diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml
index 20c85309..53c86b9c 100644
--- a/build/int.cloudbuild.yaml
+++ b/build/int.cloudbuild.yaml
@@ -29,235 +29,250 @@ steps:
- prepare
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
args: ['/bin/bash', '-c', 'cft test run all --stage init --verbose']
-- id: create-all
- wait_for:
- - init-all
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create']
-- id: converge-it-simple-local
- wait_for:
- - create-all
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge it-simple-local']
-- id: verify-it-simple-local
- wait_for:
- - converge-it-simple-local
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify it-simple-local']
-- id: destroy-it-simple-local
- wait_for:
- - verify-it-simple-local
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy it-simple-local']
-- id: converge-it-additional-disks-local
- wait_for:
- - create-all
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge it-additional-disks-local']
-- id: verify-it-additional-disks-local
- wait_for:
- - converge-it-additional-disks-local
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify it-additional-disks-local']
-- id: destroy-it-additional-disks-local
- wait_for:
- - verify-it-additional-disks-local
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy it-additional-disks-local']
-- id: converge-preemptible-and-regular-instance-templates-simple-local
- wait_for:
- - create-all
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge preemptible-and-regular-instance-templates-simple-local']
-- id: verify-preemptible-and-regular-instance-templates-simple-local
- wait_for:
- - converge-preemptible-and-regular-instance-templates-simple-local
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify preemptible-and-regular-instance-templates-simple-local']
-- id: destroy-preemptible-and-regular-instance-templates-simple-local
- wait_for:
- - verify-preemptible-and-regular-instance-templates-simple-local
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy preemptible-and-regular-instance-templates-simple-local']
-- id: go-init-instance-simple
+# - id: create-all
+# wait_for:
+# - init-all
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create']
+# - id: converge-it-simple-local
+# wait_for:
+# - create-all
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge it-simple-local']
+# - id: verify-it-simple-local
+# wait_for:
+# - converge-it-simple-local
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify it-simple-local']
+# - id: destroy-it-simple-local
+# wait_for:
+# - verify-it-simple-local
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy it-simple-local']
+# - id: converge-it-additional-disks-local
+# wait_for:
+# - create-all
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge it-additional-disks-local']
+# - id: verify-it-additional-disks-local
+# wait_for:
+# - converge-it-additional-disks-local
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify it-additional-disks-local']
+# - id: destroy-it-additional-disks-local
+# wait_for:
+# - verify-it-additional-disks-local
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy it-additional-disks-local']
+# - id: converge-preemptible-and-regular-instance-templates-simple-local
+# wait_for:
+# - create-all
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge preemptible-and-regular-instance-templates-simple-local']
+# - id: verify-preemptible-and-regular-instance-templates-simple-local
+# wait_for:
+# - converge-preemptible-and-regular-instance-templates-simple-local
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify preemptible-and-regular-instance-templates-simple-local']
+# - id: destroy-preemptible-and-regular-instance-templates-simple-local
+# wait_for:
+# - verify-preemptible-and-regular-instance-templates-simple-local
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy preemptible-and-regular-instance-templates-simple-local']
+# - id: go-init-instance-simple
+# waitFor:
+# - create-all
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'cd test/integration && RUN_STAGE=init go test -v -run TestInstanceSimpleModule ./... -p 1']
+# - id: go-apply-instance-simple
+# waitFor:
+# - go-init-instance-simple
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'cd test/integration && RUN_STAGE=apply go test -v -run TestInstanceSimpleModule ./... -p 1']
+# timeout: 3600s
+# - id: go-verify-instance-simple
+# waitFor:
+# - go-apply-instance-simple
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'cd test/integration && RUN_STAGE=verify go test -v -run TestInstanceSimpleModule ./... -p 1']
+# - id: go-destroy-instance-simple
+# waitFor:
+# - go-verify-instance-simple
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'cd test/integration && RUN_STAGE=teardown go test -v -run TestInstanceSimpleModule ./... -p 1']
+# timeout: 1800s
+# - id: converge-mig-simple-local
+# wait_for:
+# - create-all
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge mig-simple-local']
+# - id: verify-mig-simple-local
+# wait_for:
+# - converge-mig-simple-local
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify mig-simple-local']
+# - id: destroy-mig-simple-local
+# wait_for:
+# - verify-mig-simple-local
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy mig-simple-local']
+# - id: create-mig-autoscaler-local
+# wait_for:
+# - destroy-it-simple-local
+# - destroy-it-additional-disks-local
+# - destroy-preemptible-and-regular-instance-templates-simple-local
+# - go-destroy-instance-simple
+# - destroy-mig-simple-local
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create mig-autoscaler-local']
+# - id: converge-mig-autoscaler-local
+# wait_for:
+# - create-mig-autoscaler-local
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge mig-autoscaler-local']
