diff --git a/Makefile b/Makefile
index d1016f2..95ee585 100644
--- a/Makefile
+++ b/Makefile
@@ -62,7 +62,7 @@ docker_test_integration:
 -e SERVICE_ACCOUNT_JSON \
 -v "$(CURDIR)":/workspace \
 $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
- /usr/local/bin/test_integration.sh
+ cft test run all
 # Execute lint tests within the docker container
 .PHONY: docker_test_lint
diff --git a/test/setup/iam.tf b/test/setup/iam.tf
index 05c4f7e..fd4bef3 100644
--- a/test/setup/iam.tf
+++ b/test/setup/iam.tf
@@ -46,28 +46,54 @@ locals {
 ]
 }
- int_required_roles = concat([
+ extra_roles_for_tests = {
+ /*
 "roles/memorystore.admin",
 "roles/redis.admin",
 "roles/memcache.admin",
 "roles/cloudkms.admin",
- ], flatten(values(local.per_module_roles)))
+ */
+ }
+
+ // A list of items like:
+ // { module_name = "x", role = "role1"}
+ // { module_name = "x", role = "role2"}
+ // { module_name = "y", role = "role3"}
+ module_role_combinations = flatten(
+ [for module_name, _ in module.project :
+ [for role in setunion(local.per_module_roles[module_name], lookup(local.extra_roles_for_tests, module_name, [])) : {
+ module_name = module_name
+ role = role
+ }
+ ]
+ ]
+ )
 }
 resource "google_service_account" "int_test" {
- project = module.project.project_id
+ for_each = module.project
+
+ project = each.value.project_id
 account_id = "ci-account"
 display_name = "ci-account"
 }
 resource "google_project_iam_member" "int_test" {
- count = length(local.int_required_roles)
+ for_each = {
+ for combination in local.module_role_combinations :
+ "${combination.module_name}.${combination.role}" => {
+ service_account = google_service_account.int_test[combination.module_name]
+ role = combination.role
+ }
+ }
- project = module.project.project_id
- role = local.int_required_roles[count.index]
- member = "serviceAccount:${google_service_account.int_test.email}"
+ project = each.value.service_account.project
+ role = each.value.role
+ member = "serviceAccount:${each.value.service_account.email}"
 }
 resource "google_service_account_key" "int_test" {
- service_account_id = google_service_account.int_test.id
+ for_each = module.project
+
+ service_account_id = google_service_account.int_test[each.key].id
 }
diff --git a/test/setup/main.tf b/test/setup/main.tf
index 614e8be..c37705e 100644
--- a/test/setup/main.tf
+++ b/test/setup/main.tf
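Review bot: In test/setup/iam.tf, the commented-out placeholder inside `extra_roles_for_tests` is a bare list of role strings, but the local is read with `lookup(local.extra_roles_for_tests, module_name, [])`, so it has to be a map from module name to a list of roles; un-commenting it as written would not be a valid object. Replace the block comment with an example of the expected shape, e.g. `// "<module_name>" = ["roles/redis.admin"]`; the same applies to `extra_services_for_tests` in test/setup/main.tf. Separately, `local.per_module_roles[module_name]` is a direct index, so a module that appears in `module.project` but not in `per_module_roles` (defined outside this hunk) would presumably fail the plan; `lookup(local.per_module_roles, module_name, [])` would match the tolerant lookup used right next to it.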
@@ -39,9 +39,23 @@ locals {
 "cloudresourcemanager.googleapis.com",
 ]
 }
+ extra_services_for_tests = {
+ /*
+ "serviceconsumermanagement.googleapis.com",
+ "networkconnectivity.googleapis.com",
+ "compute.googleapis.com",
+ "memorystore.googleapis.com",
+ */
+ }
+ per_module_test_services = {
+ for module, services in local.per_module_services :
+ module => setunion(services, lookup(local.extra_services_for_tests, module, []))
+ }
 }
 module "project" {
+ for_each = local.per_module_test_services
+
 source = "terraform-google-modules/project-factory/google"
 version = "~> 18.0"
@@ -54,12 +68,7 @@ module "project" {
 auto_create_network = true
 deletion_policy = "DELETE"
- activate_apis = concat([
- "serviceconsumermanagement.googleapis.com",
- "networkconnectivity.googleapis.com",
- "compute.googleapis.com",
- "memorystore.googleapis.com",
- ], flatten(values(local.per_module_services)))
+ activate_apis = each.value
 }
diff --git a/test/setup/outputs.tf b/test/setup/outputs.tf
index a21fbc2..6d80c91 100644
--- a/test/setup/outputs.tf
+++ b/test/setup/outputs.tf
@@ -14,19 +14,18 @@
 * limitations under the License.
 */
-output "project_id" {
- value = module.project.project_id
+// project_ids_per_module is resolved to `project_id` by the tft test framework.
+output "project_ids_per_module" {
+ value = {
+ for module_name, v in module.project : module_name => v.project_id
+ }
 }
-output "sa_key" {
- value = google_service_account_key.int_test.private_key
+// `sa_keys_per_module` is resolved to `sa_key` by the tft test framework.
+output "sa_keys_per_module" {
+ value = {
+ for module_name, v in google_service_account_key.int_test : module_name => v.private_key
+ }
 sensitive = true
 }
-output "sa_email" {
- value = google_service_account.int_test.email
-}
-
-output "parent_id" {
- value = var.org_id
-}
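Review bot: In the first hunk of test/setup/main.tf, the iterator in `per_module_test_services` is named `module`, the same word as Terraform's `module.` namespace, which is confusing next to the `module "project"` block just below and the `module.project` references in iam.tf. iam.tf and outputs.tf already use `module_name` for the same key, so `for module_name, services in local.per_module_services :` followed by `module_name => setunion(services, lookup(local.extra_services_for_tests, module_name, []))` would be consistent. The `locals` block starts outside the hunk.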
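Review bot: In test/setup/outputs.tf, `sa_keys_per_module` now exports one service account private key per module project from a single output, and the comment above it only describes the name mapping. `sensitive = true` redacts the value in CLI output, but the keys are still written to the Terraform state in plain text, so anyone who can read the setup state or this output holds credentials for every module's test project, not only the one under test. It is worth recording that next to the output, e.g. `// Values are service account private keys; sensitive only hides them in CLI output, so restrict access to the setup state.` Removing `sa_email` and `parent_id` would also break any consumer still reading them; none is visible in this diff.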