From 149d3af18dcb55926a459cb5a80cfafd816b7643 Mon Sep 17 00:00:00 2001 From: Daniel Andrade Date: Fri, 1 Nov 2024 23:37:04 -0300 Subject: [PATCH 01/10] upgrade modules to user provider v6 --- modules/job-exec/versions.tf | 2 +- modules/secure-cloud-run-core/loadbalancer.tf | 5 +++-- modules/secure-cloud-run-core/versions.tf | 4 ++-- modules/secure-cloud-run-security/versions.tf | 4 ++-- modules/secure-cloud-run/main.tf | 4 ++-- modules/secure-cloud-run/versions.tf | 4 ++-- modules/secure-serverless-harness/README.md | 1 + modules/secure-serverless-harness/main.tf | 15 ++++++++++----- modules/secure-serverless-harness/variables.tf | 6 ++++++ modules/secure-serverless-harness/versions.tf | 4 ++-- modules/secure-serverless-net/versions.tf | 4 ++-- modules/service-project-factory/main.tf | 7 +++++-- modules/service-project-factory/variables.tf | 6 ++++++ modules/service-project-factory/versions.tf | 4 ++-- modules/v2/versions.tf | 4 ++-- test/setup/main.tf | 3 ++- versions.tf | 4 ++-- 17 files changed, 52 insertions(+), 29 deletions(-) diff --git a/modules/job-exec/versions.tf b/modules/job-exec/versions.tf index d386aafc..d1578137 100644 --- a/modules/job-exec/versions.tf +++ b/modules/job-exec/versions.tf @@ -24,7 +24,7 @@ terraform { } google = { source = "hashicorp/google" - version = "< 6" + version = "< 7" } } provider_meta "google" { diff --git a/modules/secure-cloud-run-core/loadbalancer.tf b/modules/secure-cloud-run-core/loadbalancer.tf index 5023c5fa..d1b563ae 100644 --- a/modules/secure-cloud-run-core/loadbalancer.tf +++ b/modules/secure-cloud-run-core/loadbalancer.tf @@ -19,8 +19,9 @@ locals { } module "lb-http" { - source = "GoogleCloudPlatform/lb-http/google//modules/serverless_negs" - version = "~> 11.0" + source = "GoogleCloudPlatform/lb-http/google//modules/serverless_negs" + version = "~> 12.0" + name = var.lb_name project = var.project_id ssl = true 
diff --git a/modules/secure-cloud-run-core/versions.tf b/modules/secure-cloud-run-core/versions.tf index 6000cf7b..ae4ce341 100644 --- a/modules/secure-cloud-run-core/versions.tf +++ b/modules/secure-cloud-run-core/versions.tf @@ -20,11 +20,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "< 6" + version = "< 7" } google-beta = { source = "hashicorp/google-beta" - version = "< 6" + version = "< 7" } random = { source = "hashicorp/random" diff --git a/modules/secure-cloud-run-security/versions.tf b/modules/secure-cloud-run-security/versions.tf index 3a382e43..70e268c7 100644 --- a/modules/secure-cloud-run-security/versions.tf +++ b/modules/secure-cloud-run-security/versions.tf @@ -20,11 +20,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "< 6" + version = "< 7" } google-beta = { source = "hashicorp/google-beta" - version = "< 6" + version = "< 7" } } diff --git a/modules/secure-cloud-run/main.tf b/modules/secure-cloud-run/main.tf index acce7cbe..de8308b3 100644 --- a/modules/secure-cloud-run/main.tf +++ b/modules/secure-cloud-run/main.tf @@ -16,7 +16,7 @@ module "serverless_project_apis" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 15.0" + version = "~> 17.0" project_id = var.serverless_project_id disable_services_on_destroy = false @@ -32,7 +32,7 @@ module "serverless_project_apis" { module "vpc_project_apis" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 15.0" + version = "~> 17.0" project_id = var.vpc_project_id disable_services_on_destroy = false diff --git a/modules/secure-cloud-run/versions.tf b/modules/secure-cloud-run/versions.tf index ac50ac95..6c968311 100644 --- a/modules/secure-cloud-run/versions.tf +++ b/modules/secure-cloud-run/versions.tf 
@@ -20,11 +20,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "< 6" + version = "< 7" } google-beta = { source = "hashicorp/google-beta" - version = "< 6" + version = "< 7" } } diff --git a/modules/secure-serverless-harness/README.md b/modules/secure-serverless-harness/README.md index ae592941..d4111a73 100644 --- a/modules/secure-serverless-harness/README.md +++ b/modules/secure-serverless-harness/README.md @@ -76,6 +76,7 @@ module "secure_cloud_run_harness" { | parent\_folder\_id | The ID of a folder to host the infrastructure created in this module. | `string` | `""` | no | | prevent\_destroy | Set the prevent\_destroy lifecycle attribute on keys. | `bool` | `true` | no | | private\_service\_connect\_ip | The internal IP to be used for the private service connect. | `string` | n/a | yes | +| project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no | | region | The region in which the subnetwork will be created. | `string` | n/a | yes | | security\_project\_extra\_apis | The extra APIs to be enabled during security project creation. | `list(string)` | `[]` | no | | security\_project\_name | The name to give the security project. | `string` | n/a | yes | diff --git a/modules/secure-serverless-harness/main.tf b/modules/secure-serverless-harness/main.tf index a7a6b8cd..c2167d09 100644 --- a/modules/secure-serverless-harness/main.tf +++ b/modules/secure-serverless-harness/main.tf @@ -49,9 +49,10 @@ resource "google_folder" "fld_serverless" { } module "network_project" { - count = var.use_shared_vpc ? 1 : 0 - source = "terraform-google-modules/project-factory/google" - version = "~> 15.0" + source = "terraform-google-modules/project-factory/google" + version = "~> 17.0" + count = var.use_shared_vpc ? 1 : 0 + random_project_id = "true" activate_apis = local.network_apis name = var.network_project_name 
@@ -60,13 +61,15 @@ module "network_project" { folder_id = google_folder.fld_serverless.name disable_services_on_destroy = var.disable_services_on_destroy + deletion_policy = var.project_deletion_policy enable_shared_vpc_host_project = true } module "security_project" { - source = "terraform-google-modules/project-factory/google" - version = "~> 15.0" + source = "terraform-google-modules/project-factory/google" + version = "~> 17.0" + random_project_id = "true" activate_apis = local.kms_apis name = var.security_project_name @@ -75,6 +78,7 @@ module "security_project" { folder_id = google_folder.fld_serverless.name disable_services_on_destroy = var.disable_services_on_destroy + deletion_policy = var.project_deletion_policy } module "serverless_project" { @@ -89,6 +93,7 @@ module "serverless_project" { folder_name = google_folder.fld_serverless.name project_name = each.value service_account_project_roles = try(var.service_account_project_roles[each.value], []) + project_deletion_policy = var.project_deletion_policy disable_services_on_destroy = var.disable_services_on_destroy } diff --git a/modules/secure-serverless-harness/variables.tf b/modules/secure-serverless-harness/variables.tf index ac62f0ac..9456121b 100644 --- a/modules/secure-serverless-harness/variables.tf +++ b/modules/secure-serverless-harness/variables.tf @@ -238,3 +238,9 @@ variable "time_to_wait_vpc_sc_propagation" { description = "The time to wait VPC-SC propagation when applying and destroying." default = "180s" } + +variable "project_deletion_policy" { + description = "The deletion policy for the project created." + type = string + default = "PREVENT" +} diff --git a/modules/secure-serverless-harness/versions.tf b/modules/secure-serverless-harness/versions.tf index b5f37026..ad596a45 100644 --- a/modules/secure-serverless-harness/versions.tf +++ b/modules/secure-serverless-harness/versions.tf 
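Review bot: The single `project_deletion_policy` value is applied here to the network host project, a few lines below to `security_project` (the project activating `local.kms_apis`, i.e. the one holding the CMEK keys) and, in the third hunk, to every `serverless_project`, so an operator who wants `DELETE` for disposable serverless projects must also lower the protection on the key-hosting project. If that coupling is intended, a comment on the `deletion_policy` line of `security_project`, e.g. `# Shared with the network and serverless projects via var.project_deletion_policy`, would make it explicit; otherwise a separate variable for the security project would let it keep `PREVENT` on its own. The module blocks start before and continue past this hunk.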
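Review bot: The new `project_deletion_policy` variable accepts any string, so a typo such as `"DELETE "` or `"prevent"` is only rejected when the provider processes the downstream `google_project`, far from where the value was set. A `validation` block pinning the value to the provider's documented set would fail fast at plan time; the same applies to the identical variable added to `modules/service-project-factory/variables.tf` in the later hunk of this patch.
```hcl
variable "project_deletion_policy" {
  description = "The deletion policy for the project created."
  type        = string
  default     = "PREVENT"

  validation {
    condition     = contains(["PREVENT", "ABANDON", "DELETE"], var.project_deletion_policy)
    error_message = "project_deletion_policy must be one of PREVENT, ABANDON or DELETE."
  }
}
```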
@@ -20,11 +20,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "< 6" + version = "< 7" } google-beta = { source = "hashicorp/google-beta" - version = "< 6" + version = "< 7" } random = { source = "hashicorp/random" diff --git a/modules/secure-serverless-net/versions.tf b/modules/secure-serverless-net/versions.tf index 9cc77c72..f2af504f 100644 --- a/modules/secure-serverless-net/versions.tf +++ b/modules/secure-serverless-net/versions.tf @@ -20,11 +20,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "< 6" + version = "< 7" } google-beta = { source = "hashicorp/google-beta" - version = "< 6" + version = "< 7" } } diff --git a/modules/service-project-factory/main.tf b/modules/service-project-factory/main.tf index 4d4f47f2..04848dd4 100644 --- a/modules/service-project-factory/main.tf +++ b/modules/service-project-factory/main.tf @@ -15,8 +15,9 @@ */ module "serverless_project" { - source = "terraform-google-modules/project-factory/google" - version = "~> 15.0" + source = "terraform-google-modules/project-factory/google" + version = "~> 17.0" + random_project_id = "true" activate_apis = var.activate_apis name = var.project_name @@ -24,6 +25,8 @@ module "serverless_project" { billing_account = var.billing_account folder_id = var.folder_name disable_services_on_destroy = var.disable_services_on_destroy + deletion_policy = var.project_deletion_policy + svpc_host_project_id = var.network_project_id grant_network_role = var.network_project_id != "" ? true : false diff --git a/modules/service-project-factory/variables.tf b/modules/service-project-factory/variables.tf index 3e9cfd27..b95d1fb2 100644 --- a/modules/service-project-factory/variables.tf +++ b/modules/service-project-factory/variables.tf 
@@ -66,3 +66,9 @@ variable "service_account_project_roles" { description = "Common roles to apply to the Cloud Run service account in the serverless project." default = [] } + +variable "project_deletion_policy" { + description = "The deletion policy for the project created." + type = string + default = "PREVENT" +} diff --git a/modules/service-project-factory/versions.tf b/modules/service-project-factory/versions.tf index 1125f9ca..2af4a5d6 100644 --- a/modules/service-project-factory/versions.tf +++ b/modules/service-project-factory/versions.tf @@ -20,11 +20,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "< 6" + version = "< 7" } google-beta = { source = "hashicorp/google-beta" - version = "< 6" + version = "< 7" } random = { source = "hashicorp/random" diff --git a/modules/v2/versions.tf b/modules/v2/versions.tf index 2d3e12e7..ac7a6f58 100644 --- a/modules/v2/versions.tf +++ b/modules/v2/versions.tf @@ -20,11 +20,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "< 6" + version = "< 7" } google-beta = { source = "hashicorp/google-beta" - version = "< 6" + version = "< 7" } } diff --git a/test/setup/main.tf b/test/setup/main.tf index a1e095e6..bc590b29 100644 --- a/test/setup/main.tf +++ b/test/setup/main.tf @@ -16,7 +16,7 @@ module "project" { source = "terraform-google-modules/project-factory/google" - version = "~> 15.0" + version = "~> 17.0" name = "ci-cloud-run" random_project_id = "true" @@ -24,6 +24,7 @@ module "project" { folder_id = var.folder_id billing_account = var.billing_account default_service_account = "keep" + deletion_policy = "DELETE" activate_apis = [ "cloudresourcemanager.googleapis.com", diff --git a/versions.tf b/versions.tf index b3518ebf..964e0070 100644 --- a/versions.tf +++ b/versions.tf 
@@ -20,11 +20,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "< 6" + version = "< 7" } google-beta = { source = "hashicorp/google-beta" - version = "< 6" + version = "< 7" } } From 50cc55dc61f8e7333cb16ea3769ac130e4c0f408 Mon Sep 17 00:00:00 2001 From: Daniel Andrade Date: Fri, 1 Nov 2024 23:43:51 -0300 Subject: [PATCH 02/10] add missing project_deletion_policy flag in example --- examples/secure_cloud_run_standalone/main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/secure_cloud_run_standalone/main.tf b/examples/secure_cloud_run_standalone/main.tf index bdf2491a..ab9f7af7 100644 --- a/examples/secure_cloud_run_standalone/main.tf +++ b/examples/secure_cloud_run_standalone/main.tf @@ -51,6 +51,7 @@ module "secure_harness" { egress_policies = var.egress_policies ingress_policies = var.ingress_policies base_serverless_api = "run.googleapis.com" + project_deletion_policy = "DELETE" } resource "null_resource" "copy_image" { From c1824c41cf3374cff02b39977eef82e41737d129 Mon Sep 17 00:00:00 2001 From: Daniel Andrade Date: Mon, 4 Nov 2024 10:19:02 -0300 Subject: [PATCH 03/10] use project-factory v17 in fixture --- test/fixtures/secure_cloud_run/harness.tf | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/test/fixtures/secure_cloud_run/harness.tf b/test/fixtures/secure_cloud_run/harness.tf index 587323f5..a3f9fc2f 100644 --- a/test/fixtures/secure_cloud_run/harness.tf +++ b/test/fixtures/secure_cloud_run/harness.tf 
@@ -47,13 +47,14 @@ data "terraform_remote_state" "sfb-env-prod" { module "serverless_project" { source = "terraform-google-modules/project-factory/google" - version = "~> 15.0" + version = "~> 17.0" name = "ci-cloud-run" random_project_id = "true" org_id = var.org_id folder_id = local.folder_id billing_account = var.billing_account + deletion_policy = "DELETE" svpc_host_project_id = data.terraform_remote_state.sfb-network-prod.outputs.restricted_host_project_id vpc_service_control_attach_enabled = true @@ -74,13 +75,14 @@ module "serverless_project" { module "kms_project" { source = "terraform-google-modules/project-factory/google" - version = "~> 15.0" + version = "~> 17.0" name = "ci-cloud-run-kms" random_project_id = "true" org_id = var.org_id folder_id = local.folder_id billing_account = var.billing_account + deletion_policy = "DELETE" svpc_host_project_id = data.terraform_remote_state.sfb-network-prod.outputs.restricted_host_project_id vpc_service_control_attach_enabled = true From d4c748f24e689c7892e1b9ff89ee856de43686af Mon Sep 17 00:00:00 2001 From: Daniel Andrade Date: Mon, 4 Nov 2024 10:19:41 -0300 Subject: [PATCH 04/10] add upgrading guide form 0.13 to 0.14 --- ...ing_to_cloud_run_v2_v0.14.0_from_v0.13.0.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md diff --git a/docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md b/docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md new file mode 100644 index 00000000..ccf44620 --- /dev/null +++ b/docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md 
@@ -0,0 +1,18 @@ +# Upgrading to cloud-run v2 v0.14.0 from v0.13.0 + +The cloud-run/v2 release v0.13.0 is backward incompatible. + +## Google Cloud Provider Project deletion_policy + +The `deletion_policy` for projects now defaults to `"PREVENT"` rather than `"DELETE"`. +This aligns with the behavior in Google Cloud Platform Provider v6+. +To maintain the old behavior you can set `project_deletion_policy = "DELETE"` in the modules that create projects: `service-project-factory` and `secure-serverless-harness`. + +```diff + module "secure-serverless-harness" { +- version = "~> 0.13.0" ++ version = "~> 0.14.0" + ++ project_deletion_policy = "DELETE" +} +``` From 88bbe1d5e3190a3c92d42c6566e7ab8e7f41f459 Mon Sep 17 00:00:00 2001 From: Daniel Andrade Date: Mon, 4 Nov 2024 10:56:41 -0300 Subject: [PATCH 05/10] upgrade version to release v0.14 --- examples/secure_cloud_run_standalone/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/secure_cloud_run_standalone/main.tf b/examples/secure_cloud_run_standalone/main.tf index ab9f7af7..7fa697e0 100644 --- a/examples/secure_cloud_run_standalone/main.tf +++ b/examples/secure_cloud_run_standalone/main.tf @@ -28,7 +28,7 @@ resource "random_id" "random_folder_suffix" { module "secure_harness" { source = "GoogleCloudPlatform/cloud-run/google//modules/secure-serverless-harness" - version = "~> 0.13" + version = "~> 0.14" billing_account = var.billing_account security_project_name = "prj-kms-secure-cloud-run" From 9d2fd569281883aab87f3711600ee66db7c9e5a4 Mon Sep 17 00:00:00 2001 From: Daniel Andrade Date: Mon, 4 Nov 2024 10:57:14 -0300 Subject: [PATCH 06/10] remove min_throughput and max_throughput due to conflict with min_instances and max_instances --- modules/secure-serverless-net/network.tf | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/modules/secure-serverless-net/network.tf b/modules/secure-serverless-net/network.tf index 75d267c9..21792bfe 100644 
--- a/modules/secure-serverless-net/network.tf +++ b/modules/secure-serverless-net/network.tf @@ -35,14 +35,12 @@ resource "google_compute_subnetwork" "vpc_subnetwork" { } resource "google_vpc_access_connector" "serverless_connector" { - name = "${var.connector_name}${local.suffix}" - region = var.location - project = var.connector_on_host_project ? var.vpc_project_id : var.serverless_project_id - machine_type = "e2-micro" - min_instances = 2 - max_instances = 10 - min_throughput = 200 - max_throughput = 1000 + name = "${var.connector_name}${local.suffix}" + region = var.location + project = var.connector_on_host_project ? var.vpc_project_id : var.serverless_project_id + machine_type = "e2-micro" + min_instances = 2 + max_instances = 10 subnet { name = local.subnet_name project_id = var.vpc_project_id From 4e2de9b7d5e5414d8daaef083b945cfa724f599e Mon Sep 17 00:00:00 2001 From: Daniel Andrade Date: Mon, 4 Nov 2024 19:21:08 -0300 Subject: [PATCH 07/10] Update docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md Co-authored-by: Andrew Peabody --- docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md b/docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md index ccf44620..0ee8ca3b 100644 --- a/docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md +++ b/docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md @@ -1,6 +1,6 @@ # Upgrading to cloud-run v2 v0.14.0 from v0.13.0 -The cloud-run/v2 release v0.13.0 is backward incompatible. +The cloud-run/v2 release v0.14.0 is backward incompatible. ## Google Cloud Provider Project deletion_policy From 2be7f95d4be7721726e045d6b5da15b123c03962 Mon Sep 17 00:00:00 2001 
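Review bot: Dropping `min_throughput`/`max_throughput` from `google_vpc_access_connector.serverless_connector` is a behaviour change for existing deployments that the upgrading guide added in this series does not mention. A sentence in the guide along the lines of "The serverless VPC connector is now sized only by `min_instances`/`max_instances`; the throughput fields were removed because they conflict with the instance fields" would help upgraders, and whether the provider plans an in-place update or no change for an already-created connector should be confirmed before release. The remaining six `+` lines only re-align the surviving attributes.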
From: Daniel Andrade Date: Mon, 4 Nov 2024 19:39:38 -0300 Subject: [PATCH 08/10] add support for configuring deletion_protection in folders --- docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md | 6 ++++-- examples/secure_cloud_run_standalone/main.tf | 1 + modules/secure-serverless-harness/README.md | 1 + modules/secure-serverless-harness/main.tf | 5 +++-- modules/secure-serverless-harness/variables.tf | 6 ++++++ 5 files changed, 15 insertions(+), 4 deletions(-) diff --git a/docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md b/docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md index ccf44620..6394a84a 100644 --- a/docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md +++ b/docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md @@ -5,14 +5,16 @@ The cloud-run/v2 release v0.13.0 is backward incompatible. ## Google Cloud Provider Project deletion_policy The `deletion_policy` for projects now defaults to `"PREVENT"` rather than `"DELETE"`. +The `deletion_protection` for folders now defaults to `true` rather than `false`. This aligns with the behavior in Google Cloud Platform Provider v6+. -To maintain the old behavior you can set `project_deletion_policy = "DELETE"` in the modules that create projects: `service-project-factory` and `secure-serverless-harness`. +To maintain the old behavior set `project_deletion_policy = "DELETE"` in the modules that create projects: `service-project-factory` and `secure-serverless-harness` and set `folder_deletion_protection = false` in the module that creates folders `secure-serverless-harness`. ```diff module "secure-serverless-harness" { - version = "~> 0.13.0" + version = "~> 0.14.0" -+ project_deletion_policy = "DELETE" ++ project_deletion_policy = "DELETE" ++ folder_deletion_protection = false } ``` diff --git a/examples/secure_cloud_run_standalone/main.tf b/examples/secure_cloud_run_standalone/main.tf index 7fa697e0..9db27d4c 100644 --- a/examples/secure_cloud_run_standalone/main.tf 
+++ b/examples/secure_cloud_run_standalone/main.tf @@ -52,6 +52,7 @@ module "secure_harness" { ingress_policies = var.ingress_policies base_serverless_api = "run.googleapis.com" project_deletion_policy = "DELETE" + folder_deletion_protection = false } resource "null_resource" "copy_image" { diff --git a/modules/secure-serverless-harness/README.md b/modules/secure-serverless-harness/README.md index d4111a73..789016cb 100644 --- a/modules/secure-serverless-harness/README.md +++ b/modules/secure-serverless-harness/README.md @@ -63,6 +63,7 @@ module "secure_cloud_run_harness" { | dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no | | egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference), each list object has a `from` and `to` value that describes egress\_from and egress\_to.

Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow identities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions). |
list(object({
from = any
to = any
}))
| `[]` | no | | encrypters | List of comma-separated owners for each key declared in set\_encrypters\_for. | `list(string)` | `[]` | no | +| folder\_deletion\_protection | Prevent Terraform from destroying or recreating the folder. | `string` | `true` | no | | ingress\_policies | A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference), each list object has a `from` and `to` value that describes ingress\_from and ingress\_to.

Example: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`

Valid Values:
`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow identities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`
`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)
`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions). |
list(object({
from = any
to = any
}))
| `[]` | no | | key\_name | Key name. | `string` | n/a | yes | | key\_protection\_level | The protection level to use when creating a version based on this template. Possible values: ["SOFTWARE", "HSM"]. | `string` | `"HSM"` | no | diff --git a/modules/secure-serverless-harness/main.tf b/modules/secure-serverless-harness/main.tf index c2167d09..1c7bf23e 100644 --- a/modules/secure-serverless-harness/main.tf +++ b/modules/secure-serverless-harness/main.tf @@ -44,8 +44,9 @@ locals { } resource "google_folder" "fld_serverless" { - display_name = var.serverless_folder_suffix == "" ? "fldr-serverless" : "fldr-serverless-${var.serverless_folder_suffix}" - parent = var.parent_folder_id == "" ? "organizations/${var.org_id}" : "folders/${var.parent_folder_id}" + display_name = var.serverless_folder_suffix == "" ? "fldr-serverless" : "fldr-serverless-${var.serverless_folder_suffix}" + parent = var.parent_folder_id == "" ? "organizations/${var.org_id}" : "folders/${var.parent_folder_id}" + deletion_protection = var.folder_deletion_protection } module "network_project" { diff --git a/modules/secure-serverless-harness/variables.tf b/modules/secure-serverless-harness/variables.tf index 9456121b..5ab5886c 100644 --- a/modules/secure-serverless-harness/variables.tf +++ b/modules/secure-serverless-harness/variables.tf @@ -244,3 +244,9 @@ variable "project_deletion_policy" { type = string default = "PREVENT" } + +variable "folder_deletion_protection" { + description = "Prevent Terraform from destroying or recreating the folder." + type = string + default = true +} From 2dc8f48e9d8a9cf0baaff386c40e400ee6e2dcfb Mon Sep 17 00:00:00 2001 
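Review bot: `folder_deletion_protection` is declared `type = string` but carries a boolean default and feeds the boolean `deletion_protection` argument of `google_folder.fld_serverless` in the main.tf hunk of this patch; Terraform's implicit conversion makes `true`/`false` work, but any other string is only rejected at plan time with a conversion error, and the generated README row now advertises the variable as `string`. Declaring it `type        = bool` fixes both and matches the `cloud_run_deletion_protection` variables added later in this series.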
From: Daniel Andrade Date: Tue, 5 Nov 2024 15:25:12 -0300 Subject: [PATCH 09/10] add deletion_protection for Cloud Run v2 Jobs and Services --- ...ng_to_cloud_run_v2_v0.14.0_from_v0.13.0.md | 53 +++++++++++++++++-- examples/simple_job_exec/main.tf | 4 +- examples/simple_job_exec/variables.tf | 6 +++ examples/v2/README.md | 1 + examples/v2/main.tf | 5 +- examples/v2/variables.tf | 6 +++ modules/job-exec/README.md | 1 + modules/job-exec/main.tf | 2 + modules/job-exec/variables.tf | 6 +++ modules/v2/README.md | 1 + modules/v2/main.tf | 2 + modules/v2/variables.tf | 6 +++ test/setup/outputs.tf | 4 ++ 13 files changed, 92 insertions(+), 5 deletions(-) diff --git a/docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md b/docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md index 741c663e..28e5feda 100644 --- a/docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md +++ b/docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md 
@@ -2,12 +2,15 @@ The cloud-run/v2 release v0.14.0 is backward incompatible. -## Google Cloud Provider Project deletion_policy +## Google Cloud Provider deletion_policy + +Terraform Google Provider 6.0.0 [added a new field](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/version_6_upgrade) to prevent deletion of some resources. + +### Projects The `deletion_policy` for projects now defaults to `"PREVENT"` rather than `"DELETE"`. -The `deletion_protection` for folders now defaults to `true` rather than `false`. This aligns with the behavior in Google Cloud Platform Provider v6+. -To maintain the old behavior set `project_deletion_policy = "DELETE"` in the modules that create projects: `service-project-factory` and `secure-serverless-harness` and set `folder_deletion_protection = false` in the module that creates folders `secure-serverless-harness`. +To maintain the old behavior set `project_deletion_policy = "DELETE"` in the modules [service-project-factory](../modules/service-project-factory/) and [secure-serverless-harness](../modules/secure-serverless-harness/README.md) ```diff module "secure-serverless-harness" { 
@@ -15,6 +18,50 @@ To maintain the old behavior set `project_deletion_policy = "DELETE"` in the mod + version = "~> 0.14.0" + project_deletion_policy = "DELETE" +} +``` + +### Folder + +The `deletion_protection` for folders was added and defaults to `true`. +This aligns with the behavior in Google Cloud Platform Provider v6+. +To maintain the old behavior set `folder_deletion_protection = false` in the module [secure-serverless-harness](../modules/secure-serverless-harness/README.md). + +```diff + module "secure-serverless-harness" { +- version = "~> 0.13.0" ++ version = "~> 0.14.0" + + folder_deletion_protection = false } ``` + +### Cloud Run v2 Job + +The `deletion_protection` for Cloud Run v2 Jobs was added and defaults to `true`. +This aligns with the behavior in Google Cloud Platform Provider v6+. +To maintain the old behavior set `cloud_run_deletion_protection = false` in the module [job-exec](../modules/job-exec/README.md). + +```diff + module "job-exec" { +- version = "~> 0.13.0" ++ version = "~> 0.14.0" + ++ cloud_run_deletion_protection = false +} +``` + +### Cloud Run v2 Service + +The `deletion_protection` for Cloud Run v2 Services was added and defaults to `true`. +This aligns with the behavior in Google Cloud Platform Provider v6+. +To maintain the old behavior set `cloud_run_deletion_protection = false` in the module [v2](../modules/v2/README.md). + +```diff + module "v2" { +- version = "~> 0.13.0" ++ version = "~> 0.14.0" + ++ cloud_run_deletion_protection = false +} +``` \ No newline at end of file diff --git a/examples/simple_job_exec/main.tf b/examples/simple_job_exec/main.tf index 41c68457..8cb77c7d 100644 --- a/examples/simple_job_exec/main.tf +++ b/examples/simple_job_exec/main.tf 
@@ -16,11 +16,13 @@ module "job" { source = "GoogleCloudPlatform/cloud-run/google//modules/job-exec" - version = "~> 0.13" + version = "~> 0.14" project_id = var.project_id name = "simple-job" location = "us-central1" image = "us-docker.pkg.dev/cloudrun/container/job" exec = true + + cloud_run_deletion_protection = var.cloud_run_deletion_protection } diff --git a/examples/simple_job_exec/variables.tf b/examples/simple_job_exec/variables.tf index f355dcfd..df08153c 100644 --- a/examples/simple_job_exec/variables.tf +++ b/examples/simple_job_exec/variables.tf @@ -18,3 +18,9 @@ variable "project_id" { description = "The project ID to deploy to" type = string } + +variable "cloud_run_deletion_protection" { + type = bool + description = "This field prevents Terraform from destroying or recreating the Cloud Run v2 Jobs and Services" + default = true +} diff --git a/examples/v2/README.md b/examples/v2/README.md index 5298a056..44c04b3d 100644 --- a/examples/v2/README.md +++ b/examples/v2/README.md @@ -18,6 +18,7 @@ This example assumes that below mentioned prerequisites are in place before cons | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| cloud\_run\_deletion\_protection | This field prevents Terraform from destroying or recreating the Cloud Run v2 Jobs and Services | `bool` | `true` | no | | project\_id | The project ID to deploy to | `string` | n/a | yes | ## Outputs diff --git a/examples/v2/main.tf b/examples/v2/main.tf index f2a623d6..89659bcd 100644 --- a/examples/v2/main.tf +++ b/examples/v2/main.tf @@ -16,11 +16,14 @@ module "cloud_run_v2" { source = "GoogleCloudPlatform/cloud-run/google//modules/v2" - version = "~> 0.13" + version = "~> 0.14" service_name = "ci-cloud-run-v2" project_id = var.project_id location = "us-central1" + + cloud_run_deletion_protection = var.cloud_run_deletion_protection + containers = [ { container_image = "us-docker.pkg.dev/cloudrun/container/hello" 
diff --git a/examples/v2/variables.tf b/examples/v2/variables.tf
index f284ef4d..4b5ed2d3 100644
--- a/examples/v2/variables.tf
+++ b/examples/v2/variables.tf
@@ -18,3 +18,9 @@ variable "project_id" {
 description = "The project ID to deploy to"
 type = string
 }
+
+variable "cloud_run_deletion_protection" {
+ type = bool
+ description = "This field prevents Terraform from destroying or recreating the Cloud Run v2 Jobs and Services"
+ default = true
+}
diff --git a/modules/job-exec/README.md b/modules/job-exec/README.md
index a9e0e353..430236ac 100644
--- a/modules/job-exec/README.md
+++ b/modules/job-exec/README.md
@@ -36,6 +36,7 @@ Functional examples are included in the
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | argument | Arguments passed to the ENTRYPOINT command, include these only if image entrypoint needs arguments | `list(string)` | `[]` | no |
+| cloud\_run\_deletion\_protection | This field prevents Terraform from destroying or recreating the Cloud Run v2 Jobs and Services | `bool` | `true` | no |
 | container\_command | Leave blank to use the ENTRYPOINT command defined in the container image, include these only if image entrypoint should be overwritten | `list(string)` | `[]` | no |
 | env\_secret\_vars | Environment variables (Secret Manager) |
list(object({
name = string
value_source = set(object({
secret_key_ref = object({
secret = string
version = optional(string, "latest")
})
}))
}))
| `[]` | no | | env\_vars | Environment variables (cleartext) |
list(object({
value = string
name = string
}))
| `[]` | no | diff --git a/modules/job-exec/main.tf b/modules/job-exec/main.tf index 717491d7..d1039119 100644 --- a/modules/job-exec/main.tf +++ b/modules/job-exec/main.tf @@ -21,6 +21,8 @@ resource "google_cloud_run_v2_job" "job" { launch_stage = var.launch_stage labels = var.labels + deletion_protection = var.cloud_run_deletion_protection + template { labels = var.labels parallelism = var.parallelism diff --git a/modules/job-exec/variables.tf b/modules/job-exec/variables.tf index dc485c0a..ecf2d79d 100644 --- a/modules/job-exec/variables.tf +++ b/modules/job-exec/variables.tf @@ -158,3 +158,9 @@ variable "timeout" { error_message = "The value must be a duration in seconds with up to nine fractional digits, ending with 's'. Example: \"3.5s\"." } } + +variable "cloud_run_deletion_protection" { + type = bool + description = "This field prevents Terraform from destroying or recreating the Cloud Run v2 Jobs and Services" + default = true +} diff --git a/modules/v2/README.md b/modules/v2/README.md index 0d954b25..a0f1d1e2 100644 --- a/modules/v2/README.md +++ b/modules/v2/README.md @@ -40,6 +40,7 @@ Functional examples are included in the |------|-------------|------|---------|:--------:| | binary\_authorization | Settings for the Binary Authorization feature. |
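Review bot: `deletion_protection = var.cloud_run_deletion_protection` on `google_cloud_run_v2_job` uses an attribute that, according to the upgrade document in this same series, only exists from Google provider 6.0, while the diffstat shows modules/job-exec/versions.tf lifting only the upper bound to `< 7`; if that file's lower bound still admits a 5.x provider, a caller pinned there will hit an unsupported-argument error at plan time. If so, raise the floor together with the new attribute, e.g. `version = ">= 6.0, < 7"`. The same applies to `google_cloud_run_v2_service` in modules/v2/main.tf. The resource block starts and ends outside the hunk.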
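Review bot: The description of the new `cloud_run_deletion_protection` variable in modules/job-exec/variables.tf says it guards "Jobs and Services", but as far as this series shows the module wires it only to the `google_cloud_run_v2_job` resource, so the text overstates what the flag protects; `description = "Prevents Terraform from destroying or recreating the Cloud Run v2 Job created by this module"` would match the wiring. The same copied sentence appears in modules/v2/variables.tf, where only a Service is affected, and in the two example variables files. It would also help operators to state in the description that with the default `true` a destroy of the job is refused until the flag is set to `false`, which is the trade-off the upgrade document describes.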
object({
breakglass_justification = optional(bool) # If present, indicates to use Breakglass using this justification. If useDefault is False, then it must be empty. For more information on breakglass, see https://cloud.google.com/binary-authorization/docs/using-breakglass
use_default = optional(bool) #If True, indicates to use the default project's binary authorization policy. If False, binary authorization will be disabled.
})
| `null` | no | | client | Arbitrary identifier for the API client and version identifier |
object({
name = optional(string, null)
version = optional(string, null)
})
| `{}` | no | +| cloud\_run\_deletion\_protection | This field prevents Terraform from destroying or recreating the Cloud Run v2 Jobs and Services | `bool` | `true` | no | | containers | Map of container images for the service |
list(object({
container_name = optional(string, null)
container_image = string
working_dir = optional(string, null)
depends_on_container = optional(list(string), null)
container_args = optional(list(string), null)
container_command = optional(list(string), null)
env_vars = optional(map(string), {})
env_secret_vars = optional(map(object({
secret = string
version = string
})), {})
volume_mounts = optional(list(object({
name = string
mount_path = string
})), [])
ports = optional(object({
name = optional(string, "http1")
container_port = optional(number, 8080)
}), {})
resources = optional(object({
limits = optional(object({
cpu = optional(string)
memory = optional(string)
}))
cpu_idle = optional(bool, true)
startup_cpu_boost = optional(bool, false)
}), {})
startup_probe = optional(object({
failure_threshold = optional(number, null)
initial_delay_seconds = optional(number, null)
timeout_seconds = optional(number, null)
period_seconds = optional(number, null)
http_get = optional(object({
path = optional(string)
port = optional(string)
http_headers = optional(list(object({
name = string
value = string
})), [])
}), null)
tcp_socket = optional(object({
port = optional(number)
}), null)
grpc = optional(object({
port = optional(number)
service = optional(string)
}), null)
}), null)
liveness_probe = optional(object({
failure_threshold = optional(number, null)
initial_delay_seconds = optional(number, null)
timeout_seconds = optional(number, null)
period_seconds = optional(number, null)
http_get = optional(object({
path = optional(string)
port = optional(string)
http_headers = optional(list(object({
name = string
value = string
})), null)
}), null)
grpc = optional(object({
port = optional(number)
service = optional(string)
}), null)
}), null)
}))
| n/a | yes | | create\_service\_account | Create a new service account for cloud run service | `bool` | `true` | no | | custom\_audiences | One or more custom audiences that you want this service to support. Specify each custom audience as the full URL in a string. Refer https://cloud.google.com/run/docs/configuring/custom-audiences | `list(string)` | `null` | no | diff --git a/modules/v2/main.tf b/modules/v2/main.tf index 86b17a00..11239205 100644 --- a/modules/v2/main.tf +++ b/modules/v2/main.tf @@ -57,6 +57,8 @@ resource "google_cloud_run_v2_service" "main" { description = var.description labels = var.service_labels + deletion_protection = var.cloud_run_deletion_protection + template { revision = var.revision labels = var.template_labels diff --git a/modules/v2/variables.tf b/modules/v2/variables.tf index a14c8e6f..8fb549e2 100644 --- a/modules/v2/variables.tf +++ b/modules/v2/variables.tf @@ -320,3 +320,9 @@ variable "service_account_project_roles" { description = "Roles to grant to the newly created cloud run SA in specified project. Should be used with create_service_account set to true and no input for service_account" default = [] } + +variable "cloud_run_deletion_protection" { + type = bool + description = "This field prevents Terraform from destroying or recreating the Cloud Run v2 Jobs and Services" + default = true +} diff --git a/test/setup/outputs.tf b/test/setup/outputs.tf index 0752324b..c4fd0400 100644 --- a/test/setup/outputs.tf +++ b/test/setup/outputs.tf @@ -31,3 +31,7 @@ output "verified_domain_name" { value = [] } +output "cloud_run_deletion_protection" { + description = "This field prevents Terraform from destroying or recreating the Cloud Run Jobs and Services. Set to `false` in integration tests." + value = false +} From 96a65504d12b698bc57e84c3d8554ccf6b889a7d Mon Sep 17 00:00:00 2001 
From: Daniel Andrade
Date: Tue, 5 Nov 2024 17:48:03 -0300
Subject: [PATCH 10/10] lint fix
---
 docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md b/docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md
index 28e5feda..883d574e 100644
--- a/docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md
+++ b/docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md
@@ -64,4 +64,4 @@ To maintain the old behavior set `cloud_run_deletion_protection = false` in the
 
 + cloud_run_deletion_protection = false
 }
-```
\ No newline at end of file
+```