-disks-local
-    - destroy-preemptible-and-regular-instance-templates-simple-local
-    - go-destroy-instance-simple
-    - destroy-mig-simple-local
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create mig-autoscaler-local']
-- id: converge-mig-autoscaler-local
-  wait_for:
-    - create-mig-autoscaler-local
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge mig-autoscaler-local']
-- id: verify-mig-autoscaler-local
-  wait_for:
-    - converge-mig-autoscaler-local
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify mig-autoscaler-local']
-- id: destroy-mig-autoscaler-local
-  wait_for:
-    - verify-mig-autoscaler-local
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy mig-autoscaler-local']
-- id: create-umig-simple-local
-  wait_for:
-    - destroy-it-simple-local
-    - destroy-it-additional-disks-local
-    - destroy-preemptible-and-regular-instance-templates-simple-local
-    - go-destroy-instance-simple
-    - destroy-mig-simple-local
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create umig-simple-local']
-- id: converge-umig-simple-local
-  wait_for:
-    - create-umig-simple-local
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge umig-simple-local']
-- id: verify-umig-simple-local
-  wait_for:
-    - converge-umig-simple-local
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify umig-simple-local']
-- id: destroy-umig-simple-local
-  wait_for:
-    - verify-umig-simple-local
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy umig-simple-local']
-- id: create-umig-named-ports-local
-  wait_for:
-    - destroy-it-simple-local
-    - destroy-it-additional-disks-local
-    - destroy-preemptible-and-regular-instance-templates-simple-local
-    - go-destroy-instance-simple
-    - destroy-mig-simple-local
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create umig-named-ports-local']
-- id: converge-umig-named-ports-local
-  wait_for:
-    - create-umig-named-ports-local
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge umig-named-ports-local']
-- id: verify-umig-named-ports-local
-  wait_for:
-    - converge-umig-named-ports-local
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify umig-named-ports-local']
-- id: destroy-umig-named-ports-local
-  wait_for:
-    - verify-umig-named-ports-local
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy umig-named-ports-local']
-- id: create-umig-static-ips-local
-  wait_for:
-    - destroy-it-simple-local
-    - destroy-it-additional-disks-local
-    - destroy-preemptible-and-regular-instance-templates-simple-local
-    - go-destroy-instance-simple
-    - destroy-mig-simple-local
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create umig-static-ips-local']
-- id: converge-umig-static-ips-local
-  wait_for:
-    - create-umig-static-ips-local
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge umig-static-ips-local']
-- id: verify-umig-static-ips-local
-  wait_for:
-    - converge-umig-static-ips-local
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify umig-static-ips-local']
-- id: destroy-umig-static-ips-local
-  wait_for:
-    - verify-umig-static-ips-local
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy umig-static-ips-local']
-- id: create-mig-with-percent-simple-local
-  wait_for:
-    - destroy-it-simple-local
-    - destroy-it-additional-disks-local
-    - destroy-preemptible-and-regular-instance-templates-simple-local
-    - go-destroy-instance-simple
-    - destroy-mig-simple-local
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create mig-with-percent-simple-local']
-- id: converge-mig-with-percent-simple-local
-  wait_for:
-    - create-mig-with-percent-simple-local
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge mig-with-percent-simple-local']
-- id: verify-mig-with-percent-simple-local
-  wait_for:
-    - converge-mig-with-percent-simple-local
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify mig-with-percent-simple-local']
-- id: destroy-mig-with-percent-simple-local
-  wait_for:
-    - verify-mig-with-percent-simple-local
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy mig-with-percent-simple-local']
-- id: go-init-statful-mig
-  waitFor:
-    - create-all
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cft test run TestMigStatefulModule --stage create --verbose']
-- id: go-apply-statful-mig
+- id: it-simple-sa-apply
   waitFor:
-    - go-init-statful-mig
+    - init-all
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cft test run TestMigStatefulModule --stage apply --verbose']
-  timeout: 3600s
-- id: go-verify-statful-mig
+  args: ['/bin/bash', '-c', 'cft test run TestInstanceTemplateSimpleSAModule --stage apply --verbose']
+- id: it-simple-sa-verify
   waitFor:
-    - go-apply-statful-mig
+    - it-simple-sa-apply
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cft test run TestMigStatefulModule --stage verify --verbose']
-- id: go-destroy-statful-mig
+  args: ['/bin/bash', '-c', 'cft test run TestInstanceTemplateSimpleSAModule --stage verify --verbose']
+- id: it-simple-sa-destroy
   waitFor:
-    - go-verify-statful-mig
-  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-  args: ['/bin/bash', '-c', 'cft test run TestMigStatefulModule --stage destroy --verbose']
-  timeout: 1800s
+    - it-simple-sa-verify
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestInstanceTemplateSimpleSAModule --stage destroy --verbose']
+# - id: create-all
+#   wait_for:
+#     - init-all
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create']
+# - id: converge-it-simple-local
+#   wait_for:
+#     - create-all
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge it-simple-local']
+# - id: verify-it-simple-local
+#   wait_for:
+#     - converge-it-simple-local
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify it-simple-local']
+# - id: destroy-it-simple-local
+#   wait_for:
+#     - verify-it-simple-local
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy it-simple-local']
+# - id: converge-it-additional-disks-local
+#   wait_for:
+#     - create-all
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge it-additional-disks-local']
+# - id: verify-it-additional-disks-local
+#   wait_for:
+#     - converge-it-additional-disks-local
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify it-additional-disks-local']
+# - id: destroy-it-additional-disks-local
+#   wait_for:
+#     - verify-it-additional-disks-local
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy it-additional-disks-local']
+# - id: converge-preemptible-and-regular-instance-templates-simple-local
+#   wait_for:
+#     - create-all
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge preemptible-and-regular-instance-templates-simple-local']
+# - id: verify-preemptible-and-regular-instance-templates-simple-local
+#   wait_for:
+#     - converge-preemptible-and-regular-instance-templates-simple-local
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify preemptible-and-regular-instance-templates-simple-local']
+# - id: destroy-preemptible-and-regular-instance-templates-simple-local
+#   wait_for:
+#     - verify-preemptible-and-regular-instance-templates-simple-local
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy preemptible-and-regular-instance-templates-simple-local']
+# - id: go-init-instance-simple
+#   waitFor:
+#     - create-all
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'cd test/integration && RUN_STAGE=init go test -v -run TestInstanceSimpleModule ./... -p 1']
+# - id: go-apply-instance-simple
+#   waitFor:
+#     - go-init-instance-simple
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'cd test/integration && RUN_STAGE=apply go test -v -run TestInstanceSimpleModule ./... -p 1']
+#   timeout: 3600s
+# - id: go-verify-instance-simple
+#   waitFor:
+#     - go-apply-instance-simple
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'cd test/integration && RUN_STAGE=verify go test -v -run TestInstanceSimpleModule ./... -p 1']
+# - id: go-destroy-instance-simple
+#   waitFor:
+#     - go-verify-instance-simple
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'cd test/integration && RUN_STAGE=teardown go test -v -run TestInstanceSimpleModule ./... -p 1']
+#   timeout: 1800s
+# - id: converge-mig-simple-local
+#   wait_for:
+#     - create-all
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge mig-simple-local']
+# - id: verify-mig-simple-local
+#   wait_for:
+#     - converge-mig-simple-local
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify mig-simple-local']
+# - id: destroy-mig-simple-local
+#   wait_for:
+#     - verify-mig-simple-local
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy mig-simple-local']
+# - id: create-mig-autoscaler-local
+#   wait_for:
+#     - destroy-it-simple-local
+#     - destroy-it-additional-disks-local
+#     - destroy-preemptible-and-regular-instance-templates-simple-local
+#     - go-destroy-instance-simple
+#     - destroy-mig-simple-local
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create mig-autoscaler-local']
+# - id: converge-mig-autoscaler-local
+#   wait_for:
+#     - create-mig-autoscaler-local
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge mig-autoscaler-local']
+# - id: verify-mig-autoscaler-local
+#   wait_for:
+#     - converge-mig-autoscaler-local
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify mig-autoscaler-local']
+# - id: destroy-mig-autoscaler-local
+#   wait_for:
+#     - verify-mig-autoscaler-local
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy mig-autoscaler-local']
+# - id: create-umig-simple-local
+#   wait_for:
+#     - destroy-it-simple-local
+#     - destroy-it-additional-disks-local
+#     - destroy-preemptible-and-regular-instance-templates-simple-local
