Merge branch 'master' into renovate/terraform-google-modules-vpc-serv…

…ice-controls-google-6.x

.github/workflows/go-lint.yaml

@@ -37,7 +37,7 @@ jobs:
         folder: [helpers/foundation-deployer]
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version-file: ${{ matrix.folder }}/go.mod
           cache-dependency-path: ${{ matrix.folder }}/go.sum

.github/workflows/go-test.yaml

@@ -39,7 +39,7 @@ jobs:
         folder: [helpers/foundation-deployer]
     steps:
     - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-    - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+    - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
         go-version-file: ${{ matrix.folder }}/go.mod
         cache-dependency-path: ${{ matrix.folder }}/go.sum

0-bootstrap/modules/tfc-agent-gke/versions.tf

@@ -35,7 +35,7 @@ terraform {
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-google-tf-cloud-agents:tfc-agent-gke/v4.0.0"
+    module_name = "blueprints/terraform/terraform-google-tf-cloud-agents:tfc-agent-gke/v4.1.0"
   }
 }
 

0-bootstrap/versions.tf

@@ -43,7 +43,7 @@ terraform {
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-example-foundation:bootstrap/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:bootstrap/v4.1.0"
   }
 
 }

1-org/envs/shared/README.md

@@ -9,6 +9,7 @@
 | data\_access\_logs\_enabled | Enable Data Access logs of types DATA\_READ, DATA\_WRITE for all GCP services. Enabling Data Access logs might result in your organization being charged for the additional logs usage. See https://cloud.google.com/logging/docs/audit#data-access The ADMIN\_READ logs are enabled by default. | `bool` | `false` | no |
 | domains\_to\_allow | The list of domains to allow users from in IAM. Used by Domain Restricted Sharing Organization Policy. Must include the domain of the organization you are deploying the foundation. To add other domains you must also grant access to these domains to the Terraform Service Account used in the deploy. | `list(string)` | n/a | yes |
 | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no |
+| enable\_scc\_resources\_in\_terraform | Create Security Command Center resources in Terraform. If your organization has newly enabled any preview features for SCC and get an error related to the v2 API, you must set this variable to false because the v2 API does not yet support Terraform resources. See [issue 1189](https://github.com/terraform-google-modules/terraform-example-foundation/issues/1189) for context. | `bool` | `false` | no |
 | enforce\_allowed\_worker\_pools | Whether to enforce the organization policy restriction on allowed worker pools for Cloud Build. | `bool` | `false` | no |
 | essential\_contacts\_domains\_to\_allow | The list of domains that email addresses added to Essential Contacts can have. | `list(string)` | n/a | yes |
 | essential\_contacts\_language | Essential Contacts preferred language for notifications, as a ISO 639-1 language code. See [Supported languages](https://cloud.google.com/resource-manager/docs/managing-notification-contacts#supported-languages) for a list of supported languages. | `string` | `"en"` | no |

1-org/envs/shared/cai_monitoring.tf

@@ -15,11 +15,11 @@
  */
 
 module "cai_monitoring" {
-  source = "../../modules/cai-monitoring"
-
+  source                = "../../modules/cai-monitoring"
+  count                 = var.enable_scc_resources_in_terraform ? 1 : 0
   org_id                = local.org_id
   billing_account       = local.billing_account
   project_id            = module.scc_notifications.project_id
   location              = local.default_region
-  build_service_account = "projects/${module.scc_notifications.project_id}/serviceAccounts/${google_service_account.cai_monitoring_builder.email}"
+  build_service_account = "projects/${module.scc_notifications.project_id}/serviceAccounts/${google_service_account.cai_monitoring_builder[0].email}"
 }

1-org/envs/shared/iam.tf

@@ -169,7 +169,7 @@ resource "google_organization_iam_member" "org_scc_admin" {
 }
 
 resource "google_project_iam_member" "project_scc_admin" {
-  count   = var.gcp_groups.scc_admin != null ? 1 : 0
+  count   = var.gcp_groups.scc_admin != null && var.enable_scc_resources_in_terraform ? 1 : 0
   project = module.scc_notifications.project_id
   role    = "roles/securitycenter.adminEditor"
   member  = "group:${var.gcp_groups.scc_admin}"
@@ -191,11 +191,12 @@ resource "google_project_iam_member" "kms_admin" {
 
 resource "google_project_iam_member" "cai_monitoring_builder" {
   project = module.scc_notifications.project_id
-  for_each = toset([
-    "roles/logging.logWriter",
-    "roles/storage.objectViewer",
-    "roles/artifactregistry.writer",
-  ])
+  for_each = toset(var.enable_scc_resources_in_terraform ?
+    [
+      "roles/logging.logWriter",
+      "roles/storage.objectViewer",
+      "roles/artifactregistry.writer",
+  ] : [])
   role   = each.key
-  member = "serviceAccount:${google_service_account.cai_monitoring_builder.email}"
+  member = "serviceAccount:${google_service_account.cai_monitoring_builder[0].email}"
 }