+# - id: verify-mig-autoscaler-local
+# wait_for:
+# - converge-mig-autoscaler-local
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify mig-autoscaler-local']
+# - id: destroy-mig-autoscaler-local
+# wait_for:
+# - verify-mig-autoscaler-local
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy mig-autoscaler-local']
+# - id: create-umig-simple-local
+# wait_for:
+# - destroy-it-simple-local
+# - destroy-it-additional-disks-local
+# - destroy-preemptible-and-regular-instance-templates-simple-local
+# - go-destroy-instance-simple
+# - destroy-mig-simple-local
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create umig-simple-local']
+# - id: converge-umig-simple-local
+# wait_for:
+# - create-umig-simple-local
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge umig-simple-local']
+# - id: verify-umig-simple-local
+# wait_for:
+# - converge-umig-simple-local
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify umig-simple-local']
+# - id: destroy-umig-simple-local
+# wait_for:
+# - verify-umig-simple-local
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy umig-simple-local']
+# - id: create-umig-named-ports-local
+# wait_for:
+# - destroy-it-simple-local
+# - destroy-it-additional-disks-local
+# - destroy-preemptible-and-regular-instance-templates-simple-local
+# - go-destroy-instance-simple
+# - destroy-mig-simple-local
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create umig-named-ports-local']
+# - id: converge-umig-named-ports-local
+# wait_for:
+# - create-umig-named-ports-local
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge umig-named-ports-local']
+# - id: verify-umig-named-ports-local
+# wait_for:
+# - converge-umig-named-ports-local
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify umig-named-ports-local']
+# - id: destroy-umig-named-ports-local
+# wait_for:
+# - verify-umig-named-ports-local
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy umig-named-ports-local']
+# - id: create-umig-static-ips-local
+# wait_for:
+# - destroy-it-simple-local
+# - destroy-it-additional-disks-local
+# - destroy-preemptible-and-regular-instance-templates-simple-local
+# - go-destroy-instance-simple
+# - destroy-mig-simple-local
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create umig-static-ips-local']
+# - id: converge-umig-static-ips-local
+# wait_for:
+# - create-umig-static-ips-local
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge umig-static-ips-local']
+# - id: verify-umig-static-ips-local
+# wait_for:
+# - converge-umig-static-ips-local
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify umig-static-ips-local']
+# - id: destroy-umig-static-ips-local
+# wait_for:
+# - verify-umig-static-ips-local
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy umig-static-ips-local']
+# - id: create-mig-with-percent-simple-local
+# wait_for:
+# - destroy-it-simple-local
+# - destroy-it-additional-disks-local
+# - destroy-preemptible-and-regular-instance-templates-simple-local
+# - go-destroy-instance-simple
+# - destroy-mig-simple-local
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create mig-with-percent-simple-local']
+# - id: converge-mig-with-percent-simple-local
+# wait_for:
+# - create-mig-with-percent-simple-local
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge mig-with-percent-simple-local']
+# - id: verify-mig-with-percent-simple-local
+# wait_for:
+# - converge-mig-with-percent-simple-local
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify mig-with-percent-simple-local']
+# - id: destroy-mig-with-percent-simple-local
+# wait_for:
+# - verify-mig-with-percent-simple-local
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy mig-with-percent-simple-local']
+# - id: go-init-statful-mig
+# waitFor:
+# - create-all
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'cft test run TestMigStatefulModule --stage create --verbose']
+# - id: go-apply-statful-mig
+# waitFor:
+# - go-init-statful-mig
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'cft test run TestMigStatefulModule --stage apply --verbose']
+# timeout: 3600s
+# - id: go-verify-statful-mig
+# waitFor:
+# - go-apply-statful-mig
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'cft test run TestMigStatefulModule --stage verify --verbose']
+# - id: go-destroy-statful-mig
+# waitFor:
+# - go-verify-statful-mig
+# name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+# args: ['/bin/bash', '-c', 'cft test run TestMigStatefulModule --stage destroy --verbose']
+# timeout: 1800s
+- id: it-simple-sa-apply
waitFor:
- - create-all
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'cd test/integration && RUN_STAGE=init go test -v -run TestInstanceSimpleModule ./... -p 1']
-- id: go-apply-instance-simple
- waitFor:
- - go-init-instance-simple
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'cd test/integration && RUN_STAGE=apply go test -v -run TestInstanceSimpleModule ./... -p 1']
- timeout: 3600s
-- id: go-verify-instance-simple
- waitFor:
- - go-apply-instance-simple
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'cd test/integration && RUN_STAGE=verify go test -v -run TestInstanceSimpleModule ./... -p 1']
-- id: go-destroy-instance-simple
- waitFor:
- - go-verify-instance-simple
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'cd test/integration && RUN_STAGE=teardown go test -v -run TestInstanceSimpleModule ./... -p 1']
- timeout: 1800s
-- id: converge-mig-simple-local
- wait_for:
- - create-all
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge mig-simple-local']
-- id: verify-mig-simple-local
- wait_for:
- - converge-mig-simple-local
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify mig-simple-local']
-- id: destroy-mig-simple-local
- wait_for:
- - verify-mig-simple-local
