From 3312703a81091f25bb7c2c104c04a29620206685 Mon Sep 17 00:00:00 2001 From: Daniel Andrade Date: Tue, 5 Nov 2024 19:06:00 -0300 Subject: [PATCH] fix!: upgrade modules to use provider v6 (#257) Co-authored-by: Andrew Peabody --- ...ng_to_cloud_run_v2_v0.14.0_from_v0.13.0.md | 67 +++++++++++++++++++ examples/secure_cloud_run_standalone/main.tf | 4 +- examples/simple_job_exec/main.tf | 4 +- examples/simple_job_exec/variables.tf | 6 ++ examples/v2/README.md | 1 + examples/v2/main.tf | 5 +- examples/v2/variables.tf | 6 ++ modules/job-exec/README.md | 1 + modules/job-exec/main.tf | 2 + modules/job-exec/variables.tf | 6 ++ modules/job-exec/versions.tf | 2 +- modules/secure-cloud-run-core/loadbalancer.tf | 5 +- modules/secure-cloud-run-core/versions.tf | 4 +- modules/secure-cloud-run-security/versions.tf | 4 +- modules/secure-cloud-run/main.tf | 4 +- modules/secure-cloud-run/versions.tf | 4 +- modules/secure-serverless-harness/README.md | 2 + modules/secure-serverless-harness/main.tf | 20 ++++-- .../secure-serverless-harness/variables.tf | 12 ++++ modules/secure-serverless-harness/versions.tf | 4 +- modules/secure-serverless-net/network.tf | 14 ++-- modules/secure-serverless-net/versions.tf | 4 +- modules/service-project-factory/main.tf | 7 +- modules/service-project-factory/variables.tf | 6 ++ modules/service-project-factory/versions.tf | 4 +- modules/v2/README.md | 1 + modules/v2/main.tf | 2 + modules/v2/variables.tf | 6 ++ modules/v2/versions.tf | 4 +- test/fixtures/secure_cloud_run/harness.tf | 6 +- test/setup/main.tf | 3 +- test/setup/outputs.tf | 4 ++ versions.tf | 4 +- 33 files changed, 184 insertions(+), 44 deletions(-) create mode 100644 docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md diff --git a/docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md b/docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md new file mode 100644 index 00000000..883d574e --- /dev/null +++ b/docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md 
@@ -0,0 +1,67 @@ +# Upgrading to cloud-run v2 v0.14.0 from v0.13.0 + +The cloud-run/v2 release v0.14.0 is backward incompatible. + +## Google Cloud Provider deletion_policy + +Terraform Google Provider 6.0.0 [added a new field](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/version_6_upgrade) to prevent deletion of some resources. + +### Projects + +The `deletion_policy` for projects now defaults to `"PREVENT"` rather than `"DELETE"`. +This aligns with the behavior in Google Cloud Platform Provider v6+. +To maintain the old behavior set `project_deletion_policy = "DELETE"` in the modules [service-project-factory](../modules/service-project-factory/) and [secure-serverless-harness](../modules/secure-serverless-harness/README.md) + +```diff + module "secure-serverless-harness" { +- version = "~> 0.13.0" ++ version = "~> 0.14.0" + ++ project_deletion_policy = "DELETE" +} +``` + +### Folder + +The `deletion_protection` for folders was added and defaults to `true`. +This aligns with the behavior in Google Cloud Platform Provider v6+. +To maintain the old behavior set `folder_deletion_protection = false` in the module [secure-serverless-harness](../modules/secure-serverless-harness/README.md). + +```diff + module "secure-serverless-harness" { +- version = "~> 0.13.0" ++ version = "~> 0.14.0" + ++ folder_deletion_protection = false +} +``` + +### Cloud Run v2 Job + +The `deletion_protection` for Cloud Run v2 Jobs was added and defaults to `true`. +This aligns with the behavior in Google Cloud Platform Provider v6+. +To maintain the old behavior set `cloud_run_deletion_protection = false` in the module [job-exec](../modules/job-exec/README.md). + +```diff + module "job-exec" { +- version = "~> 0.13.0" ++ version = "~> 0.14.0" + ++ cloud_run_deletion_protection = false +} +``` + +### Cloud Run v2 Service + +The `deletion_protection` for Cloud Run v2 Services was added and defaults to `true`. 
+This aligns with the behavior in Google Cloud Platform Provider v6+. +To maintain the old behavior set `cloud_run_deletion_protection = false` in the module [v2](../modules/v2/README.md). + +```diff + module "v2" { +- version = "~> 0.13.0" ++ version = "~> 0.14.0" + ++ cloud_run_deletion_protection = false +} +``` diff --git a/examples/secure_cloud_run_standalone/main.tf b/examples/secure_cloud_run_standalone/main.tf index bdf2491a..9db27d4c 100644 --- a/examples/secure_cloud_run_standalone/main.tf +++ b/examples/secure_cloud_run_standalone/main.tf @@ -28,7 +28,7 @@ resource "random_id" "random_folder_suffix" { module "secure_harness" { source = "GoogleCloudPlatform/cloud-run/google//modules/secure-serverless-harness" - version = "~> 0.13" + version = "~> 0.14" billing_account = var.billing_account security_project_name = "prj-kms-secure-cloud-run" @@ -51,6 +51,8 @@ module "secure_harness" { egress_policies = var.egress_policies ingress_policies = var.ingress_policies base_serverless_api = "run.googleapis.com" + project_deletion_policy = "DELETE" + folder_deletion_protection = false } resource "null_resource" "copy_image" { diff --git a/examples/simple_job_exec/main.tf b/examples/simple_job_exec/main.tf index 41c68457..8cb77c7d 100644 --- a/examples/simple_job_exec/main.tf +++ b/examples/simple_job_exec/main.tf @@ -16,11 +16,13 @@ module "job" { source = "GoogleCloudPlatform/cloud-run/google//modules/job-exec" - version = "~> 0.13" + version = "~> 0.14" project_id = var.project_id name = "simple-job" location = "us-central1" image = "us-docker.pkg.dev/cloudrun/container/job" exec = true + + cloud_run_deletion_protection = var.cloud_run_deletion_protection } diff --git a/examples/simple_job_exec/variables.tf b/examples/simple_job_exec/variables.tf index f355dcfd..df08153c 100644 --- a/examples/simple_job_exec/variables.tf +++ b/examples/simple_job_exec/variables.tf 
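Review bot: The added lines `project_deletion_policy = "DELETE"` and `folder_deletion_protection = false` in the `secure_harness` module block hard-code the destructive settings into a published example, so anyone copying it gets the folder and all three projects removed on `terraform destroy`, which is exactly what the provider v6 defaults were introduced to prevent. The other examples touched by this commit (simple_job_exec, v2) expose the equivalent switch as an input variable with the safe default; this example could do the same with `project_deletion_policy = var.project_deletion_policy` and `folder_deletion_protection = var.folder_deletion_protection`, or at minimum carry a comment such as `# Destructive settings for short-lived test deployments; keep the PREVENT/true defaults in real environments.` The `secure_harness` module block begins in the earlier hunk of this file.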
@@ -18,3 +18,9 @@ variable "project_id" { description = "The project ID to deploy to" type = string } + +variable "cloud_run_deletion_protection" { + type = bool + description = "This field prevents Terraform from destroying or recreating the Cloud Run v2 Jobs and Services" + default = true +} diff --git a/examples/v2/README.md b/examples/v2/README.md index 5298a056..44c04b3d 100644 --- a/examples/v2/README.md +++ b/examples/v2/README.md @@ -18,6 +18,7 @@ This example assumes that below mentioned prerequisites are in place before cons | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| cloud\_run\_deletion\_protection | This field prevents Terraform from destroying or recreating the Cloud Run v2 Jobs and Services | `bool` | `true` | no | | project\_id | The project ID to deploy to | `string` | n/a | yes | ## Outputs diff --git a/examples/v2/main.tf b/examples/v2/main.tf index f2a623d6..89659bcd 100644 --- a/examples/v2/main.tf +++ b/examples/v2/main.tf @@ -16,11 +16,14 @@ module "cloud_run_v2" { source = "GoogleCloudPlatform/cloud-run/google//modules/v2" - version = "~> 0.13" + version = "~> 0.14" service_name = "ci-cloud-run-v2" project_id = var.project_id location = "us-central1" + + cloud_run_deletion_protection = var.cloud_run_deletion_protection + containers = [ { container_image = "us-docker.pkg.dev/cloudrun/container/hello" diff --git a/examples/v2/variables.tf b/examples/v2/variables.tf index f284ef4d..4b5ed2d3 100644 --- a/examples/v2/variables.tf +++ b/examples/v2/variables.tf @@ -18,3 +18,9 @@ variable "project_id" { description = "The project ID to deploy to" type = string } + +variable "cloud_run_deletion_protection" { + type = bool + description = "This field prevents Terraform from destroying or recreating the Cloud Run v2 Jobs and Services" + default = true +} diff --git a/modules/job-exec/README.md b/modules/job-exec/README.md index a9e0e353..430236ac 100644 --- a/modules/job-exec/README.md 
+++ b/modules/job-exec/README.md @@ -36,6 +36,7 @@ Functional examples are included in the | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | argument | Arguments passed to the ENTRYPOINT command, include these only if image entrypoint needs arguments | `list(string)` | `[]` | no | +| cloud\_run\_deletion\_protection | This field prevents Terraform from destroying or recreating the Cloud Run v2 Jobs and Services | `bool` | `true` | no | | container\_command | Leave blank to use the ENTRYPOINT command defined in the container image, include these only if image entrypoint should be overwritten | `list(string)` | `[]` | no | | env\_secret\_vars | Environment variables (Secret Manager) |
list(object({
name = string
value_source = set(object({
secret_key_ref = object({
secret = string
version = optional(string, "latest")
})
}))
}))
| `[]` | no | | env\_vars | Environment variables (cleartext) |
list(object({
value = string
name = string
}))
| `[]` | no | diff --git a/modules/job-exec/main.tf b/modules/job-exec/main.tf index 717491d7..d1039119 100644 --- a/modules/job-exec/main.tf +++ b/modules/job-exec/main.tf @@ -21,6 +21,8 @@ resource "google_cloud_run_v2_job" "job" { launch_stage = var.launch_stage labels = var.labels + deletion_protection = var.cloud_run_deletion_protection + template { labels = var.labels parallelism = var.parallelism diff --git a/modules/job-exec/variables.tf b/modules/job-exec/variables.tf index dc485c0a..ecf2d79d 100644 --- a/modules/job-exec/variables.tf +++ b/modules/job-exec/variables.tf @@ -158,3 +158,9 @@ variable "timeout" { error_message = "The value must be a duration in seconds with up to nine fractional digits, ending with 's'. Example: \"3.5s\"." } } + +variable "cloud_run_deletion_protection" { + type = bool + description = "This field prevents Terraform from destroying or recreating the Cloud Run v2 Jobs and Services" + default = true +} diff --git a/modules/job-exec/versions.tf b/modules/job-exec/versions.tf index d386aafc..d1578137 100644 --- a/modules/job-exec/versions.tf +++ b/modules/job-exec/versions.tf @@ -24,7 +24,7 @@ terraform { } google = { source = "hashicorp/google" - version = "< 6" + version = "< 7" } } provider_meta "google" { diff --git a/modules/secure-cloud-run-core/loadbalancer.tf b/modules/secure-cloud-run-core/loadbalancer.tf index 5023c5fa..d1b563ae 100644 --- a/modules/secure-cloud-run-core/loadbalancer.tf +++ b/modules/secure-cloud-run-core/loadbalancer.tf @@ -19,8 +19,9 @@ locals { } module "lb-http" { - source = "GoogleCloudPlatform/lb-http/google//modules/serverless_negs" - version = "~> 11.0" + source = "GoogleCloudPlatform/lb-http/google//modules/serverless_negs" + version = "~> 12.0" + name = var.lb_name project = var.project_id ssl = true diff --git a/modules/secure-cloud-run-core/versions.tf b/modules/secure-cloud-run-core/versions.tf index 6000cf7b..ae4ce341 100644 --- a/modules/secure-cloud-run-core/versions.tf 
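Review bot: The description of the new `cloud_run_deletion_protection` variable says it protects "Cloud Run v2 Jobs and Services", but this module only manages `google_cloud_run_v2_job.job`; the same wording is reused in modules/v2/variables.tf, which only manages a service, and in both example variables.tf files. Suggest `description = "Prevent Terraform from destroying or recreating the Cloud Run v2 Job."` here, the Service-specific counterpart in modules/v2, and regenerating the README tables that repeat the text. It would also help callers to state in the description that with the default `true` a `terraform destroy` is expected to be refused until the value is set to `false`, since that is the behaviour an operator has to opt out of consciously.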
+++ b/modules/secure-cloud-run-core/versions.tf @@ -20,11 +20,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "< 6" + version = "< 7" } google-beta = { source = "hashicorp/google-beta" - version = "< 6" + version = "< 7" } random = { source = "hashicorp/random" diff --git a/modules/secure-cloud-run-security/versions.tf b/modules/secure-cloud-run-security/versions.tf index 3a382e43..70e268c7 100644 --- a/modules/secure-cloud-run-security/versions.tf +++ b/modules/secure-cloud-run-security/versions.tf @@ -20,11 +20,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "< 6" + version = "< 7" } google-beta = { source = "hashicorp/google-beta" - version = "< 6" + version = "< 7" } } diff --git a/modules/secure-cloud-run/main.tf b/modules/secure-cloud-run/main.tf index acce7cbe..de8308b3 100644 --- a/modules/secure-cloud-run/main.tf +++ b/modules/secure-cloud-run/main.tf @@ -16,7 +16,7 @@ module "serverless_project_apis" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 15.0" + version = "~> 17.0" project_id = var.serverless_project_id disable_services_on_destroy = false @@ -32,7 +32,7 @@ module "serverless_project_apis" { module "vpc_project_apis" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 15.0" + version = "~> 17.0" project_id = var.vpc_project_id disable_services_on_destroy = false diff --git a/modules/secure-cloud-run/versions.tf b/modules/secure-cloud-run/versions.tf index ac50ac95..6c968311 100644 --- a/modules/secure-cloud-run/versions.tf +++ b/modules/secure-cloud-run/versions.tf @@ -20,11 +20,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "< 6" + version = "< 7" } google-beta = { source = "hashicorp/google-beta" - version = "< 6" + version = "< 7" } } 
diff --git a/modules/secure-serverless-harness/README.md b/modules/secure-serverless-harness/README.md index ae592941..789016cb 100644 --- a/modules/secure-serverless-harness/README.md +++ b/modules/secure-serverless-harness/README.md @@ -63,6 +63,7 @@ module "secure_cloud_run_harness" { | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no | | egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference), each list object has a `from` and `to` value that describes egress\_from and egress\_to.

Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow identities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions). |
list(object({
from = any
to = any
}))
| `[]` | no | | encrypters | List of comma-separated owners for each key declared in set\_encrypters\_for. | `list(string)` | `[]` | no | +| folder\_deletion\_protection | Prevent Terraform from destroying or recreating the folder. | `string` | `true` | no | | ingress\_policies | A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference), each list object has a `from` and `to` value that describes ingress\_from and ingress\_to.

Example: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow identities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions). |
list(object({
from = any
to = any
}))
| `[]` | no | | key\_name | Key name. | `string` | n/a | yes | | key\_protection\_level | The protection level to use when creating a version based on this template. Possible values: ["SOFTWARE", "HSM"]. | `string` | `"HSM"` | no | @@ -76,6 +77,7 @@ module "secure_cloud_run_harness" { | parent\_folder\_id | The ID of a folder to host the infrastructure created in this module. | `string` | `""` | no | | prevent\_destroy | Set the prevent\_destroy lifecycle attribute on keys. | `bool` | `true` | no | | private\_service\_connect\_ip | The internal IP to be used for the private service connect. | `string` | n/a | yes | +| project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no | | region | The region in which the subnetwork will be created. | `string` | n/a | yes | | security\_project\_extra\_apis | The extra APIs to be enabled during security project creation. | `list(string)` | `[]` | no | | security\_project\_name | The name to give the security project. | `string` | n/a | yes | diff --git a/modules/secure-serverless-harness/main.tf b/modules/secure-serverless-harness/main.tf index a7a6b8cd..1c7bf23e 100644 --- a/modules/secure-serverless-harness/main.tf +++ b/modules/secure-serverless-harness/main.tf 
@@ -44,14 +44,16 @@ locals { } resource "google_folder" "fld_serverless" { - display_name = var.serverless_folder_suffix == "" ? "fldr-serverless" : "fldr-serverless-${var.serverless_folder_suffix}" - parent = var.parent_folder_id == "" ? "organizations/${var.org_id}" : "folders/${var.parent_folder_id}" + display_name = var.serverless_folder_suffix == "" ? "fldr-serverless" : "fldr-serverless-${var.serverless_folder_suffix}" + parent = var.parent_folder_id == "" ? "organizations/${var.org_id}" : "folders/${var.parent_folder_id}" + deletion_protection = var.folder_deletion_protection } module "network_project" { - count = var.use_shared_vpc ? 1 : 0 - source = "terraform-google-modules/project-factory/google" - version = "~> 15.0" + source = "terraform-google-modules/project-factory/google" + version = "~> 17.0" + count = var.use_shared_vpc ? 1 : 0 + random_project_id = "true" activate_apis = local.network_apis name = var.network_project_name @@ -60,13 +62,15 @@ module "network_project" { folder_id = google_folder.fld_serverless.name disable_services_on_destroy = var.disable_services_on_destroy + deletion_policy = var.project_deletion_policy enable_shared_vpc_host_project = true } module "security_project" { - source = "terraform-google-modules/project-factory/google" - version = "~> 15.0" + source = "terraform-google-modules/project-factory/google" + version = "~> 17.0" + random_project_id = "true" activate_apis = local.kms_apis name = var.security_project_name @@ -75,6 +79,7 @@ module "security_project" { folder_id = google_folder.fld_serverless.name disable_services_on_destroy = var.disable_services_on_destroy + deletion_policy = var.project_deletion_policy } module "serverless_project" { 
@@ -89,6 +94,7 @@ module "serverless_project" { folder_name = google_folder.fld_serverless.name project_name = each.value service_account_project_roles = try(var.service_account_project_roles[each.value], []) + project_deletion_policy = var.project_deletion_policy disable_services_on_destroy = var.disable_services_on_destroy } diff --git a/modules/secure-serverless-harness/variables.tf b/modules/secure-serverless-harness/variables.tf index ac62f0ac..5ab5886c 100644 --- a/modules/secure-serverless-harness/variables.tf +++ b/modules/secure-serverless-harness/variables.tf @@ -238,3 +238,15 @@ variable "time_to_wait_vpc_sc_propagation" { description = "The time to wait VPC-SC propagation when applying and destroying." default = "180s" } + +variable "project_deletion_policy" { + description = "The deletion policy for the project created." + type = string + default = "PREVENT" +} + +variable "folder_deletion_protection" { + description = "Prevent Terraform from destroying or recreating the folder." + type = string + default = true +} diff --git a/modules/secure-serverless-harness/versions.tf b/modules/secure-serverless-harness/versions.tf index b5f37026..ad596a45 100644 --- a/modules/secure-serverless-harness/versions.tf +++ b/modules/secure-serverless-harness/versions.tf @@ -20,11 +20,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "< 6" + version = "< 7" } google-beta = { source = "hashicorp/google-beta" - version = "< 6" + version = "< 7" } random = { source = "hashicorp/random" diff --git a/modules/secure-serverless-net/network.tf b/modules/secure-serverless-net/network.tf index 75d267c9..21792bfe 100644 --- a/modules/secure-serverless-net/network.tf +++ b/modules/secure-serverless-net/network.tf 
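Review bot: In the variables.tf hunk, `folder_deletion_protection` is declared `type = string` while its default is the bool `true` and it feeds the `deletion_protection` argument of `google_folder.fld_serverless`; declaring it `type = bool`, like `cloud_run_deletion_protection` in the other modules, makes a value such as `"no"` fail at variable validation instead of at plan time, and the regenerated README row would then stop showing `string`. `project_deletion_policy` likewise accepts any string and is passed straight to the project-factory `deletion_policy` argument, so a validation block restricting it to `PREVENT`, `ABANDON` and `DELETE` surfaces typos before they reach the project call; the copy in modules/service-project-factory/variables.tf has the same gap. The rewritten declarations are below.
```hcl
variable "project_deletion_policy" {
  description = "The deletion policy for the project created. One of PREVENT, ABANDON or DELETE."
  type        = string
  default     = "PREVENT"

  validation {
    condition     = contains(["PREVENT", "ABANDON", "DELETE"], var.project_deletion_policy)
    error_message = "project_deletion_policy must be one of PREVENT, ABANDON or DELETE."
  }
}

variable "folder_deletion_protection" {
  description = "Prevent Terraform from destroying or recreating the folder."
  type        = bool
  default     = true
}
```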
@@ -35,14 +35,12 @@ resource "google_compute_subnetwork" "vpc_subnetwork" { } resource "google_vpc_access_connector" "serverless_connector" { - name = "${var.connector_name}${local.suffix}" - region = var.location - project = var.connector_on_host_project ? var.vpc_project_id : var.serverless_project_id - machine_type = "e2-micro" - min_instances = 2 - max_instances = 10 - min_throughput = 200 - max_throughput = 1000 + name = "${var.connector_name}${local.suffix}" + region = var.location + project = var.connector_on_host_project ? var.vpc_project_id : var.serverless_project_id + machine_type = "e2-micro" + min_instances = 2 + max_instances = 10 subnet { name = local.subnet_name project_id = var.vpc_project_id diff --git a/modules/secure-serverless-net/versions.tf b/modules/secure-serverless-net/versions.tf index 9cc77c72..f2af504f 100644 --- a/modules/secure-serverless-net/versions.tf +++ b/modules/secure-serverless-net/versions.tf @@ -20,11 +20,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "< 6" + version = "< 7" } google-beta = { source = "hashicorp/google-beta" - version = "< 6" + version = "< 7" } } diff --git a/modules/service-project-factory/main.tf b/modules/service-project-factory/main.tf index 4d4f47f2..04848dd4 100644 --- a/modules/service-project-factory/main.tf +++ b/modules/service-project-factory/main.tf @@ -15,8 +15,9 @@ */ module "serverless_project" { - source = "terraform-google-modules/project-factory/google" - version = "~> 15.0" + source = "terraform-google-modules/project-factory/google" + version = "~> 17.0" + random_project_id = "true" activate_apis = var.activate_apis name = var.project_name 
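Review bot: The removal of `min_throughput = 200` and `max_throughput = 1000` from `google_vpc_access_connector.serverless_connector` is not explained in the hunk or the commit message, and the surviving `min_instances = 2` / `max_instances = 10` carry no comment saying they are now the only capacity setting. Presumably this follows the provider v6 change that makes the throughput fields conflict with the instance fields, which is worth confirming against the v6 upgrade guide and recording inline, e.g. `# Provider v6: *_throughput conflicts with *_instances; connector capacity is expressed in instances only.` It is also worth checking that dropping the two arguments plans as an in-place update rather than a connector replacement, since recreating the connector interrupts egress for every Cloud Run service attached to it. The resource block continues past the end of the hunk.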
@@ -24,6 +25,8 @@ module "serverless_project" { billing_account = var.billing_account folder_id = var.folder_name disable_services_on_destroy = var.disable_services_on_destroy + deletion_policy = var.project_deletion_policy + svpc_host_project_id = var.network_project_id grant_network_role = var.network_project_id != "" ? true : false diff --git a/modules/service-project-factory/variables.tf b/modules/service-project-factory/variables.tf index 3e9cfd27..b95d1fb2 100644 --- a/modules/service-project-factory/variables.tf +++ b/modules/service-project-factory/variables.tf @@ -66,3 +66,9 @@ variable "service_account_project_roles" { description = "Common roles to apply to the Cloud Run service account in the serverless project." default = [] } + +variable "project_deletion_policy" { + description = "The deletion policy for the project created." + type = string + default = "PREVENT" +} diff --git a/modules/service-project-factory/versions.tf b/modules/service-project-factory/versions.tf index 1125f9ca..2af4a5d6 100644 --- a/modules/service-project-factory/versions.tf +++ b/modules/service-project-factory/versions.tf @@ -20,11 +20,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "< 6" + version = "< 7" } google-beta = { source = "hashicorp/google-beta" - version = "< 6" + version = "< 7" } random = { source = "hashicorp/random" diff --git a/modules/v2/README.md b/modules/v2/README.md index 0d954b25..a0f1d1e2 100644 --- a/modules/v2/README.md +++ b/modules/v2/README.md @@ -40,6 +40,7 @@ Functional examples are included in the |------|-------------|------|---------|:--------:| | binary\_authorization | Settings for the Binary Authorization feature. |
object({
breakglass_justification = optional(bool) # If present, indicates to use Breakglass using this justification. If useDefault is False, then it must be empty. For more information on breakglass, see https://cloud.google.com/binary-authorization/docs/using-breakglass
use_default = optional(bool) #If True, indicates to use the default project's binary authorization policy. If False, binary authorization will be disabled.
})
| `null` | no | | client | Arbitrary identifier for the API client and version identifier |
object({
name = optional(string, null)
version = optional(string, null)
})
| `{}` | no | +| cloud\_run\_deletion\_protection | This field prevents Terraform from destroying or recreating the Cloud Run v2 Jobs and Services | `bool` | `true` | no | | containers | Map of container images for the service |
list(object({
container_name = optional(string, null)
container_image = string
working_dir = optional(string, null)
depends_on_container = optional(list(string), null)
container_args = optional(list(string), null)
container_command = optional(list(string), null)
env_vars = optional(map(string), {})
env_secret_vars = optional(map(object({
secret = string
version = string
})), {})
volume_mounts = optional(list(object({
name = string
mount_path = string
})), [])
ports = optional(object({
name = optional(string, "http1")
container_port = optional(number, 8080)
}), {})
resources = optional(object({
limits = optional(object({
cpu = optional(string)
memory = optional(string)
}))
cpu_idle = optional(bool, true)
startup_cpu_boost = optional(bool, false)
}), {})
startup_probe = optional(object({
failure_threshold = optional(number, null)
initial_delay_seconds = optional(number, null)
timeout_seconds = optional(number, null)
period_seconds = optional(number, null)
http_get = optional(object({
path = optional(string)
port = optional(string)
http_headers = optional(list(object({
name = string
value = string
})), [])
}), null)
tcp_socket = optional(object({
port = optional(number)
}), null)
grpc = optional(object({
port = optional(number)
service = optional(string)
}), null)
}), null)
liveness_probe = optional(object({
failure_threshold = optional(number, null)
initial_delay_seconds = optional(number, null)
timeout_seconds = optional(number, null)
period_seconds = optional(number, null)
http_get = optional(object({
path = optional(string)
port = optional(string)
http_headers = optional(list(object({
name = string
value = string
})), null)
}), null)
grpc = optional(object({
port = optional(number)
service = optional(string)
}), null)
}), null)
}))
| n/a | yes | | create\_service\_account | Create a new service account for cloud run service | `bool` | `true` | no | | custom\_audiences | One or more custom audiences that you want this service to support. Specify each custom audience as the full URL in a string. Refer https://cloud.google.com/run/docs/configuring/custom-audiences | `list(string)` | `null` | no | diff --git a/modules/v2/main.tf b/modules/v2/main.tf index 86b17a00..11239205 100644 --- a/modules/v2/main.tf +++ b/modules/v2/main.tf @@ -57,6 +57,8 @@ resource "google_cloud_run_v2_service" "main" { description = var.description labels = var.service_labels + deletion_protection = var.cloud_run_deletion_protection + template { revision = var.revision labels = var.template_labels diff --git a/modules/v2/variables.tf b/modules/v2/variables.tf index a14c8e6f..8fb549e2 100644 --- a/modules/v2/variables.tf +++ b/modules/v2/variables.tf @@ -320,3 +320,9 @@ variable "service_account_project_roles" { description = "Roles to grant to the newly created cloud run SA in specified project. Should be used with create_service_account set to true and no input for service_account" default = [] } + +variable "cloud_run_deletion_protection" { + type = bool + description = "This field prevents Terraform from destroying or recreating the Cloud Run v2 Jobs and Services" + default = true +} diff --git a/modules/v2/versions.tf b/modules/v2/versions.tf index 2d3e12e7..ac7a6f58 100644 --- a/modules/v2/versions.tf +++ b/modules/v2/versions.tf @@ -20,11 +20,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "< 6" + version = "< 7" } google-beta = { source = "hashicorp/google-beta" - version = "< 6" + version = "< 7" } } diff --git a/test/fixtures/secure_cloud_run/harness.tf b/test/fixtures/secure_cloud_run/harness.tf index 587323f5..a3f9fc2f 100644 --- a/test/fixtures/secure_cloud_run/harness.tf +++ b/test/fixtures/secure_cloud_run/harness.tf 
@@ -47,13 +47,14 @@ data "terraform_remote_state" "sfb-env-prod" { module "serverless_project" { source = "terraform-google-modules/project-factory/google" - version = "~> 15.0" + version = "~> 17.0" name = "ci-cloud-run" random_project_id = "true" org_id = var.org_id folder_id = local.folder_id billing_account = var.billing_account + deletion_policy = "DELETE" svpc_host_project_id = data.terraform_remote_state.sfb-network-prod.outputs.restricted_host_project_id vpc_service_control_attach_enabled = true @@ -74,13 +75,14 @@ module "serverless_project" { module "kms_project" { source = "terraform-google-modules/project-factory/google" - version = "~> 15.0" + version = "~> 17.0" name = "ci-cloud-run-kms" random_project_id = "true" org_id = var.org_id folder_id = local.folder_id billing_account = var.billing_account + deletion_policy = "DELETE" svpc_host_project_id = data.terraform_remote_state.sfb-network-prod.outputs.restricted_host_project_id vpc_service_control_attach_enabled = true diff --git a/test/setup/main.tf b/test/setup/main.tf index a1e095e6..bc590b29 100644 --- a/test/setup/main.tf +++ b/test/setup/main.tf @@ -16,7 +16,7 @@ module "project" { source = "terraform-google-modules/project-factory/google" - version = "~> 15.0" + version = "~> 17.0" name = "ci-cloud-run" random_project_id = "true" @@ -24,6 +24,7 @@ module "project" { folder_id = var.folder_id billing_account = var.billing_account default_service_account = "keep" + deletion_policy = "DELETE" activate_apis = [ "cloudresourcemanager.googleapis.com", diff --git a/test/setup/outputs.tf b/test/setup/outputs.tf index 0752324b..c4fd0400 100644 --- a/test/setup/outputs.tf +++ b/test/setup/outputs.tf @@ -31,3 +31,7 @@ output "verified_domain_name" { value = [] } +output "cloud_run_deletion_protection" { + description = "This field prevents Terraform from destroying or recreating the Cloud Run Jobs and Services. Set to `false` in integration tests." + value = false +} 
diff --git a/versions.tf b/versions.tf index b3518ebf..964e0070 100644 --- a/versions.tf +++ b/versions.tf @@ -20,11 +20,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "< 6" + version = "< 7" } google-beta = { source = "hashicorp/google-beta" - version = "< 6" + version = "< 7" } }