1-org/envs/shared/outputs.tf

@@ -75,7 +75,7 @@ output "interconnect_project_number" {
 }
 
 output "scc_notifications_project_id" {
-  value       = module.scc_notifications.project_id
+  value       = try(module.scc_notifications.project_id, null)
   description = "The SCC notifications project ID"
 }
 
@@ -140,21 +140,21 @@ output "shared_vpc_projects" {
 }
 
 output "cai_monitoring_artifact_registry" {
-  value       = module.cai_monitoring.artifact_registry_name
+  value       = try(module.cai_monitoring[0].artifact_registry_name, null)
   description = "CAI Monitoring Cloud Function Artifact Registry name."
 }
 
 output "cai_monitoring_asset_feed" {
-  value       = module.cai_monitoring.asset_feed_name
+  value       = try(module.cai_monitoring[0].asset_feed_name, null)
   description = "CAI Monitoring Cloud Function Organization Asset Feed name."
 }
 
 output "cai_monitoring_bucket" {
-  value       = module.cai_monitoring.bucket_name
+  value       = try(module.cai_monitoring[0].bucket_name, null)
   description = "CAI Monitoring Cloud Function Source Bucket name."
 }
 
 output "cai_monitoring_topic" {
-  value       = module.cai_monitoring.topic_name
+  value       = try(module.cai_monitoring[0].topic_name, null)
   description = "CAI Monitoring Cloud Function Pub/Sub Topic name."
 }

1-org/envs/shared/sa.tf

@@ -16,6 +16,7 @@
 
 resource "google_service_account" "cai_monitoring_builder" {
   project                      = module.scc_notifications.project_id
+  count                        = var.enable_scc_resources_in_terraform ? 1 : 0
   account_id                   = "cai-monitoring-builder"
   description                  = "Cloud Functions has an underlying dependency on Cloud Build and other services. This service account allows Cloud Build to provision the necessary resources for Cloud Functions."
   create_ignore_already_exists = true

1-org/envs/shared/scc_notification.tf

@@ -19,21 +19,24 @@
 *****************************************/
 
 resource "google_pubsub_topic" "scc_notification_topic" {
+  count   = var.enable_scc_resources_in_terraform ? 1 : 0
   name    = "top-scc-notification"
   project = module.scc_notifications.project_id
 }
 
 resource "google_pubsub_subscription" "scc_notification_subscription" {
+  count   = var.enable_scc_resources_in_terraform ? 1 : 0
   name    = "sub-scc-notification"
-  topic   = google_pubsub_topic.scc_notification_topic.name
+  topic   = google_pubsub_topic.scc_notification_topic[0].name
   project = module.scc_notifications.project_id
 }
 
 resource "google_scc_notification_config" "scc_notification_config" {
+  count        = var.enable_scc_resources_in_terraform ? 1 : 0
   config_id    = var.scc_notification_name
   organization = local.org_id
   description  = "SCC Notification for all active findings"
-  pubsub_topic = google_pubsub_topic.scc_notification_topic.id
+  pubsub_topic = google_pubsub_topic.scc_notification_topic[0].id
 
   streaming_config {
     filter = var.scc_notification_filter

1-org/envs/shared/variables.tf

@@ -20,6 +20,12 @@ variable "enable_hub_and_spoke" {
   default     = false
 }
 
+variable "enable_scc_resources_in_terraform" {
+  description = "Create Security Command Center resources in Terraform. If your organization has newly enabled any preview features for SCC and get an error related to the v2 API, you must set this variable to false because the v2 API does not yet support Terraform resources. See [issue 1189](https://github.com/terraform-google-modules/terraform-example-foundation/issues/1189) for context."
+  type        = bool
+  default     = false
+}
+
 variable "domains_to_allow" {
   description = "The list of domains to allow users from in IAM. Used by Domain Restricted Sharing Organization Policy. Must include the domain of the organization you are deploying the foundation. To add other domains you must also grant access to these domains to the Terraform Service Account used in the deploy."
   type        = list(string)

1-org/envs/shared/versions.tf

@@ -31,10 +31,10 @@ terraform {
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-example-foundation:org/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:org/v4.1.0"
   }
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-example-foundation:org/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:org/v4.1.0"
   }
 }

1-org/modules/cai-monitoring/versions.tf

@@ -19,11 +19,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 3.77"
+      version = ">= 3.77, <=5.37"
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 3.77"
+      version = ">= 3.77, <=5.37"
     }
     random = {
       source = "hashicorp/random"

2-environments/modules/env_baseline/versions.tf

@@ -28,10 +28,10 @@ terraform {
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-example-foundation:environments/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:environments/v4.1.0"
   }
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-example-foundation:environments/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:environments/v4.1.0"
   }
 }

3-networks-dual-svpc/README.md

@@ -59,7 +59,7 @@ For an overview of the architecture and the parts, see the
 The purpose of this step is to:
 
 - Set up the global [DNS Hub](https://cloud.google.com/blog/products/networking/cloud-forwarding-peering-and-zones).
-- Set up base and restricted Hubs and it corresponding Spokes. With default DNS, NAT (optional), Private Service networking, VPC Service Controls (optional), on-premises Dedicated or Partner Interconnect, and baseline firewall rules for each environment.
+- Set up base and restricted shared VPCs with default DNS, NAT (optional), Private Service networking, VPC Service Controls (optional), on-premises Dedicated or Partner Interconnect, and baseline firewall rules for each environment.
 