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy mig-simple-local']
-- id: create-mig-autoscaler-local
- wait_for:
- - destroy-it-simple-local
- - destroy-it-additional-disks-local
- - destroy-preemptible-and-regular-instance-templates-simple-local
- - go-destroy-instance-simple
- - destroy-mig-simple-local
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create mig-autoscaler-local']
-- id: converge-mig-autoscaler-local
- wait_for:
- - create-mig-autoscaler-local
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge mig-autoscaler-local']
-- id: verify-mig-autoscaler-local
- wait_for:
- - converge-mig-autoscaler-local
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify mig-autoscaler-local']
-- id: destroy-mig-autoscaler-local
- wait_for:
- - verify-mig-autoscaler-local
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy mig-autoscaler-local']
-- id: create-umig-simple-local
- wait_for:
- - destroy-it-simple-local
- - destroy-it-additional-disks-local
- - destroy-preemptible-and-regular-instance-templates-simple-local
- - go-destroy-instance-simple
- - destroy-mig-simple-local
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create umig-simple-local']
-- id: converge-umig-simple-local
- wait_for:
- - create-umig-simple-local
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge umig-simple-local']
-- id: verify-umig-simple-local
- wait_for:
- - converge-umig-simple-local
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify umig-simple-local']
-- id: destroy-umig-simple-local
- wait_for:
- - verify-umig-simple-local
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy umig-simple-local']
-- id: create-umig-named-ports-local
- wait_for:
- - destroy-it-simple-local
- - destroy-it-additional-disks-local
- - destroy-preemptible-and-regular-instance-templates-simple-local
- - go-destroy-instance-simple
- - destroy-mig-simple-local
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create umig-named-ports-local']
-- id: converge-umig-named-ports-local
- wait_for:
- - create-umig-named-ports-local
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge umig-named-ports-local']
-- id: verify-umig-named-ports-local
- wait_for:
- - converge-umig-named-ports-local
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify umig-named-ports-local']
-- id: destroy-umig-named-ports-local
- wait_for:
- - verify-umig-named-ports-local
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy umig-named-ports-local']
-- id: create-umig-static-ips-local
- wait_for:
- - destroy-it-simple-local
- - destroy-it-additional-disks-local
- - destroy-preemptible-and-regular-instance-templates-simple-local
- - go-destroy-instance-simple
- - destroy-mig-simple-local
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create umig-static-ips-local']
-- id: converge-umig-static-ips-local
- wait_for:
- - create-umig-static-ips-local
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge umig-static-ips-local']
-- id: verify-umig-static-ips-local
- wait_for:
- - converge-umig-static-ips-local
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify umig-static-ips-local']
-- id: destroy-umig-static-ips-local
- wait_for:
- - verify-umig-static-ips-local
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy umig-static-ips-local']
-- id: create-mig-with-percent-simple-local
- wait_for:
- - destroy-it-simple-local
- - destroy-it-additional-disks-local
- - destroy-preemptible-and-regular-instance-templates-simple-local
- - go-destroy-instance-simple
- - destroy-mig-simple-local
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create mig-with-percent-simple-local']
-- id: converge-mig-with-percent-simple-local
- wait_for:
- - create-mig-with-percent-simple-local
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge mig-with-percent-simple-local']
-- id: verify-mig-with-percent-simple-local
- wait_for:
- - converge-mig-with-percent-simple-local
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do verify mig-with-percent-simple-local']
-- id: destroy-mig-with-percent-simple-local
- wait_for:
- - verify-mig-with-percent-simple-local
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy mig-with-percent-simple-local']
-- id: go-init-statful-mig
- waitFor:
- - create-all
- name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'cft test run TestMigStatefulModule --stage create --verbose']
-- id: go-apply-statful-mig
- waitFor:
- - go-init-statful-mig
+ - init-all
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'cft test run TestMigStatefulModule --stage apply --verbose']
- timeout: 3600s
-- id: go-verify-statful-mig
+ args: ['/bin/bash', '-c', 'cft test run TestInstanceTemplateSimpleSAModule --stage apply --verbose']
+- id: it-simple-sa-verify
waitFor:
- - go-apply-statful-mig
+ - it-simple-sa-apply
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'cft test run TestMigStatefulModule --stage verify --verbose']
-- id: go-destroy-statful-mig
+ args: ['/bin/bash', '-c', 'cft test run TestInstanceTemplateSimpleSAModule --stage verify --verbose']
+- id: it-simple-sa-destroy
waitFor:
- - go-verify-statful-mig
+ - it-simple-sa-verify
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
- args: ['/bin/bash', '-c', 'cft test run TestMigStatefulModule --stage destroy --verbose']
- timeout: 1800s
+ args: ['/bin/bash', '-c', 'cft test run TestInstanceTemplateSimpleSAModule --stage destroy --verbose']
tags:
- 'ci'
- 'integration'
diff --git a/examples/it_simple_with_sa_creation/README.md b/examples/it_simple_with_sa_creation/README.md
new file mode 100644
index 00000000..abd492e9
--- /dev/null
+++ b/examples/it_simple_with_sa_creation/README.md
@@ -0,0 +1,20 @@
+# instance-template-simple
+
+This is a simple, minimal example of how to use the instance_template module.
