test: Add TF configs for SSM

Author: Camila-B

e2e/testinfra/terraform/common/registries.tf

@@ -32,3 +32,13 @@ resource "google_artifact_registry_repository" "gar" {
   description   = "A private AR repository used for Config Sync e2e tests"
   format        = "DOCKER"
 }
+
+resource "google_secure_source_manager_instance" "ssm-instance" {
+    location = "us-central1"
+    instance_id = "ssm-instance"
+
+    # Prevent accidental deletions.
+    lifecycle {
+      prevent_destroy = "true"
+    }
+}

e2e/testinfra/terraform/common/service_accounts.tf

@@ -19,23 +19,34 @@ module "e2e-csr-reader-sa" {
   gcp_sa_id = "e2e-test-csr-reader"
   gcp_sa_display_name = "Test CSR Reader"
   gcp_sa_description = "Service account used to read from Cloud Source Repositories"
-  role = "roles/source.reader"
+  role = ["roles/source.reader"]
 }
 
 module "e2e-gar-reader-sa" {
   source = "../modules/service_account"
   gcp_sa_id = "e2e-test-ar-reader"
   gcp_sa_display_name = "Test GAR Reader"
   gcp_sa_description = "Service account used to read from Artifact Registry"
-  role = "roles/artifactregistry.reader"
+  role = ["roles/artifactregistry.reader"]
 }
 
 module "e2e-gcr-reader-sa" {
   source = "../modules/service_account"
   gcp_sa_id = "e2e-test-gcr-reader"
   gcp_sa_display_name = "Test GCR Reader"
   gcp_sa_description = "Service account used to read from Container Registry"
-  role = "roles/storage.objectViewer"
+  role = ["roles/storage.objectViewer"]
+}
+
+ module "e2e-ssm-reader-sa" {
+  source = "../modules/service_account"
+  gcp_sa_id = "e2e-ssm-reader-sa"
+  gcp_sa_display_name = "Test SSM Reader"
+  gcp_sa_description = "Service account used to read from Secure Source Manager Repositories"
+  role    = [
+    "roles/securesourcemanager.repoReader",
+    "roles/securesourcemanager.instanceAccessor",
+  ]
 }
 
 data "google_project" "project" {

e2e/testinfra/terraform/common/services.tf

@@ -24,7 +24,8 @@ resource "google_project_service" "services" {
     "container.googleapis.com",
     "compute.googleapis.com",
     "monitoring.googleapis.com",
-    "logging.googleapis.com"
+    "logging.googleapis.com",
+    "securesourcemanager.googleapis.com"
   ])
   service = each.value
   disable_on_destroy = false

e2e/testinfra/terraform/main.tf

@@ -18,7 +18,7 @@ terraform {
   required_providers {
     google = {
       source = "hashicorp/google"
-      version = "4.36.0"
+      version = "6.43.0"
     }
   }
   backend "gcs" {

e2e/testinfra/terraform/modules/service_account/service_account.tf

@@ -84,7 +84,9 @@ resource "google_service_account_iam_member" "k8s_sa_binding" {
 }
 
 resource "google_project_iam_member" "gcp_sa_role" {
-  role    = var.role
+  for_each = toset(var.role)
+
+  role    = each.value
   member  = "serviceAccount:${google_service_account.gcp_sa.email}"
   project = data.google_project.project.id
 }

e2e/testinfra/terraform/modules/service_account/variables.tf

@@ -30,6 +30,6 @@ variable "gcp_sa_description" {
 }
 
 variable "role" {
-  type = string
-  description = "The GCP project role to grant to the GCP service account"
+  type = list(string)
+  description = "The GCP project roles to grant to the GCP service account"
 }

e2e/testinfra/terraform/prow/registries.tf

@@ -31,4 +31,4 @@ resource "google_artifact_registry_repository" "ar-public" {
 //  repository = google_artifact_registry_repository.ar-public.name
 //  role = "roles/artifactregistry.reader"
 //  member = "allUsers"
-//}
+//}