+#     - go-destroy-instance-simple
+#     - destroy-mig-simple-local
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create umig-simple-local']
+# - id: converge-umig-simple-local
+#   wait_for:
+#     - create-umig-simple-local
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge umig-simple-local']
+# - id: verify-umig-simple-local
+#   wait_for:
+#     - converge-umig-simple-local
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify umig-simple-local']
+# - id: destroy-umig-simple-local
+#   wait_for:
+#     - verify-umig-simple-local
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy umig-simple-local']
+# - id: create-umig-named-ports-local
+#   wait_for:
+#     - destroy-it-simple-local
+#     - destroy-it-additional-disks-local
+#     - destroy-preemptible-and-regular-instance-templates-simple-local
+#     - go-destroy-instance-simple
+#     - destroy-mig-simple-local
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create umig-named-ports-local']
+# - id: converge-umig-named-ports-local
+#   wait_for:
+#     - create-umig-named-ports-local
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge umig-named-ports-local']
+# - id: verify-umig-named-ports-local
+#   wait_for:
+#     - converge-umig-named-ports-local
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify umig-named-ports-local']
+# - id: destroy-umig-named-ports-local
+#   wait_for:
+#     - verify-umig-named-ports-local
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy umig-named-ports-local']
+# - id: create-umig-static-ips-local
+#   wait_for:
+#     - destroy-it-simple-local
+#     - destroy-it-additional-disks-local
+#     - destroy-preemptible-and-regular-instance-templates-simple-local
+#     - go-destroy-instance-simple
+#     - destroy-mig-simple-local
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create umig-static-ips-local']
+# - id: converge-umig-static-ips-local
+#   wait_for:
+#     - create-umig-static-ips-local
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge umig-static-ips-local']
+# - id: verify-umig-static-ips-local
+#   wait_for:
+#     - converge-umig-static-ips-local
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify umig-static-ips-local']
+# - id: destroy-umig-static-ips-local
+#   wait_for:
+#     - verify-umig-static-ips-local
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy umig-static-ips-local']
+# - id: create-mig-with-percent-simple-local
+#   wait_for:
+#     - destroy-it-simple-local
+#     - destroy-it-additional-disks-local
+#     - destroy-preemptible-and-regular-instance-templates-simple-local
+#     - go-destroy-instance-simple
+#     - destroy-mig-simple-local
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create mig-with-percent-simple-local']
+# - id: converge-mig-with-percent-simple-local
+#   wait_for:
+#     - create-mig-with-percent-simple-local
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge mig-with-percent-simple-local']
+# - id: verify-mig-with-percent-simple-local
+#   wait_for:
+#     - converge-mig-with-percent-simple-local
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify mig-with-percent-simple-local']
+# - id: destroy-mig-with-percent-simple-local
+#   wait_for:
+#     - verify-mig-with-percent-simple-local
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy mig-with-percent-simple-local']
+# - id: go-init-statful-mig
+#   waitFor:
+#     - create-all
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'cft test run TestMigStatefulModule --stage create --verbose']
+# - id: go-apply-statful-mig
+#   waitFor:
+#     - go-init-statful-mig
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'cft test run TestMigStatefulModule --stage apply --verbose']
+#   timeout: 3600s
+# - id: go-verify-statful-mig
+#   waitFor:
+#     - go-apply-statful-mig
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'cft test run TestMigStatefulModule --stage verify --verbose']
+# - id: go-destroy-statful-mig
+#   waitFor:
+#     - go-verify-statful-mig
+#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+#   args: ['/bin/bash', '-c', 'cft test run TestMigStatefulModule --stage destroy --verbose']
+#   timeout: 1800s
 tags:
 - 'ci'
 - 'integration'
diff --git a/examples/instance_template/simple_with_sa_creation/README.md b/examples/instance_template/simple_with_sa_creation/README.md
deleted file mode 100644
index 70365182..00000000
--- a/examples/instance_template/simple_with_sa_creation/README.md
+++ /dev/null
@@ -1,25 +0,0 @@
-# instance-template-simple
-
-This is a simple, minimal example of how to use the instance_template module.
-
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| enable\_nested\_virtualization | Defines whether the instance should have nested virtualization enabled. | `bool` | `false` | no |
-| labels | Labels, provided as a map | `map(string)` | n/a | yes |
-| project\_id | The GCP project to use for integration tests | `string` | n/a | yes |
-| region | The GCP region to create and test resources in | `string` | `"us-central1"` | no |
-| subnetwork | The name of the subnetwork create this instance in. | `string` | `""` | no |
-| tags | Network tags, provided as a list | `list(string)` | n/a | yes |
-| threads\_per\_core | The number of threads per physical core. To disable simultaneous multithreading (SMT) set this to 1. | `string` | `null` | no |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| name | Name of the instance templates |
-| self\_link | Self-link to the instance template |
-
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/examples/instance_template/simple_with_sa_creation/main.tf b/examples/instance_template/simple_with_sa_creation/main.tf
deleted file mode 100644
index a704acdb..00000000
--- a/examples/instance_template/simple_with_sa_creation/main.tf
+++ /dev/null
@@ -1,47 +0,0 @@
-/**
- * Copyright 2025 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-provider "google" {
-
-  project = var.project_id
-  region  = "us-central1"
-}
-
-resource "google_compute_address" "ip_address" {
-  name = "external-ip"
-}
-
-locals {
-  access_config = {
-    nat_ip       = google_compute_address.ip_address.address
-    network_tier = "PREMIUM"
-  }
-}
-
-module "instance_template" {
-  source = "../../../modules/instance_template"
-
-  project_id                   = var.project_id
-  region                       = "us-central1"
-  subnetwork                   = ""
-  stack_type                   = "IPV4_ONLY"
-  name_prefix                  = "simple"
-  tags                         = var.tags
-  labels                       = var.labels
-  access_config                = [local.access_config]
-  enable_nested_virtualization = false
-  threads_per_core             = null
-}
diff --git a/examples/it_simple_with_sa_creation/README.md b/examples/it_simple_with_sa_creation/README.md
new file mode 100644
index 00000000..abd492e9
--- /dev/null
+++ b/examples/it_simple_with_sa_creation/README.md
@@ -0,0 +1,20 @@
+# instance-template-simple
+
+This is a simple, minimal example of how to use the instance_template module.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| project\_id | The GCP project to use for integration tests | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| name | Name of the instance templates |
+| project\_id | The GCP project to use for integration tests |
+| self\_link | Self-link to the instance template |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/examples/it_simple_with_sa_creation/main.tf b/examples/it_simple_with_sa_creation/main.tf
new file mode 100644
index 00000000..40275d1e
--- /dev/null
+++ b/examples/it_simple_with_sa_creation/main.tf
@@ -0,0 +1,71 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+provider "google" {
+
+  project = var.project_id
+  region  = "us-central1"
+}
+
+resource "google_compute_address" "ip_address" {
+  name = "external-ip"
+}
+
+locals {
+  access_config = {
+    nat_ip       = google_compute_address.ip_address.address
+    network_tier = "PREMIUM"
+  }
+}
+
+resource "random_string" "suffix" {
+  length  = 4
+  special = "false"
+  upper   = "false"
+}
+
+resource "google_compute_network" "main" {
+  project                 = var.project_id
+  name                    = "cft-vm-test-${random_string.suffix.result}"
+  auto_create_subnetworks = "false"
+}
+
+resource "google_compute_subnetwork" "main" {
+  project       = var.project_id
+  region        = "us-central1"
+  name          = "cft-vm-test-${random_string.suffix.result}"
+  ip_cidr_range = "10.128.0.0/20"
+  network       = google_compute_network.main.self_link
+}
+
+module "instance_template" {
+  source  = "terraform-google-modules/vm/google//modules/instance_template"
+  version = "~> 13.0"
+
+  project_id  = var.project_id
+  region      = "us-central1"
+  subnetwork  = google_compute_subnetwork.main.self_link
+  stack_type  = "IPV4_ONLY"
+  name_prefix = "it-simple-sa"
+  tags        = ["foo", "bar", "sa"]
+  labels = {
+    environment = "dev"
+  }
+  access_config                 = [local.access_config]
+  enable_nested_virtualization  = false
+  threads_per_core              = null
+  service_account_project_roles = ["roles/compute.admin"]
+}
diff --git a/examples/instance_template/simple_with_sa_creation/outputs.tf b/examples/it_simple_with_sa_creation/outputs.tf
similarity index 87%
rename from examples/instance_template/simple_with_sa_creation/outputs.tf
rename to examples/it_simple_with_sa_creation/outputs.tf
index 8d7a828d..503f5bed 100644
--- a/examples/instance_template/simple_with_sa_creation/outputs.tf
+++ b/examples/it_simple_with_sa_creation/outputs.tf
@@ -24,3 +24,7 @@ output "name" {
   value       = module.instance_template.name
 }
 