+
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| project\_id | The GCP project to use for integration tests | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| name | Name of the instance templates |
+| project\_id | The GCP project to use for integration tests |
+| self\_link | Self-link to the instance template |
+
+
diff --git a/examples/it_simple_with_sa_creation/main.tf b/examples/it_simple_with_sa_creation/main.tf
new file mode 100644
index 00000000..40275d1e
--- /dev/null
+++ b/examples/it_simple_with_sa_creation/main.tf
@@ -0,0 +1,71 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+provider "google" {
+
+ project = var.project_id
+ region = "us-central1"
+}
+
+resource "google_compute_address" "ip_address" {
+ name = "external-ip"
+}
+
+locals {
+ access_config = {
+ nat_ip = google_compute_address.ip_address.address
+ network_tier = "PREMIUM"
+ }
+}
+
+resource "random_string" "suffix" {
+ length = 4
+ special = "false"
+ upper = "false"
+}
+
+resource "google_compute_network" "main" {
+ project = var.project_id
+ name = "cft-vm-test-${random_string.suffix.result}"
+ auto_create_subnetworks = "false"
+}
+
+resource "google_compute_subnetwork" "main" {
+ project = var.project_id
+ region = "us-central1"
+ name = "cft-vm-test-${random_string.suffix.result}"
+ ip_cidr_range = "10.128.0.0/20"
+ network = google_compute_network.main.self_link
+}
+
+module "instance_template" {
+ source = "terraform-google-modules/vm/google//modules/instance_template"
+ version = "~> 13.0"
+
+ project_id = var.project_id
+ region = "us-central1"
+ subnetwork = google_compute_subnetwork.main.self_link
+ stack_type = "IPV4_ONLY"
+ name_prefix = "it-simple-sa"
+ tags = ["foo", "bar", "sa"]
+ labels = {
+ environment = "dev"
+ }
+ access_config = [local.access_config]
+ enable_nested_virtualization = false
+ threads_per_core = null
+ service_account_project_roles = ["roles/compute.admin"]
+}
diff --git a/examples/it_simple_with_sa_creation/outputs.tf b/examples/it_simple_with_sa_creation/outputs.tf
new file mode 100644
index 00000000..503f5bed
--- /dev/null
+++ b/examples/it_simple_with_sa_creation/outputs.tf
@@ -0,0 +1,30 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "self_link" {
+ description = "Self-link to the instance template"
+ value = module.instance_template.self_link
+}
+
+output "name" {
+ description = "Name of the instance templates"
+ value = module.instance_template.name
+}
+
+output "project_id" {
+ description = "The GCP project to use for integration tests"
+ value = var.project_id
+}
diff --git a/examples/it_simple_with_sa_creation/variables.tf b/examples/it_simple_with_sa_creation/variables.tf
new file mode 100644
index 00000000..9408e0ea
--- /dev/null
+++ b/examples/it_simple_with_sa_creation/variables.tf
@@ -0,0 +1,22 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+
+variable "project_id" {
+ description = "The GCP project to use for integration tests"
+ type = string
+}
diff --git a/metadata.yaml b/metadata.yaml
index 43ba4436..42fb4313 100644
--- a/metadata.yaml
+++ b/metadata.yaml
@@ -64,6 +64,8 @@ spec:
location: examples/umig/full
- name: healthcheck
location: examples/mig/healthcheck
+ - name: it_simple_with_sa_creation
+ location: examples/it_simple_with_sa_creation
- name: mig_stateful
location: examples/mig_stateful
- name: multiple_interfaces
@@ -96,7 +98,9 @@ spec:
- roles/compute.admin
- roles/compute.networkAdmin
- roles/iam.serviceAccountUser
+ - roles/iam.serviceAccountAdmin
- roles/compute.instanceAdmin
+ - roles/resourcemanager.projectIamAdmin
services:
- cloudresourcemanager.googleapis.com
- storage-api.googleapis.com
diff --git a/modules/compute_disk_snapshot/metadata.yaml b/modules/compute_disk_snapshot/metadata.yaml
index fbc58658..47906d3b 100644
--- a/modules/compute_disk_snapshot/metadata.yaml
+++ b/modules/compute_disk_snapshot/metadata.yaml
@@ -54,6 +54,8 @@ spec:
location: examples/umig/full
- name: healthcheck
location: examples/mig/healthcheck
+ - name: it_simple_with_sa_creation
+ location: examples/it_simple_with_sa_creation
- name: mig_stateful
location: examples/mig_stateful
- name: multiple_interfaces
@@ -162,7 +164,9 @@ spec:
- roles/compute.admin
- roles/compute.networkAdmin
- roles/iam.serviceAccountUser
+ - roles/iam.serviceAccountAdmin
- roles/compute.instanceAdmin
+ - roles/resourcemanager.projectIamAdmin
services:
- cloudresourcemanager.googleapis.com
- storage-api.googleapis.com
diff --git a/modules/compute_instance/metadata.yaml b/modules/compute_instance/metadata.yaml
index 40e86640..30eed246 100644
--- a/modules/compute_instance/metadata.yaml
+++ b/modules/compute_instance/metadata.yaml
@@ -54,6 +54,8 @@ spec:
location: examples/umig/full
- name: healthcheck
location: examples/mig/healthcheck
+ - name: it_simple_with_sa_creation
+ location: examples/it_simple_with_sa_creation
- name: mig_stateful
location: examples/mig_stateful
- name: multiple_interfaces
@@ -173,7 +175,9 @@ spec:
- roles/compute.admin
- roles/compute.networkAdmin
- roles/iam.serviceAccountUser
+ - roles/iam.serviceAccountAdmin
- roles/compute.instanceAdmin
+ - roles/resourcemanager.projectIamAdmin
services:
- cloudresourcemanager.googleapis.com
- storage-api.googleapis.com
diff --git a/modules/instance_template/README.md b/modules/instance_template/README.md
index d502b066..951bc85c 100644
--- a/modules/instance_template/README.md
+++ b/modules/instance_template/README.md
@@ -21,6 +21,7 @@ See the [simple](../../examples/instance_template/simple) for a usage example.
| automatic\_restart | (Optional) Specifies whether the instance should be automatically restarted if it is terminated by Compute Engine (not terminated by a user). | `bool` | `true` | no |
| can\_ip\_forward | Enable IP forwarding, for NAT instances for example | `string` | `"false"` | no |
| confidential\_instance\_type | Defines the confidential computing technology the instance uses. If this is set to "SEV\_SNP", var.min\_cpu\_platform will be automatically set to "AMD Milan". See https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#confidential_instance_type. | `string` | `null` | no |
+| create\_service\_account | Create a new service account to attach to the instance. This is alternate to providing the service\_account input variable. Please provide the service\_account input if setting this to false. | `bool` | `true` | no |
| description | The template's description | `string` | `""` | no |
| disk\_encryption\_key | The id of the encryption key that is stored in Google Cloud KMS to use to encrypt all the disks on this instance | `string` | `null` | no |
| disk\_labels | Labels to be assigned to boot disk, provided as a map | `map(string)` | `{}` | no |
@@ -47,7 +48,8 @@ See the [simple](../../examples/instance_template/simple) for a usage example.
| project\_id | The GCP project ID | `string` | n/a | yes |
| region | Region where the instance template should be created. | `string` | n/a | yes |
| resource\_policies | A list of self\_links of resource policies to attach to the instance. Modifying this list will cause the instance to recreate. Currently a max of 1 resource policy is supported. | `list(string)` | `[]` | no |
-| service\_account | Service account to attach to the instance. See https://www.terraform.io/docs/providers/google/r/compute_instance_template#service_account. | object({
email = string
scopes = optional(set(string), ["cloud-platform"])
}) | n/a | yes |
+| service\_account | Service account to attach to the instance. See https://www.terraform.io/docs/providers/google/r/compute_instance_template#service_account. | object({
email = string
scopes = optional(set(string), ["cloud-platform"])
}) | `null` | no |
+| service\_account\_project\_roles | Roles to grant to the newly created cloud run SA in specified project. Should be used with create\_service\_account set to true and no input for service\_account | `list(string)` | `[]` | no |
| shielded\_instance\_config | Not used unless enable\_shielded\_vm is true. Shielded VM configuration for the instance. | object({
enable_secure_boot = bool
enable_vtpm = bool
enable_integrity_monitoring = bool
}) | {
"enable_integrity_monitoring": true,
"enable_secure_boot": true,
"enable_vtpm": true
} | no |
| source\_image | Source disk image. If neither source\_image nor source\_image\_family is specified, defaults to the latest public Rocky Linux 9 optimized for GCP image. | `string` | `""` | no |
| source\_image\_family | Source image family. If neither source\_image nor source\_image\_family is specified, defaults to the latest public Rocky Linux 9 optimized for GCP image. | `string` | `"rocky-linux-9-optimized-gcp"` | no |
@@ -69,6 +71,7 @@ See the [simple](../../examples/instance_template/simple) for a usage example.
