feat(deps): Update Terraform Google Provider to v6 (major)

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Pending
google (source)	required_provider	major	>= 3.53, < 6 -> >= 3.53, < 7	6.1.0
google-beta (source)	required_provider	major	>= 3.53, < 6 -> >= 3.53, < 7	6.1.0

---

Release Notes

hashicorp/terraform-provider-google (google)

v6.0.1

Compare Source

BREAKING CHANGES:

• sql: removed settings.ip_configuration.require_ssl from google_sql_database_instance in favor of settings.ip_configuration.ssl_mode. This field was intended to be removed in 6.0.0. (#​19263)

v6.0.0

Compare Source

Terraform Google Provider 6.0.0 Upgrade Guide

BREAKING CHANGES:

• provider: changed provider labels to add the goog-terraform-provisioned: true label by default. (#​19190)
• activedirectory: added deletion_protection field to google_active_directory_domain resource. This field defaults to true, preventing accidental deletions. To delete the resource, you must first set deletion_protection = false before destroying the resource. (#​18906)
• alloydb: removed network in google_alloy_db_cluster. Use network_config.network instead. (#​19181)
• bigquery: added client-side validation to prevent table view creation if schema contains required fields for google_bigquery_table resource (#​18767)
• bigquery: removed allow_resource_tags_on_deletion from google_bigquery_table. Resource tags are now always allowed on table deletion. (#​19077)
• bigqueryreservation: removed multi_region_auxiliary from google_bigquery_reservation (#​18922)
• billing: revised the format of id for google_billing_project_info (#​18823)
• cloudrunv2: added deletion_protection field to google_cloudrunv2_service. This field defaults to true, preventing accidental deletions. To delete the resource, you must first set deletion_protection = false before destroying the resource.(#​19019)
• cloudrunv2: changed liveness_probe to no longer infer a default value from api on google_cloud_run_v2_service. Removing this field and applying the change will now remove liveness probe from the Cloud Run service. (#​18764)
• cloudrunv2: retyped containers.env to SET from ARRAY for google_cloud_run_v2_service and google_cloud_run_v2_job. (#​18855)
• composer: ip_allocation_policy = [] in google_composer_environment is no longer valid configuration. Removing the field from configuration should not produce a diff. (#​19207)
• compute: added new required field enabled in google_compute_backend_service and google_compute_region_backend_service (#​18772)
• compute: changed certifcate_id in google_compute_managed_ssl_certificate to correctly be output only. (#​19069)
• compute: revised and in some cases removed default values of connection_draining_timeout_sec, balancing_mode and outlier_detection in google_compute_region_backend_service and google_compute_backend_service. (#​18720)
• compute: revised the format of id for compute_network_endpoints (#​18844)
• compute: guest_accelerator = [] is no longer valid configuration in google_compute_instance. To explicitly set an empty list of objects, set guest_accelerator.count = 0. (#​19207)
• compute: google_compute_instance_from_template and google_compute_instance_from_machine_image network_interface.alias_ip_range, network_interface.access_config, attached_disk, guest_accelerator, service_account, scratch_disk can no longer be set to an empty block []. Removing the fields from configuration should not produce a diff. (#​19207)
• compute: secondary_ip_ranges = [] in google_compute_subnetwork is no longer valid configuration. To set an explicitly empty list, use send_secondary_ip_range_if_empty and completely remove secondary_ip_range from config. (#​19207)
• container: made advanced_datapath_observability_config.enable_relay required in google_container_cluster (#​19060)
• container: removed deprecated field advanced_datapath_observability_config.relay_mode from google_container_cluster resource. Users are expected to use enable_relay field instead. (#​19060)
• container: three label-related fields are now in google_container_cluster resource. resource_labels field is non-authoritative and only manages the labels defined by the users on the resource through Terraform. The new output-only terraform_labels field merges the labels defined by the users on the resource through Terraform and the default labels configured on the provider. The new output-only effective_labels field lists all of labels present on the resource in GCP, including the labels configured through Terraform, the system, and other clients. (#​19062)
