Comply with the Google Cloud impersonate library

[fgateuil]

Update code to comply with the must-use Google Coud impersonate library.

[fgateuil]

I couldn't find any integration tests to test this new way of using Google impersonation. Could you help me please? Is there any Google Cloud project that I could use? Note that with the one I'm using, it's working fine but it's relatively subjective.
Thanks for the help.

[denis256]

Hi,
I think it will be helpful to create a test for this, maybe create service accounts and try to impersonate, GCP project is defined during tests execution through env variable GOOGLE_CLOUD_PROJECT

[dennislapchenko]

@denis256 @yorinasub17 @fgateuil GCS double impersonation is still big sore thumb :( can I assist you in writing tests to make this pass? Just couple pointers and I'll be happy to speed up this PR.

[denis256]

Hello,
CI job passed so there is regression after changes, local test with impersonate_service_account also worked, I will look if will be possible to enable impersonation for the service account used in integration tests

[fgateuil]

Hi @denis256. Thanks your reply.
Let me know if you need me regarding the impersonation configuration. Even if I don't have any access to the GCP project used by the integration tests, I might help you a bit.

[denis256]

Hi,
I was thinking about basic test like: https://github.com/gruntwork-io/terragrunt/compare/denis-gs-test to track in future that impersonate_service_account will continue to work

[fgateuil]

Hi, I was thinking about basic test like: https://github.com/gruntwork-io/terragrunt/compare/denis-gs-test to track in future that impersonate_service_account will continue to work

Hmmm, @denis256 it's not that simple. To test the impersonate mechanism, some prerequisites are necessary.

Test 1:

• Prerequisites:
  • main_sa_1 owns a single basic (testable) permission/role, let's say roles/editor role for instance to be allowed to create a new GCS bucket;
  • principal_sa_1 owns the Service Account Token Creator permission over main_sa_1 (as explained here);
• Test:
  • Set impersonate_service_account value to principal_sa_1's email;
  • Create a GCS bucket ==> it must succeed.

Test 2:

• Prerequisites:
  • main_sa_2 doesn't own any permission/role so that he isn't allowed to create any GCS bucket;
  • principal_sa_2 owns the Service Account Token Creator permission over main_sa_2;
• Test:
  • Set impersonate_service_account value to principal_sa_2's email;
  • Create a GCS bucket ==> it must fail.

Thus, I need few service accounts and roles preconfigured to be able to test the impersonate mechanism and I'm not convinced it's already the case here.

[yamadayutaka]

Hi @fgateuil , @denis256.
I modified the implementation slightly based on this pull request.
I also implemented the test code.
Could you please check this pull request? #2550