| name | Name of instance template |
| self\_link | Self-link of instance template |
| self\_link\_unique | Unique self-link of instance template (recommended output to use instead of self\_link) |
+| service\_account\_info | Service account id and email |
| tags | Tags that will be associated with instance(s) |
diff --git a/modules/instance_template/main.tf b/modules/instance_template/main.tf
index 5c5917bb..46579867 100644
--- a/modules/instance_template/main.tf
+++ b/modules/instance_template/main.tf
@@ -63,6 +63,43 @@ locals {
# must be true when preemtible or spot is true
var.preemptible || var.spot ? true : false
)
+
+ service_account = (
+ var.service_account != null
+ ? var.service_account
+ : (
+ var.create_service_account
+ ? { email : google_service_account.sa[0].email, scopes : ["cloud-platform"] }
+ : null
+ )
+ )
+ create_service_account = var.create_service_account ? var.service_account == null : false
+
+ service_account_prefix = substr("${var.name_prefix}-${var.region}", 0, 27)
+ service_account_output = local.create_service_account ? {
+ id = google_service_account.sa[0].account_id,
+ email = google_service_account.sa[0].email,
+ member = google_service_account.sa[0].member
+ } : {}
+}
+
+# Service account
+resource "google_service_account" "sa" {
+ provider = google-beta
+ count = local.create_service_account ? 1 : 0
+
+ project = var.project_id
+ account_id = "${local.service_account_prefix}-sa"
+ display_name = "Service account for ${var.name_prefix} in ${var.region}"
+}
+
+resource "google_project_iam_member" "roles" {
+ provider = google-beta
+ for_each = toset(distinct(var.service_account_project_roles))
+
+ project = var.project_id
+ role = each.value
+ member = "serviceAccount:${local.service_account.email}"
}
####################
@@ -111,7 +148,7 @@ resource "google_compute_instance_template" "tpl" {
}
dynamic "service_account" {
- for_each = var.service_account == null ? [] : [var.service_account]
+ for_each = local.service_account == null ? [] : [local.service_account]
content {
email = lookup(service_account.value, "email", null)
scopes = lookup(service_account.value, "scopes", null)
diff --git a/modules/instance_template/metadata.display.yaml b/modules/instance_template/metadata.display.yaml
index 90917235..bac451ca 100644
--- a/modules/instance_template/metadata.display.yaml
+++ b/modules/instance_template/metadata.display.yaml
@@ -58,6 +58,10 @@ spec:
confidential_instance_type:
name: confidential_instance_type
title: Confidential Instance Type
+ create_service_account:
+ name: create_service_account
+ title: Create Service Account
+ level: 1
description:
name: description
title: Description
@@ -158,6 +162,9 @@ spec:
service_account:
name: service_account
title: Service Account
+ service_account_project_roles:
+ name: service_account_project_roles
+ title: Service Account Project Roles
shielded_instance_config:
name: shielded_instance_config
title: Shielded Instance Config
@@ -171,6 +178,7 @@ spec:
source_image_project:
name: source_image_project
title: Source Image Project
+ level: 1
spot:
name: spot
title: Spot
diff --git a/modules/instance_template/metadata.yaml b/modules/instance_template/metadata.yaml
index 0cb961b6..e1d03df3 100644
--- a/modules/instance_template/metadata.yaml
+++ b/modules/instance_template/metadata.yaml
@@ -54,6 +54,8 @@ spec:
location: examples/umig/full
- name: healthcheck
location: examples/mig/healthcheck
+ - name: it_simple_with_sa_creation
+ location: examples/it_simple_with_sa_creation
- name: mig_stateful
location: examples/mig_stateful
- name: multiple_interfaces
@@ -292,7 +294,6 @@ spec:
email = string
scopes = optional(set(string), ["cloud-platform"])
})
- required: true
connections:
- source:
source: github.com/terraform-google-modules/terraform-google-service-accounts//modules/simple-sa
@@ -300,6 +301,35 @@ spec:
spec:
outputExpr: email
inputPath: email
+ - name: create_service_account
+ description: Create a new service account to attach to the instance. This is alternate to providing the service_account input variable. Please provide the service_account input if setting this to false.
