Merge branch 'main' into main

docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md

@@ -0,0 +1,67 @@
+# Upgrading to cloud-run v2 v0.14.0 from v0.13.0
+
+The cloud-run/v2 release v0.14.0 is backward incompatible.
+
+## Google Cloud Provider deletion_policy
+
+Terraform Google Provider 6.0.0 [added a new field](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/version_6_upgrade) to prevent deletion of some resources.
+
+### Projects
+
+The `deletion_policy` for projects now defaults to `"PREVENT"` rather than `"DELETE"`.
+This aligns with the behavior in Google Cloud Platform Provider v6+.
+To maintain the old behavior set `project_deletion_policy = "DELETE"` in the modules [service-project-factory](../modules/service-project-factory/) and [secure-serverless-harness](../modules/secure-serverless-harness/README.md)
+
+```diff
+  module "secure-serverless-harness" {
+-   version          = "~> 0.13.0"
++   version          = "~> 0.14.0"
+
++   project_deletion_policy    = "DELETE"
+}
+```
+
+### Folder
+
+The `deletion_protection` for folders was added and defaults to `true`.
+This aligns with the behavior in Google Cloud Platform Provider v6+.
+To maintain the old behavior set `folder_deletion_protection = false` in the module [secure-serverless-harness](../modules/secure-serverless-harness/README.md).
+
+```diff
+  module "secure-serverless-harness" {
+-   version          = "~> 0.13.0"
++   version          = "~> 0.14.0"
+
++   folder_deletion_protection = false
+}
+```
+
+### Cloud Run v2 Job
+
+The `deletion_protection` for Cloud Run v2 Jobs was added and defaults to `true`.
+This aligns with the behavior in Google Cloud Platform Provider v6+.
+To maintain the old behavior set `cloud_run_deletion_protection = false` in the module [job-exec](../modules/job-exec/README.md).
+
+```diff
+  module "job-exec" {
+-   version          = "~> 0.13.0"
++   version          = "~> 0.14.0"
+
++   cloud_run_deletion_protection = false
+}
+```
+
+### Cloud Run v2 Service
+
+The `deletion_protection` for Cloud Run v2 Services was added and defaults to `true`.
+This aligns with the behavior in Google Cloud Platform Provider v6+.
+To maintain the old behavior set `cloud_run_deletion_protection = false` in the module [v2](../modules/v2/README.md).
+
+```diff
+  module "v2" {
+-   version          = "~> 0.13.0"
++   version          = "~> 0.14.0"
+
++   cloud_run_deletion_protection = false
+}
+```

examples/secure_cloud_run_standalone/main.tf

@@ -28,7 +28,7 @@ resource "random_id" "random_folder_suffix" {
 
 module "secure_harness" {
   source  = "GoogleCloudPlatform/cloud-run/google//modules/secure-serverless-harness"
-  version = "~> 0.13"
+  version = "~> 0.14"
 
   billing_account                             = var.billing_account
   security_project_name                       = "prj-kms-secure-cloud-run"
@@ -51,6 +51,8 @@ module "secure_harness" {
   egress_policies                             = var.egress_policies
   ingress_policies                            = var.ingress_policies
   base_serverless_api                         = "run.googleapis.com"
+  project_deletion_policy                     = "DELETE"
+  folder_deletion_protection                  = false
 }
 
 resource "null_resource" "copy_image" {

examples/simple_job_exec/main.tf

@@ -16,11 +16,13 @@
 
 module "job" {
   source  = "GoogleCloudPlatform/cloud-run/google//modules/job-exec"
-  version = "~> 0.13"
+  version = "~> 0.14"
 
   project_id = var.project_id
   name       = "simple-job"
   location   = "us-central1"
   image      = "us-docker.pkg.dev/cloudrun/container/job"
   exec       = true
+
+  cloud_run_deletion_protection = var.cloud_run_deletion_protection
 }