+output "project_id" {
+  description = "The GCP project to use for integration tests"
+  value       = var.project_id
+}
diff --git a/examples/instance_template/simple_with_sa_creation/variables.tf b/examples/it_simple_with_sa_creation/variables.tf
similarity index 78%
rename from examples/instance_template/simple_with_sa_creation/variables.tf
rename to examples/it_simple_with_sa_creation/variables.tf
index 45e742b5..9408e0ea 100644
--- a/examples/instance_template/simple_with_sa_creation/variables.tf
+++ b/examples/it_simple_with_sa_creation/variables.tf
@@ -20,13 +20,3 @@ variable "project_id" {
   description = "The GCP project to use for integration tests"
   type        = string
 }
-
-variable "tags" {
-  type        = list(string)
-  description = "Network tags, provided as a list"
-}
-
-variable "labels" {
-  type        = map(string)
-  description = "Labels, provided as a map"
-}
diff --git a/metadata.yaml b/metadata.yaml
index 43ba4436..42fb4313 100644
--- a/metadata.yaml
+++ b/metadata.yaml
@@ -64,6 +64,8 @@ spec:
         location: examples/umig/full
       - name: healthcheck
         location: examples/mig/healthcheck
+      - name: it_simple_with_sa_creation
+        location: examples/it_simple_with_sa_creation
       - name: mig_stateful
         location: examples/mig_stateful
       - name: multiple_interfaces
@@ -96,7 +98,9 @@ spec:
           - roles/compute.admin
           - roles/compute.networkAdmin
           - roles/iam.serviceAccountUser
+          - roles/iam.serviceAccountAdmin
           - roles/compute.instanceAdmin
+          - roles/resourcemanager.projectIamAdmin
     services:
       - cloudresourcemanager.googleapis.com
       - storage-api.googleapis.com
diff --git a/modules/compute_disk_snapshot/metadata.yaml b/modules/compute_disk_snapshot/metadata.yaml
index fbc58658..47906d3b 100644
--- a/modules/compute_disk_snapshot/metadata.yaml
+++ b/modules/compute_disk_snapshot/metadata.yaml
@@ -54,6 +54,8 @@ spec:
         location: examples/umig/full
       - name: healthcheck
         location: examples/mig/healthcheck
+      - name: it_simple_with_sa_creation
+        location: examples/it_simple_with_sa_creation
       - name: mig_stateful
         location: examples/mig_stateful
       - name: multiple_interfaces
@@ -162,7 +164,9 @@ spec:
           - roles/compute.admin
           - roles/compute.networkAdmin
           - roles/iam.serviceAccountUser
+          - roles/iam.serviceAccountAdmin
           - roles/compute.instanceAdmin
+          - roles/resourcemanager.projectIamAdmin
     services:
       - cloudresourcemanager.googleapis.com
       - storage-api.googleapis.com
diff --git a/modules/compute_instance/metadata.yaml b/modules/compute_instance/metadata.yaml
index 40e86640..30eed246 100644
--- a/modules/compute_instance/metadata.yaml
+++ b/modules/compute_instance/metadata.yaml
@@ -54,6 +54,8 @@ spec:
         location: examples/umig/full
       - name: healthcheck
         location: examples/mig/healthcheck
+      - name: it_simple_with_sa_creation
+        location: examples/it_simple_with_sa_creation
       - name: mig_stateful
         location: examples/mig_stateful
       - name: multiple_interfaces
@@ -173,7 +175,9 @@ spec:
           - roles/compute.admin
           - roles/compute.networkAdmin
           - roles/iam.serviceAccountUser
+          - roles/iam.serviceAccountAdmin
           - roles/compute.instanceAdmin
+          - roles/resourcemanager.projectIamAdmin
     services:
       - cloudresourcemanager.googleapis.com
       - storage-api.googleapis.com
diff --git a/modules/instance_template/metadata.yaml b/modules/instance_template/metadata.yaml
index 3fcf55db..c3cc748f 100644
--- a/modules/instance_template/metadata.yaml
+++ b/modules/instance_template/metadata.yaml
@@ -54,6 +54,8 @@ spec:
         location: examples/umig/full
       - name: healthcheck
         location: examples/mig/healthcheck
+      - name: it_simple_with_sa_creation
+        location: examples/it_simple_with_sa_creation
       - name: mig_stateful
         location: examples/mig_stateful
       - name: multiple_interfaces
@@ -74,8 +76,6 @@ spec:
         location: examples/preemptible_and_regular_instance_templates/simple
       - name: simple
         location: examples/umig/simple
-      - name: simple_with_sa_creation
-        location: examples/instance_template/simple_with_sa_creation
       - name: static_ips
         location: examples/umig/static_ips
       - name: tags
@@ -388,7 +388,9 @@ spec:
           - roles/compute.admin
           - roles/compute.networkAdmin
           - roles/iam.serviceAccountUser
+          - roles/iam.serviceAccountAdmin
           - roles/compute.instanceAdmin
+          - roles/resourcemanager.projectIamAdmin
     services:
       - cloudresourcemanager.googleapis.com
       - storage-api.googleapis.com
@@ -396,5 +398,7 @@ spec:
       - compute.googleapis.com
       - iam.googleapis.com
     providerVersions:
+      - source: hashicorp/google
+        version: ">= 5.36, < 7"
       - source: hashicorp/google-beta
         version: ">= 5.36, < 7"
diff --git a/modules/instance_template/versions.tf b/modules/instance_template/versions.tf
index 35e4dd0d..363feb2a 100644
--- a/modules/instance_template/versions.tf
+++ b/modules/instance_template/versions.tf
@@ -17,6 +17,11 @@
 terraform {
   required_version = ">=1.3"
   required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 5.36, < 7"
+    }
+
     google-beta = {
       source  = "hashicorp/google-beta"
       version = ">= 5.36, < 7"
diff --git a/modules/mig/metadata.yaml b/modules/mig/metadata.yaml
index 211a0dc4..2c610a28 100644
--- a/modules/mig/metadata.yaml
+++ b/modules/mig/metadata.yaml
@@ -54,6 +54,8 @@ spec:
         location: examples/umig/full
       - name: healthcheck
         location: examples/mig/healthcheck
+      - name: it_simple_with_sa_creation
+        location: examples/it_simple_with_sa_creation
       - name: mig_stateful
         location: examples/mig_stateful
       - name: multiple_interfaces
@@ -317,7 +319,9 @@ spec:
           - roles/compute.admin
           - roles/compute.networkAdmin
           - roles/iam.serviceAccountUser
+          - roles/iam.serviceAccountAdmin
           - roles/compute.instanceAdmin
+          - roles/resourcemanager.projectIamAdmin
     services:
       - cloudresourcemanager.googleapis.com
       - storage-api.googleapis.com
diff --git a/modules/mig_with_percent/metadata.yaml b/modules/mig_with_percent/metadata.yaml
index 83172d39..972a344c 100644
--- a/modules/mig_with_percent/metadata.yaml
+++ b/modules/mig_with_percent/metadata.yaml
@@ -54,6 +54,8 @@ spec:
         location: examples/umig/full
       - name: healthcheck
         location: examples/mig/healthcheck
+      - name: it_simple_with_sa_creation
+        location: examples/it_simple_with_sa_creation
       - name: mig_stateful
         location: examples/mig_stateful
       - name: multiple_interfaces
@@ -304,7 +306,9 @@ spec:
           - roles/compute.admin
           - roles/compute.networkAdmin
           - roles/iam.serviceAccountUser
+          - roles/iam.serviceAccountAdmin
           - roles/compute.instanceAdmin
+          - roles/resourcemanager.projectIamAdmin
     services:
       - cloudresourcemanager.googleapis.com
       - storage-api.googleapis.com
diff --git a/modules/preemptible_and_regular_instance_templates/metadata.yaml b/modules/preemptible_and_regular_instance_templates/metadata.yaml
index 25eada7f..bcf6b03b 100644
--- a/modules/preemptible_and_regular_instance_templates/metadata.yaml
+++ b/modules/preemptible_and_regular_instance_templates/metadata.yaml
@@ -54,6 +54,8 @@ spec:
         location: examples/umig/full
       - name: healthcheck
         location: examples/mig/healthcheck
+      - name: it_simple_with_sa_creation
+        location: examples/it_simple_with_sa_creation
       - name: mig_stateful
         location: examples/mig_stateful
       - name: multiple_interfaces
@@ -204,7 +206,9 @@ spec:
           - roles/compute.admin
           - roles/compute.networkAdmin
           - roles/iam.serviceAccountUser
+          - roles/iam.serviceAccountAdmin
           - roles/compute.instanceAdmin
+          - roles/resourcemanager.projectIamAdmin
     services:
       - cloudresourcemanager.googleapis.com
       - storage-api.googleapis.com
diff --git a/modules/umig/metadata.yaml b/modules/umig/metadata.yaml
index 8ca9bf10..faf4faf5 100644
--- a/modules/umig/metadata.yaml
+++ b/modules/umig/metadata.yaml
@@ -54,6 +54,8 @@ spec:
         location: examples/umig/full
       - name: healthcheck
         location: examples/mig/healthcheck
+      - name: it_simple_with_sa_creation
+        location: examples/it_simple_with_sa_creation
       - name: mig_stateful
         location: examples/mig_stateful
       - name: multiple_interfaces
@@ -181,7 +183,9 @@ spec:
           - roles/compute.admin
           - roles/compute.networkAdmin
           - roles/iam.serviceAccountUser
+          - roles/iam.serviceAccountAdmin
           - roles/compute.instanceAdmin
+          - roles/resourcemanager.projectIamAdmin
     services:
       - cloudresourcemanager.googleapis.com
       - storage-api.googleapis.com
diff --git a/test/integration/it_simple_with_sa_creation/it_simple_with_sa_creation_test.go b/test/integration/it_simple_with_sa_creation/it_simple_with_sa_creation_test.go
new file mode 100644
index 00000000..9c67f33b
--- /dev/null
+++ b/test/integration/it_simple_with_sa_creation/it_simple_with_sa_creation_test.go
@@ -0,0 +1,39 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package it_simple_with_sa_creation
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud"
+	"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestInstanceTemplateSimpleSAModule(t *testing.T) {
+
+	const instanceNamePrefix = "it-simple-sa"
+	const expected_templates = 1
+
+	insSimpleT := tft.NewTFBlueprintTest(t)
+	insSimpleT.DefineVerify(func(assert *assert.Assertions) {
+		insSimpleT.DefaultVerify(assert)
+
+		instance_templates := gcloud.Run(t, fmt.Sprintf("compute instance-templates list --project %s --filter name~%s", insSimpleT.GetStringOutput("project_id"), instanceNamePrefix))
+		assert.Equal(expected_templates, len(instance_templates.Array()), fmt.Sprintf("should have %d instance_templates", expected_templates))
+	})
+	insSimpleT.Test()
+}
diff --git a/test/setup/iam.tf b/test/setup/iam.tf
index 02230449..64c1d6e0 100644
--- a/test/setup/iam.tf
+++ b/test/setup/iam.tf
@@ -19,7 +19,9 @@ locals {
     "roles/compute.admin",
     "roles/compute.networkAdmin",
     "roles/iam.serviceAccountUser",
+    "roles/iam.serviceAccountAdmin",
     "roles/compute.instanceAdmin",
+    "roles/resourcemanager.projectIamAdmin",
   ]
 }
 

