fix(INT-6706): check service account key in validateInvocationConfig

src/getStepStartStateExtraTests.test.ts

@@ -1,16 +1,11 @@
-import {
-  createMockExecutionContext,
-  Recording,
-} from '@jupiterone/integration-sdk-testing';
+import { createMockExecutionContext } from '@jupiterone/integration-sdk-testing';
 import { validateStepStartStates } from '@jupiterone/integration-sdk-runtime/dist/src/execution/validation';
-import { IntegrationConfig, invocationConfig } from '.';
+import { invocationConfig } from '.';
 import { integrationConfig } from '../test/config';
 import {
   getMatchRequestsBy,
-  setupGoogleCloudRecording,
   withGoogleCloudRecording,
 } from '../test/recording';
-import getStepStartStates from './getStepStartStates';
 import {
   STEP_IAM_BINDINGS,
   STEP_CREATE_BASIC_ROLES,
@@ -24,57 +19,46 @@ import { STEP_IAM_CUSTOM_ROLES, STEP_IAM_MANAGED_ROLES } from './steps/iam';
  */
 
 describe('createStartStatesBasedOnServiceAccountProject', () => {
-  let recording: Recording;
-
-  beforeEach(() => {
-    recording = setupGoogleCloudRecording({
-      directory: __dirname,
-      name: 'getStepStartStatesExtraTests',
-    });
-  });
-
-  afterEach(async () => {
-    await recording.stop();
-  });
-
   test('When the config.projectId is different from the config.serviceAccountKeyConfig.project_id, the Service Account Project will be used in determining `google_iam_binding` and `google_iam_role` steps.', async () => {
-    const context = createMockExecutionContext<IntegrationConfig>({
-      instanceConfig: {
-        projectId: 'j1-gc-integration-dev-nested', // Project that doesn't have Cloud Asset API enabled and is in the same org as j1-gc-integration-dev-v3
-        // Temporary tweak to make this test pass since its recording has been updated from the new organization/v3
-        serviceAccountKeyFile: integrationConfig.serviceAccountKeyFile.replace(
-          'j1-gc-integration-dev-v2',
-          'j1-gc-integration-dev-v3',
-        ),
-        serviceAccountKeyConfig: {
-          ...integrationConfig.serviceAccountKeyConfig,
-          project_id: 'j1-gc-integration-dev-v3',
+    await withGoogleCloudRecording(
+      {
+        directory: __dirname,
+        name: 'getStepStartStatesExtraTests',
+        options: {
+          matchRequestsBy: getMatchRequestsBy(integrationConfig),
         },
       },
-    });
-
-    const stepStartStates = await getStepStartStates(context);
-
-    expect(stepStartStates).toMatchObject({
-      [STEP_IAM_BINDINGS]: {
-        disabled: false,
-      },
-      [STEP_CREATE_BASIC_ROLES]: {
-        disabled: false,
-      },
-      [STEP_CREATE_BINDING_ANY_RESOURCE_RELATIONSHIPS]: {
-        disabled: false,
-      },
-      [STEP_CREATE_API_SERVICE_ANY_RESOURCE_RELATIONSHIPS]: {
-        disabled: false,
-      },
-      [STEP_IAM_CUSTOM_ROLES]: {
-        disabled: false,
-      },
-      [STEP_IAM_MANAGED_ROLES]: {
-        disabled: false,
+      async () => {
+        const stepStartStates = await invocationConfig.getStepStartStates?.(
+          createMockExecutionContext({
+            instanceConfig: {
+              ...integrationConfig,
+              projectId: 'j1-gc-integration-dev-nested',
+            },
+          }),
+        );
+        expect(stepStartStates).toMatchObject({
+          [STEP_IAM_BINDINGS]: {
+            disabled: false,
+          },
+          [STEP_CREATE_BASIC_ROLES]: {
+            disabled: false,
+          },
+          [STEP_CREATE_BINDING_ANY_RESOURCE_RELATIONSHIPS]: {
+            disabled: false,
+          },
+          [STEP_CREATE_API_SERVICE_ANY_RESOURCE_RELATIONSHIPS]: {
+            disabled: false,
+          },
+          [STEP_IAM_CUSTOM_ROLES]: {
+            disabled: false,
+          },
+          [STEP_IAM_MANAGED_ROLES]: {
+            disabled: false,
+          },
+        });
       },
-    });
+    );
   });
 });
 

src/getStepStartStates.ts

@@ -166,6 +166,7 @@ import { IntegrationConfig, SerializedIntegrationConfig } from './types';
 import { deserializeIntegrationConfig } from './utils/integrationConfig';
 import { isMasterOrganizationInstance } from './utils/isMasterOrganizationInstance';
 import { isSingleProjectInstance } from './utils/isSingleProjectInstance';
+import { Client } from './google-cloud/client';
 
 function makeStepStartStates(
   stepIds: string[],
@@ -188,12 +189,35 @@ export function getOrganizationSteps() {
   ];
 }
 
-function validateInvocationConfig(config: SerializedIntegrationConfig) {
+async function executeTestRequest(config: SerializedIntegrationConfig) {
+  const deserializedIntegrationConfig = deserializeIntegrationConfig(config);
+  const googleClient = new Client({
+    config: deserializedIntegrationConfig,
+  });
+  const authenticatedGoogleClient =
+    await googleClient.getAuthenticatedServiceClient();
+
+  return authenticatedGoogleClient.request({
+    url: `https://iam.googleapis.com/v1/projects/${deserializedIntegrationConfig.serviceAccountKeyConfig.project_id}/serviceAccounts`,
+  });
+}
+
+async function validateInvocationConfig(config: SerializedIntegrationConfig) {
   if (!config.serviceAccountKeyFile) {
     throw new IntegrationValidationError(
       'Missing a required integration config value {serviceAccountKeyFile}',
     );
   }
+
+  if (config.serviceAccountKeyFile) {
+    try {
+      await executeTestRequest(config);
+    } catch (error) {
+      throw new IntegrationValidationError(
+        'Google Service Account key file {serviceAccountKeyFile} is expired or invalid. Please update it the integration configurations.',
+      );
+    }
+  }
 }
 
 export default async function getStepStartStates(
@@ -202,7 +226,7 @@ export default async function getStepStartStates(
   const { instance, logger } = context;
   const { config: serializedIntegrationConfig } = instance;
 
-  validateInvocationConfig(serializedIntegrationConfig);
+  await validateInvocationConfig(serializedIntegrationConfig);
 
   // Override the incoming config with the new config that has parsed service
   // account data