examples/simple_job_exec/variables.tf

@@ -18,3 +18,9 @@ variable "project_id" {
   description = "The project ID to deploy to"
   type        = string
 }
+
+variable "cloud_run_deletion_protection" {
+  type        = bool
+  description = "This field prevents Terraform from destroying or recreating the Cloud Run v2 Jobs and Services"
+  default     = true
+}

examples/v2/README.md

@@ -18,6 +18,7 @@ This example assumes that below mentioned prerequisites are in place before cons
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| cloud\_run\_deletion\_protection | This field prevents Terraform from destroying or recreating the Cloud Run v2 Jobs and Services | `bool` | `true` | no |
 | project\_id | The project ID to deploy to | `string` | n/a | yes |
 
 ## Outputs

examples/v2/main.tf

@@ -16,11 +16,14 @@
 
 module "cloud_run_v2" {
   source  = "GoogleCloudPlatform/cloud-run/google//modules/v2"
-  version = "~> 0.13"
+  version = "~> 0.14"
 
   service_name = "ci-cloud-run-v2"
   project_id   = var.project_id
   location     = "us-central1"
+
+  cloud_run_deletion_protection = var.cloud_run_deletion_protection
+
   containers = [
     {
       container_image = "us-docker.pkg.dev/cloudrun/container/hello"

examples/v2/variables.tf

@@ -18,3 +18,9 @@ variable "project_id" {
   description = "The project ID to deploy to"
   type        = string
 }
+
+variable "cloud_run_deletion_protection" {
+  type        = bool
+  description = "This field prevents Terraform from destroying or recreating the Cloud Run v2 Jobs and Services"
+  default     = true
+}

modules/job-exec/README.md

@@ -36,6 +36,7 @@ Functional examples are included in the
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | argument | Arguments passed to the ENTRYPOINT command, include these only if image entrypoint needs arguments | `list(string)` | `[]` | no |
+| cloud\_run\_deletion\_protection | This field prevents Terraform from destroying or recreating the Cloud Run v2 Jobs and Services | `bool` | `true` | no |
 | container\_command | Leave blank to use the ENTRYPOINT command defined in the container image, include these only if image entrypoint should be overwritten | `list(string)` | `[]` | no |
 | env\_secret\_vars | Environment variables (Secret Manager) | <pre>list(object({<br>    name = string<br>    value_source = set(object({<br>      secret_key_ref = object({<br>        secret  = string<br>        version = optional(string, "latest")<br>      })<br>    }))<br>  }))</pre> | `[]` | no |
 | env\_vars | Environment variables (cleartext) | <pre>list(object({<br>    value = string<br>    name  = string<br>  }))</pre> | `[]` | no |

modules/job-exec/main.tf

@@ -21,6 +21,8 @@ resource "google_cloud_run_v2_job" "job" {
   launch_stage = var.launch_stage
   labels       = var.labels
 
+  deletion_protection = var.cloud_run_deletion_protection
+
   template {
     labels      = var.labels
     parallelism = var.parallelism

modules/job-exec/variables.tf

@@ -158,3 +158,9 @@ variable "timeout" {
     error_message = "The value must be a duration in seconds with up to nine fractional digits, ending with 's'. Example: \"3.5s\"."
   }
 }
+
+variable "cloud_run_deletion_protection" {
+  type        = bool
+  description = "This field prevents Terraform from destroying or recreating the Cloud Run v2 Jobs and Services"
+  default     = true
+}

modules/job-exec/versions.tf

@@ -24,7 +24,7 @@ terraform {
     }
     google = {
       source  = "hashicorp/google"
-      version = "< 6"
+      version = "< 7"
     }
   }
   provider_meta "google" {