From a5d2dd92c1784039c0dd70e7506644ff2bccfa21 Mon Sep 17 00:00:00 2001
From: Abhishek Tiwari <abhiwa@google.com>
Date: Sat, 25 Jan 2025 13:06:51 +0000
Subject: [PATCH 3/4] add connection metadata and output type

---
 build/int.cloudbuild.yaml                     | 464 +++++++++---------
 .../instance_template/metadata.display.yaml   |   4 +-
 modules/instance_template/metadata.yaml       |  26 +
 modules/mig/metadata.display.yaml             |   2 +-
 4 files changed, 262 insertions(+), 234 deletions(-)

diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml
index 590132ec..1c296bfd 100644
--- a/build/int.cloudbuild.yaml
+++ b/build/int.cloudbuild.yaml
@@ -29,9 +29,242 @@ steps:
       - prepare
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run all --stage init --verbose']
+- id: create-all
+  wait_for:
+    - init-all
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create']
+- id: converge-it-simple-local
+  wait_for:
+    - create-all
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge it-simple-local']
+- id: verify-it-simple-local
+  wait_for:
+    - converge-it-simple-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify it-simple-local']
+- id: destroy-it-simple-local
+  wait_for:
+    - verify-it-simple-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy it-simple-local']
+- id: converge-it-additional-disks-local
+  wait_for:
+    - create-all
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge it-additional-disks-local']
+- id: verify-it-additional-disks-local
+  wait_for:
+    - converge-it-additional-disks-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify it-additional-disks-local']
+- id: destroy-it-additional-disks-local
+  wait_for:
+    - verify-it-additional-disks-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy it-additional-disks-local']
+- id: converge-preemptible-and-regular-instance-templates-simple-local
+  wait_for:
+    - create-all
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge preemptible-and-regular-instance-templates-simple-local']
+- id: verify-preemptible-and-regular-instance-templates-simple-local
+  wait_for:
+    - converge-preemptible-and-regular-instance-templates-simple-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify preemptible-and-regular-instance-templates-simple-local']
+- id: destroy-preemptible-and-regular-instance-templates-simple-local
+  wait_for:
+    - verify-preemptible-and-regular-instance-templates-simple-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy preemptible-and-regular-instance-templates-simple-local']
+- id: go-init-instance-simple
+  waitFor:
+    - create-all
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cd test/integration && RUN_STAGE=init go test -v -run TestInstanceSimpleModule ./... -p 1']
+- id: go-apply-instance-simple
+  waitFor:
+    - go-init-instance-simple
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cd test/integration && RUN_STAGE=apply go test -v -run TestInstanceSimpleModule ./... -p 1']
+  timeout: 3600s
+- id: go-verify-instance-simple
+  waitFor:
+    - go-apply-instance-simple
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cd test/integration && RUN_STAGE=verify go test -v -run TestInstanceSimpleModule ./... -p 1']
+- id: go-destroy-instance-simple
+  waitFor:
+    - go-verify-instance-simple
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cd test/integration && RUN_STAGE=teardown go test -v -run TestInstanceSimpleModule ./... -p 1']
+  timeout: 1800s
+- id: converge-mig-simple-local
+  wait_for:
+    - create-all
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge mig-simple-local']
+- id: verify-mig-simple-local
+  wait_for:
+    - converge-mig-simple-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify mig-simple-local']
+- id: destroy-mig-simple-local
+  wait_for:
+    - verify-mig-simple-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy mig-simple-local']
+- id: create-mig-autoscaler-local
+  wait_for:
+    - destroy-it-simple-local
+    - destroy-it-additional-disks-local
+    - destroy-preemptible-and-regular-instance-templates-simple-local
+    - go-destroy-instance-simple
+    - destroy-mig-simple-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create mig-autoscaler-local']
+- id: converge-mig-autoscaler-local
+  wait_for:
+    - create-mig-autoscaler-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge mig-autoscaler-local']
+- id: verify-mig-autoscaler-local
+  wait_for:
+    - converge-mig-autoscaler-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify mig-autoscaler-local']
+- id: destroy-mig-autoscaler-local
+  wait_for:
+    - verify-mig-autoscaler-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy mig-autoscaler-local']
+- id: create-umig-simple-local
+  wait_for:
+    - destroy-it-simple-local
+    - destroy-it-additional-disks-local
+    - destroy-preemptible-and-regular-instance-templates-simple-local
+    - go-destroy-instance-simple
+    - destroy-mig-simple-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create umig-simple-local']
+- id: converge-umig-simple-local
+  wait_for:
+    - create-umig-simple-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge umig-simple-local']
+- id: verify-umig-simple-local
+  wait_for:
+    - converge-umig-simple-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify umig-simple-local']
+- id: destroy-umig-simple-local
+  wait_for:
+    - verify-umig-simple-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy umig-simple-local']
+- id: create-umig-named-ports-local
+  wait_for:
+    - destroy-it-simple-local
+    - destroy-it-additional-disks-local
+    - destroy-preemptible-and-regular-instance-templates-simple-local
+    - go-destroy-instance-simple
+    - destroy-mig-simple-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create umig-named-ports-local']
+- id: converge-umig-named-ports-local
+  wait_for:
+    - create-umig-named-ports-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge umig-named-ports-local']
+- id: verify-umig-named-ports-local
+  wait_for:
+    - converge-umig-named-ports-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify umig-named-ports-local']
+- id: destroy-umig-named-ports-local
+  wait_for:
+    - verify-umig-named-ports-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy umig-named-ports-local']
+- id: create-umig-static-ips-local
+  wait_for:
+    - destroy-it-simple-local
+    - destroy-it-additional-disks-local
+    - destroy-preemptible-and-regular-instance-templates-simple-local
+    - go-destroy-instance-simple
+    - destroy-mig-simple-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create umig-static-ips-local']
+- id: converge-umig-static-ips-local
+  wait_for:
+    - create-umig-static-ips-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge umig-static-ips-local']
+- id: verify-umig-static-ips-local
+  wait_for:
+    - converge-umig-static-ips-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify umig-static-ips-local']
+- id: destroy-umig-static-ips-local
+  wait_for:
+    - verify-umig-static-ips-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy umig-static-ips-local']