• container: made three fields resource_labels, terraform_labels, and effective_labels be present in google_container_cluster datasources. All three fields will have all of labels present on the resource in GCP including the labels configured through Terraform, the system, and other clients, equivalent to effective_labels on the resource. (#​19062)
• container: guest_accelerator = [] is no longer valid configuration in google_container_cluster and google_container_node_pool. To explicitly set an empty list of objects, set guest_accelerator.count = 0. (#​19207)
• container: guest_accelerator.gpu_driver_installation_config = [] and guest_accelerator.gpu_sharing_config = [] are no longer valid configuration in google_container_cluster and google_container_node_pool. Removing the fields from configuration should not produce a diff. (#​19207)
• datastore: removed google_datastore_index in favor of google_firestore_index (#​19160)
• edgenetwork: three label-related fields are now in google_edgenetwork_network and google_edgenetwork_subnet resources. labels field is non-authoritative and only manages the labels defined by the users on the resource through Terraform. The new output-only terraform_labels field merges the labels defined by the users on the resource through Terraform and the default labels configured on the provider. The new output-only effective_labels field lists all of labels present on the resource in GCP, including the labels configured through Terraform, the system, and other clients. (#​19062)
• identityplatform: removed resource google_identity_platform_project_default_config in favor of google_identity_platform_project_config (#​18992)
• pubsub: allowed schema_settings in google_pubsub_topic to be removed (#​18631)
• integrations: removed create_sample_workflows and provision_gmek from google_integrations_client (#​19148)
• redis: added a deletion_protection_enabled field to the google_redis_cluster resource. This field defaults to true, preventing accidental deletions. To delete the resource, you must first set deletion_protection_enabled = false before destroying the resource. (#​19173)
• resourcemanager: added deletion_protection field to google_folder to make deleting them require an explicit intent. Folder resources now cannot be destroyed unless deletion_protection = false is set for the resource. (#​19021)
• resourcemanager: made deletion_policy in google_project 'PREVENT' by default. This makes deleting them require an explicit intent. google_project resources cannot be destroyed unless deletion_policy is set to 'ABANDON' or 'DELETE' for the resource. (#​19114)
• sql: removed settings.ip_configuration.require_ssl in google_sql_database_instance. Please use settings.ip_configuration.ssl_mode instead. (#​18843)
• storage: removed no_age field from lifecycle_rule.condition in the google_storage_bucket resource (#​19048)
• vpcaccess: removed default values for min_throughput and min_instances fields on google_vpc_access_connector and made them default to values returned from the API when not provided by users (#​18697)
• vpcaccess: added a conflicting fields restriction between min_throughput and min_instances fields on google_vpc_access_connector (#​18697)
• vpcaccess: added a conflicting fields restriction between max_throughput and max_instances fields on google_vpc_access_connector (#​18697)
• workstation: defaulted host.gce_instance.disable_ssh to true for google_workstations_workstation_config (#​19101)
  IMPROVEMENTS:
• compute: added fields reserved_internal_range and secondary_ip_ranges[].reserved_internal_range to google_compute_subnetwork resource (#​19151)
• compute: changed the behavior of name_prefix in multiple Compute resources to allow for a longer max length of 54 characters. See the upgrade guide and resource documentation for more details. (#​19152)
  BUG FIXES:
• compute: fixed an issue regarding sending enabled field by default for null iap message in google_compute_backend_service and google_compute_region_backend_service (#​18772)