modules/secure-cloud-run-core/loadbalancer.tf

@@ -19,8 +19,9 @@ locals {
 }
 
 module "lb-http" {
-  source                          = "GoogleCloudPlatform/lb-http/google//modules/serverless_negs"
-  version                         = "~> 11.0"
+  source  = "GoogleCloudPlatform/lb-http/google//modules/serverless_negs"
+  version = "~> 12.0"
+
   name                            = var.lb_name
   project                         = var.project_id
   ssl                             = true

modules/secure-cloud-run-core/versions.tf

@@ -20,11 +20,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "< 6"
+      version = "< 7"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = "< 6"
+      version = "< 7"
     }
     random = {
       source  = "hashicorp/random"

modules/secure-cloud-run-security/versions.tf

@@ -20,11 +20,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "< 6"
+      version = "< 7"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = "< 6"
+      version = "< 7"
     }
   }
 

modules/secure-cloud-run/main.tf

@@ -16,7 +16,7 @@
 
 module "serverless_project_apis" {
   source  = "terraform-google-modules/project-factory/google//modules/project_services"
-  version = "~> 15.0"
+  version = "~> 17.0"
 
   project_id                  = var.serverless_project_id
   disable_services_on_destroy = false
@@ -32,7 +32,7 @@ module "serverless_project_apis" {
 
 module "vpc_project_apis" {
   source  = "terraform-google-modules/project-factory/google//modules/project_services"
-  version = "~> 15.0"
+  version = "~> 17.0"
 
   project_id                  = var.vpc_project_id
   disable_services_on_destroy = false

modules/secure-cloud-run/versions.tf

@@ -20,11 +20,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "< 6"
+      version = "< 7"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = "< 6"
+      version = "< 7"
     }
   }
 

modules/secure-serverless-harness/README.md

@@ -63,6 +63,7 @@ module "secure_cloud_run_harness" {
 | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no |
 | egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference), each list object has a `from` and `to` value that describes egress\_from and egress\_to.<br><br>Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`<br><br>Valid Values:<br>`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow identities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`<br>`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)<br>`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions). | <pre>list(object({<br>    from = any<br>    to   = any<br>  }))</pre> | `[]` | no |
 | encrypters | List of comma-separated owners for each key declared in set\_encrypters\_for. | `list(string)` | `[]` | no |
+| folder\_deletion\_protection | Prevent Terraform from destroying or recreating the folder. | `string` | `true` | no |
 | ingress\_policies | A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference), each list object has a `from` and `to` value that describes ingress\_from and ingress\_to.<br><br>Example: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`<br><br>Valid Values:<br>`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow identities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`<br>`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)<br>`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions). | <pre>list(object({<br>    from = any<br>    to   = any<br>  }))</pre> | `[]` | no |
 | key\_name | Key name. | `string` | n/a | yes |
 | key\_protection\_level | The protection level to use when creating a version based on this template. Possible values: ["SOFTWARE", "HSM"]. | `string` | `"HSM"` | no |
@@ -76,6 +77,7 @@ module "secure_cloud_run_harness" {
 | parent\_folder\_id | The ID of a folder to host the infrastructure created in this module. | `string` | `""` | no |
 | prevent\_destroy | Set the prevent\_destroy lifecycle attribute on keys. | `bool` | `true` | no |
 | private\_service\_connect\_ip | The internal IP to be used for the private service connect. | `string` | n/a | yes |
+| project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no |
 | region | The region in which the subnetwork will be created. | `string` | n/a | yes |
 | security\_project\_extra\_apis | The extra APIs to be enabled during security project creation. | `list(string)` | `[]` | no |
 | security\_project\_name | The name to give the security project. | `string` | n/a | yes |