+- id: create-mig-with-percent-simple-local
+  wait_for:
+    - destroy-it-simple-local
+    - destroy-it-additional-disks-local
+    - destroy-preemptible-and-regular-instance-templates-simple-local
+    - go-destroy-instance-simple
+    - destroy-mig-simple-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create mig-with-percent-simple-local']
+- id: converge-mig-with-percent-simple-local
+  wait_for:
+    - create-mig-with-percent-simple-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge mig-with-percent-simple-local']
+- id: verify-mig-with-percent-simple-local
+  wait_for:
+    - converge-mig-with-percent-simple-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify mig-with-percent-simple-local']
+- id: destroy-mig-with-percent-simple-local
+  wait_for:
+    - verify-mig-with-percent-simple-local
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy mig-with-percent-simple-local']
+- id: go-init-statful-mig
+  waitFor:
+    - create-all
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestMigStatefulModule --stage create --verbose']
+- id: go-apply-statful-mig
+  waitFor:
+    - go-init-statful-mig
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestMigStatefulModule --stage apply --verbose']
+  timeout: 3600s
+- id: go-verify-statful-mig
+  waitFor:
+    - go-apply-statful-mig
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestMigStatefulModule --stage verify --verbose']
+- id: go-destroy-statful-mig
+  waitFor:
+    - go-verify-statful-mig
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestMigStatefulModule --stage destroy --verbose']
+  timeout: 1800s
 - id: it-simple-sa-apply
   waitFor:
-    - init-all
+    - destroy-it-simple-local
+    - destroy-it-additional-disks-local
+    - destroy-preemptible-and-regular-instance-templates-simple-local
+    - go-destroy-instance-simple
+    - destroy-mig-simple-local
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run TestInstanceTemplateSimpleSAModule --stage apply --verbose']
 - id: it-simple-sa-verify
@@ -44,235 +277,6 @@ steps:
     - it-simple-sa-verify
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run TestInstanceTemplateSimpleSAModule --stage destroy --verbose']
-# - id: create-all
-#   wait_for:
-#     - init-all
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create']
-# - id: converge-it-simple-local
-#   wait_for:
-#     - create-all
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge it-simple-local']
-# - id: verify-it-simple-local
-#   wait_for:
-#     - converge-it-simple-local
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify it-simple-local']
-# - id: destroy-it-simple-local
-#   wait_for:
-#     - verify-it-simple-local
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy it-simple-local']
-# - id: converge-it-additional-disks-local
-#   wait_for:
-#     - create-all
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge it-additional-disks-local']
-# - id: verify-it-additional-disks-local
-#   wait_for:
-#     - converge-it-additional-disks-local
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify it-additional-disks-local']
-# - id: destroy-it-additional-disks-local
-#   wait_for:
-#     - verify-it-additional-disks-local
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy it-additional-disks-local']
-# - id: converge-preemptible-and-regular-instance-templates-simple-local
-#   wait_for:
-#     - create-all
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge preemptible-and-regular-instance-templates-simple-local']
-# - id: verify-preemptible-and-regular-instance-templates-simple-local
-#   wait_for:
-#     - converge-preemptible-and-regular-instance-templates-simple-local
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify preemptible-and-regular-instance-templates-simple-local']
-# - id: destroy-preemptible-and-regular-instance-templates-simple-local
-#   wait_for:
-#     - verify-preemptible-and-regular-instance-templates-simple-local
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy preemptible-and-regular-instance-templates-simple-local']
-# - id: go-init-instance-simple
-#   waitFor:
-#     - create-all
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'cd test/integration && RUN_STAGE=init go test -v -run TestInstanceSimpleModule ./... -p 1']
-# - id: go-apply-instance-simple
-#   waitFor:
-#     - go-init-instance-simple
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'cd test/integration && RUN_STAGE=apply go test -v -run TestInstanceSimpleModule ./... -p 1']
-#   timeout: 3600s
-# - id: go-verify-instance-simple
-#   waitFor:
-#     - go-apply-instance-simple
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'cd test/integration && RUN_STAGE=verify go test -v -run TestInstanceSimpleModule ./... -p 1']
-# - id: go-destroy-instance-simple
-#   waitFor:
-#     - go-verify-instance-simple
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'cd test/integration && RUN_STAGE=teardown go test -v -run TestInstanceSimpleModule ./... -p 1']
-#   timeout: 1800s
-# - id: converge-mig-simple-local
-#   wait_for:
-#     - create-all
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge mig-simple-local']
-# - id: verify-mig-simple-local
-#   wait_for:
-#     - converge-mig-simple-local
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify mig-simple-local']
-# - id: destroy-mig-simple-local
-#   wait_for:
-#     - verify-mig-simple-local
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy mig-simple-local']
-# - id: create-mig-autoscaler-local
-#   wait_for:
-#     - destroy-it-simple-local
-#     - destroy-it-additional-disks-local
-#     - destroy-preemptible-and-regular-instance-templates-simple-local
-#     - go-destroy-instance-simple
-#     - destroy-mig-simple-local
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create mig-autoscaler-local']
-# - id: converge-mig-autoscaler-local
-#   wait_for:
-#     - create-mig-autoscaler-local
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge mig-autoscaler-local']
-# - id: verify-mig-autoscaler-local
-#   wait_for:
-#     - converge-mig-autoscaler-local
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify mig-autoscaler-local']
-# - id: destroy-mig-autoscaler-local
-#   wait_for:
-#     - verify-mig-autoscaler-local
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy mig-autoscaler-local']
-# - id: create-umig-simple-local
-#   wait_for:
-#     - destroy-it-simple-local
-#     - destroy-it-additional-disks-local
-#     - destroy-preemptible-and-regular-instance-templates-simple-local
-#     - go-destroy-instance-simple
-#     - destroy-mig-simple-local
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create umig-simple-local']
-# - id: converge-umig-simple-local
-#   wait_for:
-#     - create-umig-simple-local
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge umig-simple-local']
-# - id: verify-umig-simple-local
-#   wait_for:
-#     - converge-umig-simple-local
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify umig-simple-local']
-# - id: destroy-umig-simple-local
-#   wait_for:
-#     - verify-umig-simple-local
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy umig-simple-local']