+ varType: bool
+ defaultValue: true
+ - name: service_account_project_roles
+ description: Roles to grant to the newly created cloud run SA in specified project. Should be used with create_service_account set to true and no input for service_account
+ varType: list(string)
+ defaultValue: []
+ connections:
+ - source:
+ source: github.com/terraform-google-modules/terraform-google-sql-db//modules/postgresql
+ version: ">= 23.0"
+ spec:
+ outputExpr: "[\"roles/cloudsql.instanceUser\", \"roles/cloudsql.client\"]"
+ - source:
+ source: github.com/terraform-google-modules/terraform-google-sql-db//modules/mysql
+ version: ">= 23.0"
+ spec:
+ outputExpr: "[\"roles/cloudsql.instanceUser\", \"roles/cloudsql.client\"]"
+ - source:
+ source: github.com/terraform-google-modules/terraform-google-memorystore
+ version: ">= 12.0"
+ spec:
+ outputExpr: "[\"roles/redis.editor\"]"
+ - source:
+ source: github.com/terraform-google-modules/terraform-google-project-factory//modules/project_services
+ version: ">= 17.1.0"
+ spec:
+ outputExpr: "[\"roles/aiplatform.user\"]"
- name: enable_shielded_vm
description: Whether to enable the Shielded VM configuration on the instance. Note that the instance image must support Shielded VMs. See https://cloud.google.com/compute/docs/images
varType: bool
@@ -365,6 +395,13 @@ spec:
- name: self_link_unique
description: Unique self-link of instance template (recommended output to use instead of self_link)
type: string
+ - name: service_account_info
+ description: Service account id and email
+ type:
+ - object
+ - email: string
+ id: string
+ member: string
- name: tags
description: Tags that will be associated with instance(s)
type:
@@ -377,7 +414,9 @@ spec:
- roles/compute.admin
- roles/compute.networkAdmin
- roles/iam.serviceAccountUser
+ - roles/iam.serviceAccountAdmin
- roles/compute.instanceAdmin
+ - roles/resourcemanager.projectIamAdmin
services:
- cloudresourcemanager.googleapis.com
- storage-api.googleapis.com
diff --git a/modules/instance_template/outputs.tf b/modules/instance_template/outputs.tf
index aea1b3d7..0171fb9c 100644
--- a/modules/instance_template/outputs.tf
+++ b/modules/instance_template/outputs.tf
@@ -33,3 +33,8 @@ output "tags" {
description = "Tags that will be associated with instance(s)"
value = google_compute_instance_template.tpl.tags
}
+
+output "service_account_info" {
+ description = "Service account id and email"
+ value = local.service_account_output
+}
diff --git a/modules/instance_template/variables.tf b/modules/instance_template/variables.tf
index 1819c27b..69a6d3e1 100644
--- a/modules/instance_template/variables.tf
+++ b/modules/instance_template/variables.tf
@@ -328,6 +328,19 @@ variable "service_account" {
scopes = optional(set(string), ["cloud-platform"])
})
description = "Service account to attach to the instance. See https://www.terraform.io/docs/providers/google/r/compute_instance_template#service_account."
+ default = null
+}
+
+variable "create_service_account" {
+ type = bool
+ description = "Create a new service account to attach to the instance. This is alternate to providing the service_account input variable. Please provide the service_account input if setting this to false."
+ default = true
+}
+
+variable "service_account_project_roles" {
+ type = list(string)
+ description = "Roles to grant to the newly created cloud run SA in specified project. Should be used with create_service_account set to true and no input for service_account"
+ default = []
}
###########################
diff --git a/modules/mig/metadata.display.yaml b/modules/mig/metadata.display.yaml
index ed38334e..3784d5d2 100644
--- a/modules/mig/metadata.display.yaml
+++ b/modules/mig/metadata.display.yaml
@@ -46,7 +46,6 @@ spec:
autoscaling_mode:
name: autoscaling_mode
title: Autoscaling Mode
- level: 1
enumValueLabels:
- label: "ON"
value: "ON"
@@ -54,6 +53,7 @@ spec:
value: ONLY_SCALE_OUT
- label: "OFF"
value: "OFF"
+ level: 1
autoscaling_scale_in_control:
name: autoscaling_scale_in_control
title: Autoscaling Scale In Control
diff --git a/modules/mig/metadata.yaml b/modules/mig/metadata.yaml
index 211a0dc4..2c610a28 100644
--- a/modules/mig/metadata.yaml
+++ b/modules/mig/metadata.yaml
@@ -54,6 +54,8 @@ spec:
location: examples/umig/full
- name: healthcheck
location: examples/mig/healthcheck
+ - name: it_simple_with_sa_creation
+ location: examples/it_simple_with_sa_creation
- name: mig_stateful
location: examples/mig_stateful
- name: multiple_interfaces
@@ -317,7 +319,9 @@ spec:
- roles/compute.admin
- roles/compute.networkAdmin
- roles/iam.serviceAccountUser
+ - roles/iam.serviceAccountAdmin
- roles/compute.instanceAdmin
+ - roles/resourcemanager.projectIamAdmin
services:
- cloudresourcemanager.googleapis.com
- storage-api.googleapis.com
diff --git a/modules/mig_with_percent/metadata.yaml b/modules/mig_with_percent/metadata.yaml