modules/secure-serverless-harness/main.tf

@@ -44,14 +44,16 @@ locals {
 }
 
 resource "google_folder" "fld_serverless" {
-  display_name = var.serverless_folder_suffix == "" ? "fldr-serverless" : "fldr-serverless-${var.serverless_folder_suffix}"
-  parent       = var.parent_folder_id == "" ? "organizations/${var.org_id}" : "folders/${var.parent_folder_id}"
+  display_name        = var.serverless_folder_suffix == "" ? "fldr-serverless" : "fldr-serverless-${var.serverless_folder_suffix}"
+  parent              = var.parent_folder_id == "" ? "organizations/${var.org_id}" : "folders/${var.parent_folder_id}"
+  deletion_protection = var.folder_deletion_protection
 }
 
 module "network_project" {
-  count             = var.use_shared_vpc ? 1 : 0
-  source            = "terraform-google-modules/project-factory/google"
-  version           = "~> 15.0"
+  source  = "terraform-google-modules/project-factory/google"
+  version = "~> 17.0"
+  count   = var.use_shared_vpc ? 1 : 0
+
   random_project_id = "true"
   activate_apis     = local.network_apis
   name              = var.network_project_name
@@ -60,13 +62,15 @@ module "network_project" {
   folder_id         = google_folder.fld_serverless.name
 
   disable_services_on_destroy = var.disable_services_on_destroy
+  deletion_policy             = var.project_deletion_policy
 
   enable_shared_vpc_host_project = true
 }
 
 module "security_project" {
-  source            = "terraform-google-modules/project-factory/google"
-  version           = "~> 15.0"
+  source  = "terraform-google-modules/project-factory/google"
+  version = "~> 17.0"
+
   random_project_id = "true"
   activate_apis     = local.kms_apis
   name              = var.security_project_name
@@ -75,6 +79,7 @@ module "security_project" {
   folder_id         = google_folder.fld_serverless.name
 
   disable_services_on_destroy = var.disable_services_on_destroy
+  deletion_policy             = var.project_deletion_policy
 }
 
 module "serverless_project" {
@@ -89,6 +94,7 @@ module "serverless_project" {
   folder_name                   = google_folder.fld_serverless.name
   project_name                  = each.value
   service_account_project_roles = try(var.service_account_project_roles[each.value], [])
+  project_deletion_policy       = var.project_deletion_policy
 
   disable_services_on_destroy = var.disable_services_on_destroy
 }

modules/secure-serverless-harness/variables.tf

@@ -238,3 +238,15 @@ variable "time_to_wait_vpc_sc_propagation" {
   description = "The time to wait VPC-SC propagation when applying and destroying."
   default     = "180s"
 }
+
+variable "project_deletion_policy" {
+  description = "The deletion policy for the project created."
+  type        = string
+  default     = "PREVENT"
+}
+
+variable "folder_deletion_protection" {
+  description = "Prevent Terraform from destroying or recreating the folder."
+  type        = string
+  default     = true
+}

modules/secure-serverless-harness/versions.tf

@@ -20,11 +20,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "< 6"
+      version = "< 7"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = "< 6"
+      version = "< 7"
     }
     random = {
       source  = "hashicorp/random"

modules/secure-serverless-net/network.tf

@@ -35,14 +35,12 @@ resource "google_compute_subnetwork" "vpc_subnetwork" {
 }
 
 resource "google_vpc_access_connector" "serverless_connector" {
-  name           = "${var.connector_name}${local.suffix}"
-  region         = var.location
-  project        = var.connector_on_host_project ? var.vpc_project_id : var.serverless_project_id
-  machine_type   = "e2-micro"
-  min_instances  = 2
-  max_instances  = 10
-  min_throughput = 200
-  max_throughput = 1000
+  name          = "${var.connector_name}${local.suffix}"
+  region        = var.location
+  project       = var.connector_on_host_project ? var.vpc_project_id : var.serverless_project_id
+  machine_type  = "e2-micro"
+  min_instances = 2
+  max_instances = 10
   subnet {
     name       = local.subnet_name
     project_id = var.vpc_project_id

modules/secure-serverless-net/versions.tf

@@ -20,11 +20,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "< 6"
+      version = "< 7"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = "< 6"
+      version = "< 7"
     }
   }