-# - id: create-umig-named-ports-local
-#   wait_for:
-#     - destroy-it-simple-local
-#     - destroy-it-additional-disks-local
-#     - destroy-preemptible-and-regular-instance-templates-simple-local
-#     - go-destroy-instance-simple
-#     - destroy-mig-simple-local
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create umig-named-ports-local']
-# - id: converge-umig-named-ports-local
-#   wait_for:
-#     - create-umig-named-ports-local
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge umig-named-ports-local']
-# - id: verify-umig-named-ports-local
-#   wait_for:
-#     - converge-umig-named-ports-local
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify umig-named-ports-local']
-# - id: destroy-umig-named-ports-local
-#   wait_for:
-#     - verify-umig-named-ports-local
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy umig-named-ports-local']
-# - id: create-umig-static-ips-local
-#   wait_for:
-#     - destroy-it-simple-local
-#     - destroy-it-additional-disks-local
-#     - destroy-preemptible-and-regular-instance-templates-simple-local
-#     - go-destroy-instance-simple
-#     - destroy-mig-simple-local
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create umig-static-ips-local']
-# - id: converge-umig-static-ips-local
-#   wait_for:
-#     - create-umig-static-ips-local
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge umig-static-ips-local']
-# - id: verify-umig-static-ips-local
-#   wait_for:
-#     - converge-umig-static-ips-local
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify umig-static-ips-local']
-# - id: destroy-umig-static-ips-local
-#   wait_for:
-#     - verify-umig-static-ips-local
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy umig-static-ips-local']
-# - id: create-mig-with-percent-simple-local
-#   wait_for:
-#     - destroy-it-simple-local
-#     - destroy-it-additional-disks-local
-#     - destroy-preemptible-and-regular-instance-templates-simple-local
-#     - go-destroy-instance-simple
-#     - destroy-mig-simple-local
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create mig-with-percent-simple-local']
-# - id: converge-mig-with-percent-simple-local
-#   wait_for:
-#     - create-mig-with-percent-simple-local
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge mig-with-percent-simple-local']
-# - id: verify-mig-with-percent-simple-local
-#   wait_for:
-#     - converge-mig-with-percent-simple-local
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify mig-with-percent-simple-local']
-# - id: destroy-mig-with-percent-simple-local
-#   wait_for:
-#     - verify-mig-with-percent-simple-local
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy mig-with-percent-simple-local']
-# - id: go-init-statful-mig
-#   waitFor:
-#     - create-all
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'cft test run TestMigStatefulModule --stage create --verbose']
-# - id: go-apply-statful-mig
-#   waitFor:
-#     - go-init-statful-mig
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'cft test run TestMigStatefulModule --stage apply --verbose']
-#   timeout: 3600s
-# - id: go-verify-statful-mig
-#   waitFor:
-#     - go-apply-statful-mig
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'cft test run TestMigStatefulModule --stage verify --verbose']
-# - id: go-destroy-statful-mig
-#   waitFor:
-#     - go-verify-statful-mig
-#   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
-#   args: ['/bin/bash', '-c', 'cft test run TestMigStatefulModule --stage destroy --verbose']
-#   timeout: 1800s
 tags:
 - 'ci'
 - 'integration'
diff --git a/modules/instance_template/metadata.display.yaml b/modules/instance_template/metadata.display.yaml
index 00452c9e..9018f305 100644
--- a/modules/instance_template/metadata.display.yaml
+++ b/modules/instance_template/metadata.display.yaml
@@ -58,12 +58,10 @@ spec:
         confidential_instance_type:
           name: confidential_instance_type
           title: Confidential Instance Type
-        create_new_service_account:
-          name: create_new_service_account
-          title: Create New Service Account
         create_service_account:
           name: create_service_account
           title: Create Service Account
+          level: 1
         description:
           name: description
           title: Description
diff --git a/modules/instance_template/metadata.yaml b/modules/instance_template/metadata.yaml
index c3cc748f..7d90ed9a 100644
--- a/modules/instance_template/metadata.yaml
+++ b/modules/instance_template/metadata.yaml
@@ -309,6 +309,27 @@ spec:
         description: Roles to grant to the newly created cloud run SA in specified project. Should be used with create_service_account set to true and no input for service_account
         varType: list(string)
         defaultValue: []
+        connections:
+          - source:
+              source: github.com/terraform-google-modules/terraform-google-sql-db//modules/postgresql
+              version: ">= 23.0"
+            spec:
+              outputExpr: "[\"roles/cloudsql.instanceUser\", \"roles/cloudsql.client\"]"
+          - source:
+              source: github.com/terraform-google-modules/terraform-google-sql-db//modules/mysql
+              version: ">= 23.0"
+            spec:
+              outputExpr: "[\"roles/cloudsql.instanceUser\", \"roles/cloudsql.client\"]"
+          - source:
+              source: github.com/terraform-google-modules/terraform-google-memorystore
+              version: ">= 12.0"
+            spec:
+              outputExpr: "[\"roles/redis.editor\"]"
+          - source:
+              source: github.com/terraform-google-modules/terraform-google-project-factory//modules/project_services
+              version: ">= 17.1.0"
+            spec:
+              outputExpr: "[\"roles/aiplatform.user\"]"
       - name: enable_shielded_vm
         description: Whether to enable the Shielded VM configuration on the instance. Note that the instance image must support Shielded VMs. See https://cloud.google.com/compute/docs/images
         varType: bool
@@ -376,6 +397,11 @@ spec:
         type: string
       - name: service_account_info
         description: Service account id and email
+        type:
+          - object
+          - email: string
+            id: string
+            member: string
       - name: tags
         description: Tags that will be associated with instance(s)
         type:
diff --git a/modules/mig/metadata.display.yaml b/modules/mig/metadata.display.yaml
index ed38334e..3784d5d2 100644
--- a/modules/mig/metadata.display.yaml
+++ b/modules/mig/metadata.display.yaml
@@ -46,7 +46,6 @@ spec:
         autoscaling_mode:
           name: autoscaling_mode
           title: Autoscaling Mode
-          level: 1
           enumValueLabels:
             - label: "ON"
               value: "ON"
@@ -54,6 +53,7 @@ spec:
               value: ONLY_SCALE_OUT
             - label: "OFF"
               value: "OFF"
+          level: 1
         autoscaling_scale_in_control:
           name: autoscaling_scale_in_control
           title: Autoscaling Scale In Control