 ## Prerequisites
 

3-networks-dual-svpc/modules/base_env/versions.tf

@@ -28,10 +28,10 @@ terraform {
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-example-foundation:networks-dual-svpc/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:networks-dual-svpc/v4.1.0"
   }
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-example-foundation:networks-dual-svpc/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:networks-dual-svpc/v4.1.0"
   }
 }

3-networks-dual-svpc/modules/base_shared_vpc/versions.tf

@@ -28,10 +28,10 @@ terraform {
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-example-foundation:base_shared_vpc/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:base_shared_vpc/v4.1.0"
   }
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-example-foundation:base_shared_vpc/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:base_shared_vpc/v4.1.0"
   }
 }

3-networks-dual-svpc/modules/dedicated_interconnect/versions.tf

@@ -28,10 +28,10 @@ terraform {
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-example-foundation:dedicated_interconnect/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:dedicated_interconnect/v4.1.0"
   }
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-example-foundation:dedicated_interconnect/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:dedicated_interconnect/v4.1.0"
   }
 }

3-networks-dual-svpc/modules/hierarchical_firewall_policy/versions.tf

@@ -31,10 +31,10 @@ terraform {
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-example-foundation:hierarchical_firewall_policy/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:hierarchical_firewall_policy/v4.1.0"
   }
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-example-foundation:hierarchical_firewall_policy/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:hierarchical_firewall_policy/v4.1.0"
   }
 }

3-networks-dual-svpc/modules/partner_interconnect/versions.tf

@@ -28,10 +28,10 @@ terraform {
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-example-foundation:partner_interconnect/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:partner_interconnect/v4.1.0"
   }
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-example-foundation:partner_interconnect/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:partner_interconnect/v4.1.0"
   }
 }

3-networks-dual-svpc/modules/restricted_shared_vpc/versions.tf

@@ -31,10 +31,10 @@ terraform {
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-example-foundation:restricted_shared_vpc/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:restricted_shared_vpc/v4.1.0"
   }
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-example-foundation:restricted_shared_vpc/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:restricted_shared_vpc/v4.1.0"
   }
 }

3-networks-hub-and-spoke/modules/base_env/versions.tf

@@ -28,10 +28,10 @@ terraform {
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-example-foundation:networks-hub-and-spoke/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:networks-hub-and-spoke/v4.1.0"
   }
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-example-foundation:networks-hub-and-spoke/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:networks-hub-and-spoke/v4.1.0"
   }
 }

3-networks-hub-and-spoke/modules/base_shared_vpc/versions.tf

@@ -28,10 +28,10 @@ terraform {
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-example-foundation:base_shared_vpc/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:base_shared_vpc/v4.1.0"
   }
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-example-foundation:base_shared_vpc/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:base_shared_vpc/v4.1.0"
   }
 }

3-networks-hub-and-spoke/modules/dedicated_interconnect/versions.tf

@@ -28,10 +28,10 @@ terraform {
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-example-foundation:dedicated_interconnect/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:dedicated_interconnect/v4.1.0"
   }
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-example-foundation:dedicated_interconnect/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:dedicated_interconnect/v4.1.0"
   }
 }

3-networks-hub-and-spoke/modules/hierarchical_firewall_policy/versions.tf

@@ -31,10 +31,10 @@ terraform {
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-example-foundation:hierarchical_firewall_policy/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:hierarchical_firewall_policy/v4.1.0"
   }
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-example-foundation:hierarchical_firewall_policy/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:hierarchical_firewall_policy/v4.1.0"
   }
 }

3-networks-hub-and-spoke/modules/partner_interconnect/versions.tf

@@ -28,10 +28,10 @@ terraform {
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-example-foundation:partner_interconnect/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:partner_interconnect/v4.1.0"
   }
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-example-foundation:partner_interconnect/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:partner_interconnect/v4.1.0"
   }
 }

3-networks-hub-and-spoke/modules/restricted_shared_vpc/versions.tf

@@ -31,10 +31,10 @@ terraform {
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-example-foundation:restricted_shared_vpc/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:restricted_shared_vpc/v4.1.0"
   }
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-example-foundation:restricted_shared_vpc/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:restricted_shared_vpc/v4.1.0"
   }
 }

3-networks-hub-and-spoke/modules/transitivity/versions.tf

@@ -28,10 +28,10 @@ terraform {
   }
 
   provider_meta "google" {
-    module_name = "blueprints/terraform/terraform-example-foundation:transitivity/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:transitivity/v4.1.0"
   }
 
   provider_meta "google-beta" {
-    module_name = "blueprints/terraform/terraform-example-foundation:transitivity/v4.0.0"
+    module_name = "blueprints/terraform/terraform-example-foundation:transitivity/v4.1.0"
   }
 }