From fd9125a9ba2709c26dfedd83291bf54e1828f830 Mon Sep 17 00:00:00 2001 From: Pujan Shah Date: Mon, 17 Mar 2025 14:48:13 +0100 Subject: [PATCH 01/15] feat: Add support for autokey in postgres module --- examples/postgresql-ha/main.tf | 1 + modules/postgresql/README.md | 1 + modules/postgresql/main.tf | 13 ++++++++++++- modules/postgresql/variables.tf | 6 ++++++ test/setup/iam.tf | 1 + test/setup/main.tf | 17 +++++++++++++++++ 6 files changed, 38 insertions(+), 1 deletion(-) diff --git a/examples/postgresql-ha/main.tf b/examples/postgresql-ha/main.tf index 3fbcc667..ab39b07e 100644 --- a/examples/postgresql-ha/main.tf +++ b/examples/postgresql-ha/main.tf @@ -48,6 +48,7 @@ module "pg" { maintenance_window_hour = 12 maintenance_window_update_track = "stable" + use_autokey = true deletion_protection = false database_flags = [{ name = "autovacuum", value = "off" }] diff --git a/modules/postgresql/README.md b/modules/postgresql/README.md index 600d709d..b761c0d3 100644 --- a/modules/postgresql/README.md +++ b/modules/postgresql/README.md 
@@ -170,6 +170,7 @@ module "pg" {
 | secondary\_zone | The preferred zone for the replica instance, it should be something like: `us-central1-a`, `us-east1-c`. | `string` | `null` | no |
 | tier | The tier for the Cloud SQL instance. | `string` | `"db-f1-micro"` | no |
 | update\_timeout | The optional timout that is applied to limit long database updates. | `string` | `"30m"` | no |
+| use\_autokey | Enable the use of autokeys from Google Cloud KMS for CMEK. This requires autokey already configured in the project. | `bool` | `false` | no |
 | user\_deletion\_policy | The deletion policy for the user. Setting ABANDON allows the resource to be abandoned rather than deleted. This is useful for Postgres, where users cannot be deleted from the API if they have been granted SQL roles. Possible values are: "ABANDON". | `string` | `null` | no |
 | user\_labels | The key/value labels for the Cloud SQL instances. | `map(string)` | `{}` | no |
 | user\_name | The name of the default user | `string` | `"default"` | no |
diff --git a/modules/postgresql/main.tf b/modules/postgresql/main.tf
index 4adf4e4d..f4943ac3 100644
--- a/modules/postgresql/main.tf
+++ b/modules/postgresql/main.tf
@@ -45,6 +45,8 @@ locals {
 connector_enforcement = var.connector_enforcement ? "REQUIRED" : "NOT_REQUIRED"
 database_name = var.enable_default_db ? var.db_name : (length(var.additional_databases) > 0 ? var.additional_databases[0].name : "")
+
+ encryption_key = (var.encryption_key_name != null && var.use_autokey) ? google_kms_key_handle.default[0].kms_key : null
 }
 resource "random_id" "suffix" {
@@ -60,7 +62,7 @@ resource "google_sql_database_instance" "default" {
 database_version = can(regex("\\d", substr(var.database_version, 0, 1))) ? format("POSTGRES_%s", var.database_version) : replace(var.database_version, substr(var.database_version, 0, 8), "POSTGRES")
 maintenance_version = var.maintenance_version
 region = var.region
- encryption_key_name = var.encryption_key_name
+ encryption_key_name = local.encryption_key
 deletion_protection = var.deletion_protection
 root_password = var.root_password
@@ -211,6 +213,15 @@ resource "google_sql_database_instance" "default" {
 depends_on = [null_resource.module_depends_on]
 }
+resource "google_kms_key_handle" "default" {
+ count = var.use_autokey ? 1 : 0
+ provider = google-beta
+ project = var.project_id
+ name = local.instance_name
+ location = coalesce(var.region, provider::google::region_from_zone(var.zone))
+ resource_type_selector = "sqladmin.googleapis.com/Instance"
+}
+
 resource "google_sql_database" "default" {
 count = var.enable_default_db ? 1 : 0
 name = var.db_name
diff --git a/modules/postgresql/variables.tf b/modules/postgresql/variables.tf
index 05e44f1d..c3eb59bd 100644
--- a/modules/postgresql/variables.tf
+++ b/modules/postgresql/variables.tf
@@ -456,3 +456,9 @@ variable "database_integration_roles" {
 type = list(string)
 default = []
 }
+
+variable "use_autokey" {
+ description = "Enable the use of autokeys from Google Cloud KMS for CMEK. This requires autokey already configured in the project."
+ type = bool
+ default = false
+}
diff --git a/test/setup/iam.tf b/test/setup/iam.tf
index 745def5f..b5eb48c2 100644
--- a/test/setup/iam.tf
+++ b/test/setup/iam.tf
@@ -17,6 +17,7 @@ locals {
 int_required_roles = [
 "roles/cloudkms.admin",
+ "roles/cloudkms.autokeyAdmin",
 "roles/cloudkms.cryptoKeyEncrypterDecrypter",
 "roles/cloudscheduler.admin",
 "roles/cloudsql.admin",
diff --git a/test/setup/main.tf b/test/setup/main.tf
index cf85e563..50045b1e 100644
--- a/test/setup/main.tf
+++ b/test/setup/main.tf
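Review bot: The `use_autokey` description in the variables.tf hunk (and the README row in this patch) says Autokey must be configured "in the project", but Autokey configuration is attached to a folder — the `google_kms_autokey_config` resource added later in this series takes a `folder` argument — so an operator reading only the variable will look in the wrong place. Suggest `description = "Use a Cloud KMS Autokey-generated key as the instance CMEK. Requires an Autokey config on the folder that contains var.project_id; ignored when encryption_key_name is set."`. The "ignored when" clause reflects the precedence introduced in patch 02/15, so drop it if that expression changes.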
@@ -54,3 +54,20 @@ resource "google_project_service_identity" "workflos_sa" { project = module.project.project_id service = "workflows.googleapis.com" } + +# Using same project for autokey, not ideal but should be fine for testing +module "autokey" { + source = "GoogleCloudPlatform/autokey/google" + version = "1.1.1" + billing_account = var.billing_account + organization_id = var.org_id + create_new_folder = false + folder_id = var.folder_id + create_new_autokey_key_project = false + autokey_key_project_name = module.project.project_name + autokey_key_project_id = module.project.project_id + parent_folder_id = "" + autokey_folder_users = [google_service_account.int_test.member] + autokey_project_kms_admins = [google_service_account.int_test.member] + autokey_folder_admins = [] +} From 966ad2594f4b28b63276c9b581b62baaa06a78b4 Mon Sep 17 00:00:00 2001 From: Pujan Shah Date: Mon, 17 Mar 2025 17:06:41 +0100 Subject: [PATCH 02/15] fix: variable precedence for encryption key --- modules/postgresql/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/postgresql/main.tf b/modules/postgresql/main.tf index f4943ac3..c0f12312 100644 --- a/modules/postgresql/main.tf +++ b/modules/postgresql/main.tf @@ -46,7 +46,7 @@ locals { database_name = var.enable_default_db ? var.db_name : (length(var.additional_databases) > 0 ? var.additional_databases[0].name : "") - encryption_key = (var.encryption_key_name != null && var.use_autokey) ? google_kms_key_handle.default[0].kms_key : null + encryption_key = var.encryption_key_name != null ? var.encryption_key_name : var.use_autokey ? google_kms_key_handle.default[0].kms_key : null } resource "random_id" "suffix" { From f223b277ead02aa347dc0a70da1406bb692f649f Mon Sep 17 00:00:00 2001 From: Pujan Shah Date: Mon, 17 Mar 2025 17:37:24 +0100 Subject: [PATCH 03/15] fix: update zone calculation --- modules/postgresql/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
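Review bot: With the new precedence, `google_kms_key_handle.default` is still created whenever `use_autokey` is true (its `count` in patch 01/15 checks only that flag), so a caller that sets both `encryption_key_name` and `use_autokey` gets an Autokey-provisioned KMS key that nothing references. Tying the handle to the same condition as the local keeps the two in step: `count = var.use_autokey && var.encryption_key_name == null ? 1 : 0`, which the `[0]` index in this line already tolerates because the explicit key is tested first. The unparenthesised nested ternary would also read more safely as `var.encryption_key_name != null ? var.encryption_key_name : (var.use_autokey ? google_kms_key_handle.default[0].kms_key : null)`.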
diff --git a/modules/postgresql/main.tf b/modules/postgresql/main.tf index c0f12312..a70e5526 100644 --- a/modules/postgresql/main.tf +++ b/modules/postgresql/main.tf @@ -218,7 +218,7 @@ resource "google_kms_key_handle" "default" { provider = google-beta project = var.project_id name = local.instance_name - location = coalesce(var.region, provider::google::region_from_zone(var.zone)) + location = coalesce(var.region, join("-", slice(split("-", var.zone), 0, 2))) resource_type_selector = "sqladmin.googleapis.com/Instance" } From 89ab10c01b951eb80a53a5f90cbe0a9dca17aeb2 Mon Sep 17 00:00:00 2001 From: Pujan Shah Date: Tue, 18 Mar 2025 10:22:08 +0100 Subject: [PATCH 04/15] feat: update folder configuration --- test/setup/main.tf | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/test/setup/main.tf b/test/setup/main.tf index 50045b1e..7cc5d299 100644 --- a/test/setup/main.tf +++ b/test/setup/main.tf @@ -21,7 +21,7 @@ module "project" { name = "ci-sql-db" random_project_id = "true" org_id = var.org_id - folder_id = var.folder_id + folder_id = google_folder.autokey_folder.folder_id billing_account = var.billing_account deletion_policy = "DELETE" @@ -55,6 +55,13 @@ resource "google_project_service_identity" "workflos_sa" { service = "workflows.googleapis.com" } +resource "google_folder" "autokey_folder" { + provider = google-beta + display_name = "ci-sql-db-folder" + parent = "folders/${var.folder_id}" + deletion_protection = false +} + # Using same project for autokey, not ideal but should be fine for testing module "autokey" { source = "GoogleCloudPlatform/autokey/google" 
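Review bot: `coalesce` evaluates every argument before choosing one, so the new `join("-", slice(split("-", var.zone), 0, 2))` runs even when `var.region` is set and fails at plan time if `zone` is null (`split` rejects a null string); the variable declaration is outside this patch, so whether `zone` may be null is inferred. A conditional only touches `zone` when it is needed: `location = var.region != null ? var.region : join("-", slice(split("-", var.zone), 0, 2))`. The string surgery also assumes `<region>-<suffix>` zone names and deserves a one-line comment, e.g. `# derive the region from the zone (us-central1-a -> us-central1) when region is not set`. The `google_kms_key_handle` block starts before this hunk.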
@@ -62,12 +69,12 @@ module "autokey" { billing_account = var.billing_account organization_id = var.org_id create_new_folder = false - folder_id = var.folder_id - create_new_autokey_key_project = false - autokey_key_project_name = module.project.project_name - autokey_key_project_id = module.project.project_id + folder_id = google_folder.autokey_folder.folder_id + create_new_autokey_key_project = true + autokey_key_project_name = "ci-sql-db-autokey" + autokey_key_project_id = "" parent_folder_id = "" autokey_folder_users = [google_service_account.int_test.member] autokey_project_kms_admins = [google_service_account.int_test.member] - autokey_folder_admins = [] + autokey_folder_admins = [google_service_account.int_test.member] } From f6e1ef94be5938dac0016d9277bf797e43574a1d Mon Sep 17 00:00:00 2001 From: Pujan Shah Date: Tue, 18 Mar 2025 10:23:16 +0100 Subject: [PATCH 05/15] fix: linting issue --- test/setup/main.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/setup/main.tf b/test/setup/main.tf index 7cc5d299..2a4f5f74 100644 --- a/test/setup/main.tf +++ b/test/setup/main.tf @@ -56,9 +56,9 @@ resource "google_project_service_identity" "workflos_sa" { } resource "google_folder" "autokey_folder" { - provider = google-beta - display_name = "ci-sql-db-folder" - parent = "folders/${var.folder_id}" + provider = google-beta + display_name = "ci-sql-db-folder" + parent = "folders/${var.folder_id}" deletion_protection = false } From 647670d6b1f1f4972c1125fe4cb7676be8bb80fa Mon Sep 17 00:00:00 2001 From: Pujan Shah Date: Tue, 18 Mar 2025 12:51:02 +0100 Subject: [PATCH 06/15] feat: update project module version to 18.0 --- test/setup/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/setup/main.tf b/test/setup/main.tf index 2a4f5f74..f081ecd1 100644 --- a/test/setup/main.tf +++ b/test/setup/main.tf 
@@ -16,7 +16,7 @@ module "project" { source = "terraform-google-modules/project-factory/google" - version = "~> 17.0" + version = "~> 18.0" name = "ci-sql-db" random_project_id = "true" From b4b38d144aec6a8d1567c377a66ad8c285c0e801 Mon Sep 17 00:00:00 2001 From: Pujan Shah Date: Tue, 18 Mar 2025 13:05:52 +0100 Subject: [PATCH 07/15] feat: refactor autokey setup to use individual resources --- test/setup/main.tf | 74 ++++++++++++++++++++++++++++++++++++---------- 1 file changed, 59 insertions(+), 15 deletions(-) diff --git a/test/setup/main.tf b/test/setup/main.tf index f081ecd1..af42a681 100644 --- a/test/setup/main.tf +++ b/test/setup/main.tf 
@@ -62,19 +62,63 @@ resource "google_folder" "autokey_folder" { deletion_protection = false } -# Using same project for autokey, not ideal but should be fine for testing -module "autokey" { - source = "GoogleCloudPlatform/autokey/google" - version = "1.1.1" - billing_account = var.billing_account - organization_id = var.org_id - create_new_folder = false - folder_id = google_folder.autokey_folder.folder_id - create_new_autokey_key_project = true - autokey_key_project_name = "ci-sql-db-autokey" - autokey_key_project_id = "" - parent_folder_id = "" - autokey_folder_users = [google_service_account.int_test.member] - autokey_project_kms_admins = [google_service_account.int_test.member] - autokey_folder_admins = [google_service_account.int_test.member] +resource "google_project" "key_project" { + provider = google-beta + project_id = "ci-sql-db-autokey" + name = "ci-sql-db-autokey" + folder_id = google_folder.autokey_folder.folder_id + billing_account = var.billing_account + depends_on = [google_folder.autokey_folder] + deletion_policy = "DELETE" +} + +resource "google_project_service" "kms_api_service" { + provider = google-beta + service = "cloudkms.googleapis.com" + project = google_project.key_project.project_id + disable_on_destroy = false + disable_dependent_services = true + depends_on = [google_project.key_project] +} + +resource "time_sleep" "wait_enable_service_api" { + depends_on = [google_project_service.kms_api_service] + create_duration = "30s" +} + +resource "google_project_service_identity" "kms_service_agent" { + provider = google-beta + service = "cloudkms.googleapis.com" + project = google_project.key_project.number + depends_on = [time_sleep.wait_enable_service_api] +} + +resource "time_sleep" "wait_service_agent" { + depends_on = [google_project_service_identity.kms_service_agent] + create_duration = "10s" +} + +resource "google_project_iam_member" "autokey_project_admin" { + provider = google-beta + project = google_project.key_project.project_id + 
role = "roles/cloudkms.admin" + member = "serviceAccount:service-${google_project.key_project.number}@gcp-sa-cloudkms.iam.gserviceaccount.com" + depends_on = [time_sleep.wait_service_agent] +} + +resource "time_sleep" "wait_srv_acc_permissions" { + create_duration = "10s" + depends_on = [google_project_iam_member.autokey_project_admin] +} + +resource "google_kms_autokey_config" "autokey_config" { + provider = google-beta + folder = google_folder.autokey_folder.folder_id + key_project = "projects/${google_project.key_project.project_id}" + depends_on = [time_sleep.wait_srv_acc_permissions] +} + +resource "time_sleep" "wait_autokey_config" { + create_duration = "10s" + depends_on = [google_kms_autokey_config.autokey_config] } From e48e57e7980d1057c595883328aca55bb58c9aea Mon Sep 17 00:00:00 2001 From: Pujan Shah Date: Wed, 19 Mar 2025 14:19:13 +0100 Subject: [PATCH 08/15] feat: migrate to module-based project setup for autokey --- test/setup/main.tf | 39 ++++++++++++++++++--------------------- 1 file changed, 18 insertions(+), 21 deletions(-) diff --git a/test/setup/main.tf b/test/setup/main.tf index af42a681..0c5dd3db 100644 --- a/test/setup/main.tf +++ b/test/setup/main.tf 
@@ -62,34 +62,31 @@ resource "google_folder" "autokey_folder" {
 deletion_protection = false
 }
-resource "google_project" "key_project" {
- provider = google-beta
- project_id = "ci-sql-db-autokey"
- name = "ci-sql-db-autokey"
- folder_id = google_folder.autokey_folder.folder_id
- billing_account = var.billing_account
- depends_on = [google_folder.autokey_folder]
- deletion_policy = "DELETE"
-}
+module "autokey-project" {
+ source = "terraform-google-modules/project-factory/google"
+ version = "~> 18.0"
+
+ name = "ci-sql-db-autokey"
+ random_project_id = "true"
+ org_id = var.org_id
+ folder_id = google_folder.autokey_folder.folder_id
+ billing_account = var.billing_account
+ deletion_policy = "DELETE"
-resource "google_project_service" "kms_api_service" {
- provider = google-beta
- service = "cloudkms.googleapis.com"
- project = google_project.key_project.project_id
- disable_on_destroy = false
- disable_dependent_services = true
- depends_on = [google_project.key_project]
+ activate_apis = [
+ "cloudkms.googleapis.com",
+ ]
 }
 resource "time_sleep" "wait_enable_service_api" {
- depends_on = [google_project_service.kms_api_service]
+ depends_on = [module.autokey-project]
 create_duration = "30s"
 }
 resource "google_project_service_identity" "kms_service_agent" {
 provider = google-beta
 service = "cloudkms.googleapis.com"
- project = google_project.key_project.number
+ project = module.autokey-project.project_id
 depends_on = [time_sleep.wait_enable_service_api]
 }
@@ -100,9 +97,9 @@ resource "time_sleep" "wait_service_agent" { resource "google_project_iam_member" "autokey_project_admin" { provider = google-beta - project = google_project.key_project.project_id + project = module.autokey-project.project_id role = "roles/cloudkms.admin" - member = "serviceAccount:service-${google_project.key_project.number}@gcp-sa-cloudkms.iam.gserviceaccount.com" + member = "serviceAccount:service-${module.autokey-project.project_number}@gcp-sa-cloudkms.iam.gserviceaccount.com" depends_on = [time_sleep.wait_service_agent] } @@ -114,7 +111,7 @@ resource "time_sleep" "wait_srv_acc_permissions" { resource "google_kms_autokey_config" "autokey_config" { provider = google-beta folder = google_folder.autokey_folder.folder_id - key_project = "projects/${google_project.key_project.project_id}" + key_project = "projects/${module.autokey-project.project_id}" depends_on = [time_sleep.wait_srv_acc_permissions] } From f1b4df110c5b8cb5404261fc619a94da940c5306 Mon Sep 17 00:00:00 2001 From: Pujan Shah Date: Wed, 19 Mar 2025 17:36:44 +0100 Subject: [PATCH 09/15] feat: move autokey configuration to example --- examples/postgresql-ha/main.tf | 12 ++++++++++++ examples/postgresql-ha/variables.tf | 10 ++++++++++ test/fixtures/postgresql-ha/main.tf | 5 ++--- test/fixtures/postgresql-ha/variables.tf | 10 ++++++++++ test/setup/main.tf | 12 ------------ test/setup/outputs.tf | 8 ++++++++ 6 files changed, 42 insertions(+), 15 deletions(-) diff --git a/examples/postgresql-ha/main.tf b/examples/postgresql-ha/main.tf index ab39b07e..f90fd726 100644 --- a/examples/postgresql-ha/main.tf +++ b/examples/postgresql-ha/main.tf 
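Review bot: The `member` line in the first hunk still hand-builds the KMS service agent identity from `project_number` and relies on a 10s `time_sleep` to assume the agent exists, although `google_project_service_identity.kms_service_agent` is declared in the same file and exports the agent's address. Using `member = "serviceAccount:${google_project_service_identity.kms_service_agent.email}"` turns the ordering into an explicit dependency instead of a timing guess and lets `time_sleep.wait_service_agent` be dropped. The remaining sleeps (`wait_enable_service_api`, `wait_srv_acc_permissions`, `wait_autokey_config`) deserve a comment stating which propagation gap each covers, since nothing on the page records why the durations were chosen.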
@@ -128,4 +128,16 @@ module "pg" {
 random_password = false
 },
 ]
+ depends_on = [time_sleep.wait_autokey_config]
+}
+
+resource "google_kms_autokey_config" "autokey_config" {
+ provider = google-beta
+ folder = var.folder_id
+ key_project = "projects/${var.key_project_id}"
+}
+
+resource "time_sleep" "wait_autokey_config" {
+ create_duration = "10s"
+ depends_on = [google_kms_autokey_config.autokey_config]
 }
diff --git a/examples/postgresql-ha/variables.tf b/examples/postgresql-ha/variables.tf
index 311f951b..9c8ac7b3 100644
--- a/examples/postgresql-ha/variables.tf
+++ b/examples/postgresql-ha/variables.tf
@@ -30,3 +30,13 @@ variable "pg_ha_external_ip_range" {
 description = "The ip range to allow connecting from/to Cloud SQL"
 default = "192.10.10.10/32"
 }
+
+variable "key_project_id" {
+ type = string
+ description = "The project where autokey is setup"
+}
+
+variable "folder_id" {
+ type = string
+ description = "The folder where project is created"
+}
diff --git a/test/fixtures/postgresql-ha/main.tf b/test/fixtures/postgresql-ha/main.tf
index 7eac8778..9f8e55c4 100644
--- a/test/fixtures/postgresql-ha/main.tf
+++ b/test/fixtures/postgresql-ha/main.tf
@@ -32,7 +32,6 @@ module "example" {
 project_id = var.project_id
 pg_ha_name = var.pg_ha_name
 pg_ha_external_ip_range = var.pg_ha_external_ip_range
+ key_project_id = var.key_project_id
+ folder_id = var.folder_id
 }
-
-
-
diff --git a/test/fixtures/postgresql-ha/variables.tf b/test/fixtures/postgresql-ha/variables.tf
index 3ad614b3..8fa1bd92 100644
--- a/test/fixtures/postgresql-ha/variables.tf
+++ b/test/fixtures/postgresql-ha/variables.tf
@@ -30,3 +30,13 @@ variable "pg_ha_external_ip_range" {
 description = "The ip range to allow connecting from/to Cloud SQL"
 default = "192.10.10.10/32"
 }
+
+variable "key_project_id" {
+ type = string
+ description = "The project where autokey is setup"
+}
+
+variable "folder_id" {
+ type = string
+ description = "The folder where project is created"
+}
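Review bot: The example's new `google_kms_autokey_config` claims the Autokey configuration of `var.folder_id` for itself, and a folder carries a single such config, so running the example against a folder that already has Autokey enabled (or two copies of the example in one folder) will presumably fail or contend for that config — nothing in the variable descriptions added in this patch warns about it. Suggest `description = "Folder on which this example enables Autokey; it must not already have an Autokey config"` for `folder_id`, and `description = "Project that holds the Autokey-generated KMS keys for the folder (Cloud KMS API enabled, KMS service agent granted roles/cloudkms.admin)"` for `key_project_id`, mirroring what test/setup provisions earlier in this series. The `module "pg"` block that receives the new `depends_on` starts before this hunk.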
diff --git a/test/setup/main.tf b/test/setup/main.tf index 0c5dd3db..20f64c75 100644 --- a/test/setup/main.tf +++ b/test/setup/main.tf @@ -107,15 +107,3 @@ resource "time_sleep" "wait_srv_acc_permissions" { create_duration = "10s" depends_on = [google_project_iam_member.autokey_project_admin] } - -resource "google_kms_autokey_config" "autokey_config" { - provider = google-beta - folder = google_folder.autokey_folder.folder_id - key_project = "projects/${module.autokey-project.project_id}" - depends_on = [time_sleep.wait_srv_acc_permissions] -} - -resource "time_sleep" "wait_autokey_config" { - create_duration = "10s" - depends_on = [google_kms_autokey_config.autokey_config] -} diff --git a/test/setup/outputs.tf b/test/setup/outputs.tf index 00f94d05..fa457d24 100644 --- a/test/setup/outputs.tf +++ b/test/setup/outputs.tf @@ -32,3 +32,11 @@ output "cloudsql_mysql_sa" { value = google_service_account.cloudsql_mysql_sa.email description = "IAM service account user created for Cloud SQL for MySql." } + +output "key_project_id" { + value = module.autokey-project.project_id +} + +output "folder_id" { + value = google_folder.autokey_folder.folder_id +} From 812e42a6222111005fa23152b558346c025a17df Mon Sep 17 00:00:00 2001 From: Pujan Shah Date: Wed, 19 Mar 2025 21:21:45 +0100 Subject: [PATCH 10/15] feat: remove unused variables from fixture --- test/fixtures/postgresql-ha/main.tf | 2 -- test/fixtures/postgresql-ha/variables.tf | 10 ---------- 2 files changed, 12 deletions(-) diff --git a/test/fixtures/postgresql-ha/main.tf b/test/fixtures/postgresql-ha/main.tf index 9f8e55c4..db001361 100644 --- a/test/fixtures/postgresql-ha/main.tf +++ b/test/fixtures/postgresql-ha/main.tf @@ -32,6 +32,4 @@ module "example" { project_id = var.project_id pg_ha_name = var.pg_ha_name pg_ha_external_ip_range = var.pg_ha_external_ip_range - key_project_id = var.key_project_id - folder_id = var.folder_id } 
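Review bot: The two new outputs in the outputs.tf hunk omit `description`, while the sibling `cloudsql_mysql_sa` output shown as context carries one; the fixture consumes these values, so a reader of the setup module has nothing to tell them what `key_project_id` is for. Suggest `description = "Project that holds Autokey-generated KMS keys for the test folder"` and `description = "Folder created for the tests, on which the example configures Autokey"`.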
diff --git a/test/fixtures/postgresql-ha/variables.tf b/test/fixtures/postgresql-ha/variables.tf index 8fa1bd92..3ad614b3 100644 --- a/test/fixtures/postgresql-ha/variables.tf +++ b/test/fixtures/postgresql-ha/variables.tf @@ -30,13 +30,3 @@ variable "pg_ha_external_ip_range" { description = "The ip range to allow connecting from/to Cloud SQL" default = "192.10.10.10/32" } - -variable "key_project_id" { - type = string - description = "The project where autokey is setup" -} - -variable "folder_id" { - type = string - description = "The folder where project is created" -} From 21d33f3cdff9932d30f2269ecdc37f641643ad50 Mon Sep 17 00:00:00 2001 From: Pujan Shah Date: Thu, 20 Mar 2025 13:36:17 +0100 Subject: [PATCH 11/15] fix: linting issue --- examples/postgresql-ha/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/postgresql-ha/main.tf b/examples/postgresql-ha/main.tf index f90fd726..8417f58b 100644 --- a/examples/postgresql-ha/main.tf +++ b/examples/postgresql-ha/main.tf @@ -128,7 +128,7 @@ module "pg" { random_password = false }, ] - depends_on = [time_sleep.wait_autokey_config] + depends_on = [time_sleep.wait_autokey_config] } resource "google_kms_autokey_config" "autokey_config" { From 4c0707ea002cad747783b517014ecef7321b41c3 Mon Sep 17 00:00:00 2001 From: Pujan Shah Date: Thu, 20 Mar 2025 13:39:47 +0100 Subject: [PATCH 12/15] fix: update documentation --- examples/postgresql-ha/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/examples/postgresql-ha/README.md b/examples/postgresql-ha/README.md index 1e440507..0ee2835b 100644 --- a/examples/postgresql-ha/README.md +++ b/examples/postgresql-ha/README.md 
@@ -23,6 +23,8 @@ terraform destroy | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| folder\_id | The folder where project is created | `string` | n/a | yes | +| key\_project\_id | The project where autokey is setup | `string` | n/a | yes | | pg\_ha\_external\_ip\_range | The ip range to allow connecting from/to Cloud SQL | `string` | `"192.10.10.10/32"` | no | | pg\_ha\_name | The name for Cloud SQL instance | `string` | `"tf-pg-ha"` | no | | project\_id | The project to run tests against | `string` | n/a | yes | From 0b23d31fd7e4d73904375573f232457af4994a4b Mon Sep 17 00:00:00 2001 From: Pujan Shah Date: Fri, 21 Mar 2025 09:25:15 +0100 Subject: [PATCH 13/15] Revert "feat: remove unused variables from fixture" This reverts commit 812e42a6222111005fa23152b558346c025a17df. --- test/fixtures/postgresql-ha/main.tf | 2 ++ test/fixtures/postgresql-ha/variables.tf | 10 ++++++++++ 2 files changed, 12 insertions(+) diff --git a/test/fixtures/postgresql-ha/main.tf b/test/fixtures/postgresql-ha/main.tf index db001361..9f8e55c4 100644 --- a/test/fixtures/postgresql-ha/main.tf +++ b/test/fixtures/postgresql-ha/main.tf @@ -32,4 +32,6 @@ module "example" { project_id = var.project_id pg_ha_name = var.pg_ha_name pg_ha_external_ip_range = var.pg_ha_external_ip_range + key_project_id = var.key_project_id + folder_id = var.folder_id } diff --git a/test/fixtures/postgresql-ha/variables.tf b/test/fixtures/postgresql-ha/variables.tf index 3ad614b3..8fa1bd92 100644 --- a/test/fixtures/postgresql-ha/variables.tf +++ b/test/fixtures/postgresql-ha/variables.tf @@ -30,3 +30,13 @@ variable "pg_ha_external_ip_range" { description = "The ip range to allow connecting from/to Cloud SQL" default = "192.10.10.10/32" } + +variable "key_project_id" { + type = string + description = "The project where autokey is setup" +} + +variable "folder_id" { + type = string + description = "The folder where project is created" +} 
From 9c7c0c12209625086641f453cae44736d4b8d845 Mon Sep 17 00:00:00 2001 From: Pujan Shah Date: Mon, 24 Mar 2025 17:19:10 +0100 Subject: [PATCH 14/15] chore: add iam roles for folder and project both --- examples/postgresql-ha/outputs.tf | 2 ++ test/setup/iam.tf | 9 +++++++++ 2 files changed, 11 insertions(+) diff --git a/examples/postgresql-ha/outputs.tf b/examples/postgresql-ha/outputs.tf index d8cf998d..3bfff467 100644 --- a/examples/postgresql-ha/outputs.tf +++ b/examples/postgresql-ha/outputs.tf @@ -29,8 +29,10 @@ output "authorized_network" { output "replicas" { value = module.pg.replicas + sensitive = true } output "instances" { value = module.pg.instances + sensitive = true } diff --git a/test/setup/iam.tf b/test/setup/iam.tf index b5eb48c2..cf160571 100644 --- a/test/setup/iam.tf +++ b/test/setup/iam.tf @@ -46,6 +46,15 @@ resource "google_project_iam_member" "int_test" { member = "serviceAccount:${google_service_account.int_test.email}" } +resource "google_folder_iam_member" "int_test" { + count = length(local.int_required_roles) + + folder = google_folder.autokey_folder.folder_id + role = local.int_required_roles[count.index] + member = "serviceAccount:${google_service_account.int_test.email}" +} + + resource "google_service_account_key" "int_test" { service_account_id = google_service_account.int_test.id } From 803af30d8d7e81934c7706702193a22e65bb70f8 Mon Sep 17 00:00:00 2001 From: Pujan Shah Date: Mon, 24 Mar 2025 22:45:02 +0100 Subject: [PATCH 15/15] fix: linting --- examples/postgresql-ha/outputs.tf | 4 ++-- test/setup/iam.tf | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/examples/postgresql-ha/outputs.tf b/examples/postgresql-ha/outputs.tf index 3bfff467..9459bbff 100644 --- a/examples/postgresql-ha/outputs.tf +++ b/examples/postgresql-ha/outputs.tf 
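Review bot: `sensitive = true` is added to `replicas` and `instances` in the outputs.tf hunk with no explanation, so a reader cannot tell whether these values are secrets or merely contain an attribute the provider marks sensitive. Presumably the latter (module.pg's instance objects), in which case a comment such as `# instance objects carry provider-marked sensitive attributes; the output must be flagged or terraform refuses to export it` records the reason and stops a later cleanup from removing the flag — confirm against the module's output definitions, which are outside this patch.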
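Review bot: `google_folder_iam_member.int_test` in the iam.tf hunk grants the test service account the entire `local.int_required_roles` list on `google_folder.autokey_folder`, which by inheritance applies to every project created under that folder, including the Autokey key project — the same list that patch 01/15 shows containing `roles/cloudkms.admin` and `roles/cloudsql.admin` among others. Only the roles that genuinely need folder scope (on this page, plausibly `roles/cloudkms.autokeyAdmin`) should be bound at the folder; a separate `int_folder_roles` local keeps the test identity at least privilege while the project-level binding stays unchanged. The doubled blank line left before `google_service_account_key` is also a lint nit.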
@@ -28,11 +28,11 @@ output "authorized_network" {
 }
 output "replicas" {
- value = module.pg.replicas
+ value = module.pg.replicas
 sensitive = true
 }
 output "instances" {
- value = module.pg.instances
+ value = module.pg.instances
 sensitive = true
 }
diff --git a/test/setup/iam.tf b/test/setup/iam.tf
index cf160571..951be51b 100644
--- a/test/setup/iam.tf
+++ b/test/setup/iam.tf
@@ -50,8 +50,8 @@ resource "google_folder_iam_member" "int_test" {
 count = length(local.int_required_roles)
 folder = google_folder.autokey_folder.folder_id
- role = local.int_required_roles[count.index]
- member = "serviceAccount:${google_service_account.int_test.email}"
+ role = local.int_required_roles[count.index]
+ member = "serviceAccount:${google_service_account.int_test.email}"
 }