index 83172d39..972a344c 100644
--- a/modules/mig_with_percent/metadata.yaml
+++ b/modules/mig_with_percent/metadata.yaml
@@ -54,6 +54,8 @@ spec:
location: examples/umig/full
- name: healthcheck
location: examples/mig/healthcheck
+ - name: it_simple_with_sa_creation
+ location: examples/it_simple_with_sa_creation
- name: mig_stateful
location: examples/mig_stateful
- name: multiple_interfaces
@@ -304,7 +306,9 @@ spec:
- roles/compute.admin
- roles/compute.networkAdmin
- roles/iam.serviceAccountUser
+ - roles/iam.serviceAccountAdmin
- roles/compute.instanceAdmin
+ - roles/resourcemanager.projectIamAdmin
services:
- cloudresourcemanager.googleapis.com
- storage-api.googleapis.com
diff --git a/modules/preemptible_and_regular_instance_templates/metadata.yaml b/modules/preemptible_and_regular_instance_templates/metadata.yaml
index 25eada7f..bcf6b03b 100644
--- a/modules/preemptible_and_regular_instance_templates/metadata.yaml
+++ b/modules/preemptible_and_regular_instance_templates/metadata.yaml
@@ -54,6 +54,8 @@ spec:
location: examples/umig/full
- name: healthcheck
location: examples/mig/healthcheck
+ - name: it_simple_with_sa_creation
+ location: examples/it_simple_with_sa_creation
- name: mig_stateful
location: examples/mig_stateful
- name: multiple_interfaces
@@ -204,7 +206,9 @@ spec:
- roles/compute.admin
- roles/compute.networkAdmin
- roles/iam.serviceAccountUser
+ - roles/iam.serviceAccountAdmin
- roles/compute.instanceAdmin
+ - roles/resourcemanager.projectIamAdmin
services:
- cloudresourcemanager.googleapis.com
- storage-api.googleapis.com
diff --git a/modules/umig/metadata.yaml b/modules/umig/metadata.yaml
index 8ca9bf10..faf4faf5 100644
--- a/modules/umig/metadata.yaml
+++ b/modules/umig/metadata.yaml
@@ -54,6 +54,8 @@ spec:
location: examples/umig/full
- name: healthcheck
location: examples/mig/healthcheck
+ - name: it_simple_with_sa_creation
+ location: examples/it_simple_with_sa_creation
- name: mig_stateful
location: examples/mig_stateful
- name: multiple_interfaces
@@ -181,7 +183,9 @@ spec:
- roles/compute.admin
- roles/compute.networkAdmin
- roles/iam.serviceAccountUser
+ - roles/iam.serviceAccountAdmin
- roles/compute.instanceAdmin
+ - roles/resourcemanager.projectIamAdmin
services:
- cloudresourcemanager.googleapis.com
- storage-api.googleapis.com
diff --git a/test/integration/it_simple_with_sa_creation/it_simple_with_sa_creation_test.go b/test/integration/it_simple_with_sa_creation/it_simple_with_sa_creation_test.go
new file mode 100644
index 00000000..9d176efd
--- /dev/null
+++ b/test/integration/it_simple_with_sa_creation/it_simple_with_sa_creation_test.go
@@ -0,0 +1,50 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package it_simple_with_sa_creation
+
+import (
+ "fmt"
+ "testing"
+
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud"
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
+ "github.com/stretchr/testify/assert"
+)
+
+func TestInstanceTemplateSimpleSAModule(t *testing.T) {
+
+ const instanceNamePrefix = "it-simple-sa"
+ const expectedTemplates = 1
+ const expectedServiceAccounts = 1
+
+ instanceSimpleTest := tft.NewTFBlueprintTest(t)
+ instanceSimpleTest.DefineVerify(func(assert *assert.Assertions) {
+ instanceSimpleTest.DefaultVerify(assert)
+
+ projectID := instanceSimpleTest.GetStringOutput("project_id")
+ instanceTemplates := gcloud.Run(t, fmt.Sprintf("compute instance-templates list --project %s --filter name~%s", projectID, instanceNamePrefix))
+ assert.Equal(expectedTemplates, len(instanceTemplates.Array()), fmt.Sprintf("should have %d instance templates", expectedTemplates))
+
+ serviceAccounts := gcloud.Run(t, fmt.Sprintf("iam service-accounts list --project %s --filter email~%s", projectID, instanceNamePrefix))
+ assert.Equal(expectedServiceAccounts, len(serviceAccounts.Array()), fmt.Sprintf("should have %d service accounts", expectedServiceAccounts))
+
+ for _, it := range instanceTemplates.Array() {
+ instanceTemplateName := it.Get("name").String()
+ instanceTemplateServiceAccounts := gcloud.Run(t, fmt.Sprintf("compute instance-templates describe %s --project %s", instanceTemplateName, projectID), gcloud.WithCommonArgs([]string{"--format", "json(properties.serviceAccounts)"}))
+ assert.Contains(instanceTemplateServiceAccounts.String(), instanceNamePrefix, fmt.Sprintf("Instance template service account %s should contain %s", instanceTemplateServiceAccounts.String(), instanceNamePrefix))
+ }
+ })
+ instanceSimpleTest.Test()
+}
diff --git a/test/setup/iam.tf b/test/setup/iam.tf
index 02230449..64c1d6e0 100644
--- a/test/setup/iam.tf
+++ b/test/setup/iam.tf
@@ -19,7 +19,9 @@ locals {
"roles/compute.admin",
"roles/compute.networkAdmin",
"roles/iam.serviceAccountUser",
+ "roles/iam.serviceAccountAdmin",
"roles/compute.instanceAdmin",
+ "roles/resourcemanager.projectIamAdmin",
]
}