From 918ed6b88dfbab257b230ec517e229730d17e819 Mon Sep 17 00:00:00 2001
From: Abhishek Tiwari <abhiwa@google.com>
Date: Tue, 28 Jan 2025 14:47:58 +0000
Subject: [PATCH 4/4] validate sa creation

---
 modules/instance_template/README.md           |  2 +-
 modules/instance_template/main.tf             |  5 +++-
 .../instance_template/metadata.display.yaml   |  1 +
 modules/instance_template/metadata.yaml       |  4 +--
 modules/instance_template/variables.tf        |  2 +-
 modules/instance_template/versions.tf         |  5 ----
 .../it_simple_with_sa_creation_test.go        | 25 +++++++++++++------
 7 files changed, 26 insertions(+), 18 deletions(-)

diff --git a/modules/instance_template/README.md b/modules/instance_template/README.md
index a3cce1ae..951bc85c 100644
--- a/modules/instance_template/README.md
+++ b/modules/instance_template/README.md
@@ -21,7 +21,7 @@ See the [simple](../../examples/instance_template/simple) for a usage example.
 | automatic\_restart | (Optional) Specifies whether the instance should be automatically restarted if it is terminated by Compute Engine (not terminated by a user). | `bool` | `true` | no |
 | can\_ip\_forward | Enable IP forwarding, for NAT instances for example | `string` | `"false"` | no |
 | confidential\_instance\_type | Defines the confidential computing technology the instance uses. If this is set to "SEV\_SNP", var.min\_cpu\_platform will be automatically set to "AMD Milan". See https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#confidential_instance_type. | `string` | `null` | no |
-| create\_service\_account | Create a new service account to attach to the instance. This is alternate to providing the service\_account input variable. Please provide the service\_account input if setting this to false! | `bool` | `true` | no |
+| create\_service\_account | Create a new service account to attach to the instance. This is alternate to providing the service\_account input variable. Please provide the service\_account input if setting this to false. | `bool` | `true` | no |
 | description | The template's description | `string` | `""` | no |
 | disk\_encryption\_key | The id of the encryption key that is stored in Google Cloud KMS to use to encrypt all the disks on this instance | `string` | `null` | no |
 | disk\_labels | Labels to be assigned to boot disk, provided as a map | `map(string)` | `{}` | no |
diff --git a/modules/instance_template/main.tf b/modules/instance_template/main.tf
index 841dd9a2..46579867 100644
--- a/modules/instance_template/main.tf
+++ b/modules/instance_template/main.tf
@@ -85,13 +85,16 @@ locals {
 
