Expand testing to cover G Suite functionality

[morgante]

The tests currently don't make it easy to test G Suite-related functionality in the module.

We should add fixtures to consistently exercise the create_group and API/SA group functionalities.

[morgante]

We also need tests covering the various scenarios documented here.

[thefirstofthe300]

Just to reiterate, the scenarios that need to be tested are:

• Pass in a group_name, and create_group = false => grant the roles to the group
• Pass in a group_name and create_group = true => create the given group name and grant it the required roles
• Don't pass in a group_name and create_group = true => creates a group named project_name-editors and grants it the required roles.
• Don't pass in a group_name and create_group = false => no group roles granted

Also

• Pass in sa_group => default service account is part of given G Suite group

[aaron-lane]

We will need to alter the test setup to support a long-lived service account, or identify an alternative approach to satisfy the authentication requirements of the G Suite provider.

[morgante]

Here's how I suggest we tackle this:

• In the test-org, create a new folder+project for project-factory that includes creating a service account and applies the correct permissions, roughly mirroring the existing setup/ content
• In the setup/ stage of this repo, remove the project creation and and simply use google_service_account_key to grab the key from the pre-created service account

[aaron-lane]

I think that sounds like a good approach. I suggest that we maintain the setup configuration so contributors can continue to easily create a test environment for the minimal suite, and push the exceptional logic in to the build configuration file. May be add a separate "full-ci-setup" configuration which does what you propose.

[morgante]

Sure, we could have a separate folder which behaves similarly but is only used for CI.