 # Service account
 resource "google_service_account" "sa" {
-  count        = local.create_service_account ? 1 : 0
+  provider = google-beta
+  count    = local.create_service_account ? 1 : 0
+
   project      = var.project_id
   account_id   = "${local.service_account_prefix}-sa"
   display_name = "Service account for ${var.name_prefix} in ${var.region}"
 }
 
 resource "google_project_iam_member" "roles" {
+  provider = google-beta
   for_each = toset(distinct(var.service_account_project_roles))
 
   project = var.project_id
diff --git a/modules/instance_template/metadata.display.yaml b/modules/instance_template/metadata.display.yaml
index 9018f305..bac451ca 100644
--- a/modules/instance_template/metadata.display.yaml
+++ b/modules/instance_template/metadata.display.yaml
@@ -178,6 +178,7 @@ spec:
         source_image_project:
           name: source_image_project
           title: Source Image Project
+          level: 1
         spot:
           name: spot
           title: Spot
diff --git a/modules/instance_template/metadata.yaml b/modules/instance_template/metadata.yaml
index 7d90ed9a..e1d03df3 100644
--- a/modules/instance_template/metadata.yaml
+++ b/modules/instance_template/metadata.yaml
@@ -302,7 +302,7 @@ spec:
               outputExpr: email
               inputPath: email
       - name: create_service_account
-        description: Create a new service account to attach to the instance. This is alternate to providing the service_account input variable. Please provide the service_account input if setting this to false!
+        description: Create a new service account to attach to the instance. This is alternate to providing the service_account input variable. Please provide the service_account input if setting this to false.
         varType: bool
         defaultValue: true
       - name: service_account_project_roles
@@ -424,7 +424,5 @@ spec:
       - compute.googleapis.com
       - iam.googleapis.com
     providerVersions:
-      - source: hashicorp/google
-        version: ">= 5.36, < 7"
       - source: hashicorp/google-beta
         version: ">= 5.36, < 7"
diff --git a/modules/instance_template/variables.tf b/modules/instance_template/variables.tf
index 841b3fcc..69a6d3e1 100644
--- a/modules/instance_template/variables.tf
+++ b/modules/instance_template/variables.tf
@@ -333,7 +333,7 @@ variable "service_account" {
 
 variable "create_service_account" {
   type        = bool
-  description = "Create a new service account to attach to the instance. This is alternate to providing the service_account input variable. Please provide the service_account input if setting this to false!"
+  description = "Create a new service account to attach to the instance. This is alternate to providing the service_account input variable. Please provide the service_account input if setting this to false."
   default     = true
 }
 
diff --git a/modules/instance_template/versions.tf b/modules/instance_template/versions.tf
index 363feb2a..35e4dd0d 100644
--- a/modules/instance_template/versions.tf
+++ b/modules/instance_template/versions.tf
@@ -17,11 +17,6 @@
 terraform {
   required_version = ">=1.3"
   required_providers {
-    google = {
-      source  = "hashicorp/google"
-      version = ">= 5.36, < 7"
-    }
-
     google-beta = {
       source  = "hashicorp/google-beta"
       version = ">= 5.36, < 7"
diff --git a/test/integration/it_simple_with_sa_creation/it_simple_with_sa_creation_test.go b/test/integration/it_simple_with_sa_creation/it_simple_with_sa_creation_test.go
index 9c67f33b..9d176efd 100644
--- a/test/integration/it_simple_with_sa_creation/it_simple_with_sa_creation_test.go
+++ b/test/integration/it_simple_with_sa_creation/it_simple_with_sa_creation_test.go
@@ -26,14 +26,25 @@ import (
 func TestInstanceTemplateSimpleSAModule(t *testing.T) {
 
 	const instanceNamePrefix = "it-simple-sa"
-	const expected_templates = 1
+	const expectedTemplates = 1
+	const expectedServiceAccounts = 1
 
-	insSimpleT := tft.NewTFBlueprintTest(t)
-	insSimpleT.DefineVerify(func(assert *assert.Assertions) {
-		insSimpleT.DefaultVerify(assert)
+	instanceSimpleTest := tft.NewTFBlueprintTest(t)
+	instanceSimpleTest.DefineVerify(func(assert *assert.Assertions) {
+		instanceSimpleTest.DefaultVerify(assert)
 
-		instance_templates := gcloud.Run(t, fmt.Sprintf("compute instance-templates list --project %s --filter name~%s", insSimpleT.GetStringOutput("project_id"), instanceNamePrefix))
-		assert.Equal(expected_templates, len(instance_templates.Array()), fmt.Sprintf("should have %d instance_templates", expected_templates))
+		projectID := instanceSimpleTest.GetStringOutput("project_id")
+		instanceTemplates := gcloud.Run(t, fmt.Sprintf("compute instance-templates list --project %s --filter name~%s", projectID, instanceNamePrefix))
+		assert.Equal(expectedTemplates, len(instanceTemplates.Array()), fmt.Sprintf("should have %d instance templates", expectedTemplates))
+
+		serviceAccounts := gcloud.Run(t, fmt.Sprintf("iam service-accounts list --project %s --filter email~%s", projectID, instanceNamePrefix))
+		assert.Equal(expectedServiceAccounts, len(serviceAccounts.Array()), fmt.Sprintf("should have %d service accounts", expectedServiceAccounts))
+
+		for _, it := range instanceTemplates.Array() {
+			instanceTemplateName := it.Get("name").String()
+			instanceTemplateServiceAccounts := gcloud.Run(t, fmt.Sprintf("compute instance-templates describe %s --project %s", instanceTemplateName, projectID), gcloud.WithCommonArgs([]string{"--format", "json(properties.serviceAccounts)"}))
+			assert.Contains(instanceTemplateServiceAccounts.String(), instanceNamePrefix, fmt.Sprintf("Instance template service account %s should contain %s", instanceTemplateServiceAccounts.String(), instanceNamePrefix))
+		}
 	})
-	insSimpleT.Test()
+	instanceSimpleTest.Test()
 }