hashicorp/terraform-provider-google-beta (google-beta)

v6.0.1

Compare Source

BREAKING CHANGES:

• sql: removed settings.ip_configuration.require_ssl from google_sql_database_instance in favor of settings.ip_configuration.ssl_mode. This field was intended to be removed in 6.0.0. (#​8043)

v6.0.0

Compare Source

Terraform Google Provider 6.0.0 Upgrade Guide

BREAKING CHANGES:

• provider: changed provider labels to add the goog-terraform-provisioned: true label by default. (#​8004)
• activedirectory: added deletion_protection field to google_active_directory_domain resource. This field defaults to true, preventing accidental deletions. To delete the resource, you must first set deletion_protection = false before destroying the resource. (#​7837)
• alloydb: removed network in google_alloy_db_cluster. Use network_config.network instead. (#​7999)
• billing: revised the format of id for google_billing_project_info (#​7793)
• bigquery: added client-side validation to prevent table view creation if schema contains required fields for google_bigquery_table resource (#​7755)
• bigquery: removed allow_resource_tags_on_deletion from google_bigquery_table. Resource tags are now always allowed on table deletion. (#​7940)
• bigqueryreservation: removed multi_region_auxiliary from google_bigquery_reservation (#​7844)
• cloudrunv2: added deletion_protection field to google_cloudrunv2_service to make deleting them require an explicit intent. This field defaults to true, preventing accidental deletions. To delete the resource, you must first set deletion_protection = false before destroying the resource. (#​7901)
• cloudrunv2: changed liveness_probe to no longer infer a default value from api on google_cloud_run_v2_service. Removing this field and applying the change will now remove liveness probe from the Cloud Run service. (#​7753)
• cloudrunv2: retyped containers.env to SET from ARRAY for google_cloud_run_v2_service and google_cloud_run_v2_job. (#​7812)
• composer: ip_allocation_policy = [] in google_composer_environment is no longer valid configuration. Removing the field from configuration should not produce a diff. (#​8011)
• compute: added new required field enabled in google_compute_backend_service and google_compute_region_backend_service (#​7758)
• compute: revised and in some cases removed default values of connection_draining_timeout_sec, balancing_mode and outlier_detection in google_compute_region_backend_service and google_compute_backend_service. (#​7723)
• compute: updated resource id for compute_network_endpoints (#​7806)
• compute: stopped the certifcate_id field in google_compute_managed_ssl_certificate resource being incorrectly marked as a user-configurable value when it should just be an output. (#​7936)
• compute: guest_accelerator = [] is no longer valid configuration in google_compute_instance. To explicitly set an empty list of objects, set guest_accelerator.count = 0. (#​8011)
• compute: google_compute_instance_from_template and google_compute_instance_from_machine_image network_interface.alias_ip_range, network_interface.access_config, attached_disk, guest_accelerator, service_account, scratch_disk can no longer be set to an empty block []. Removing the fields from configuration should not produce a diff. (#​8011)
• compute: secondary_ip_ranges = [] in google_compute_subnetwork is no longer valid configuration. To set an explicitly empty list, use send_secondary_ip_range_if_empty and completely remove secondary_ip_range from config. (#​8011)
• container: made advanced_datapath_observability_config.enable_relay required in google_container_cluster (#​7930)
• container: removed deprecated field advanced_datapath_observability_config.relay_mode from google_container_cluster resource. Users are expected to use enable_relay field instead. (#​7930)
• container: three label-related fields are now in google_container_cluster resource. resource_labels field is non-authoritative and only manages the labels defined by the users on the resource through Terraform. The new output-only terraform_labels field merges the labels defined by the users on the resource through Terraform and the default labels configured on the provider. The new output-only effective_labels field lists all of labels present on the resource in GCP, including the labels configured through Terraform, the system, and other clients. (#​7932)
• container: made three fields resource_labels, terraform_labels, and effective_labels be present in google_container_cluster datasources. All three fields will have all of labels present on the resource in GCP including the labels configured through Terraform, the system, and other clients, equivalent to effective_labels on the resource. (#​7932)
• container: guest_accelerator = [] is no longer valid configuration in google_container_cluster and google_container_node_pool. To explicitly set an empty list of objects, set guest_accelerator.count = 0. (#​8011)
• container: guest_accelerator.gpu_driver_installation_config = [] and guest_accelerator.gpu_sharing_config = [] are no longer valid configuration in google_container_cluster and google_container_node_pool. Removing the fields from configuration should not produce a diff. (#​8011)
• datastore: removed google_datastore_index in favor of google_firestore_index (#​7987)
• edgenetwork: three label-related fields are now in google_edgenetwork_network and google_edgenetwork_subnet resources. labels field is non-authoritative and only manages the labels defined by the users on the resource through Terraform. The new output-only terraform_labels field merges the labels defined by the users on the resource through Terraform and the default labels configured on the provider. The new output-only effective_labels field lists all of labels present on the resource in GCP, including the labels configured through Terraform, the system, and other clients. (#​7932)
• identityplatform: removed resource google_identity_platform_project_default_config in favor of google_identity_platform_project_config (#​7880)
• integrations: removed create_sample_workflows and provision_gmek from google_integrations_client (#​7977)
• pubsub: allowed schema_settings in google_pubsub_topic to be removed (#​7674)
• redis: added a deletion_protection_enabled field to the google_redis_cluster resource. This field defaults to true, preventing accidental deletions. To delete the resource, you must first set deletion_protection_enabled = false before destroying the resource. (#​7995)
• resourcemanager: added deletion_protection field to google_folder to make deleting them require an explicit intent. Folder resources now cannot be destroyed unless deletion_protection = false is set for the resource. (#​7903)
• resourcemanager: made deletion_policy in google_project 'PREVENT' by default. This makes deleting them require an explicit intent. google_project resources cannot be destroyed unless deletion_policy is set to 'ABANDON' or 'DELETE' for the resource. (#​7946)
• storage: removed no_age field from lifecycle_rule.condition in the google_storage_bucket resource (#​7923)
• sql: removed settings.ip_configuration.require_ssl in google_sql_database_instance. Please use settings.ip_configuration.ssl_mode instead. (#​7804)
• vpcaccess: removed default values for min_throughput and min_instances fields on google_vpc_access_connector and made them default to values returned from the API when not provided by users (#​7709)
• vpcaccess: added a conflicting fields restriction between min_throughput and min_instances fields on google_vpc_access_connector (#​7709)
• vpcaccess: added a conflicting fields restriction between max_throughput and max_instances fields on google_vpc_access_connector (#​7709)
• workstation: defaulted host.gce_instance.disable_ssh to true for google_workstations_workstation_config (#​7946)

IMPROVEMENTS:

• compute: added fields reserved_internal_range and secondary_ip_ranges[].reserved_internal_range to google_compute_subnetwork resource (#​7980)
• compute: changed the behavior of name_prefix in multiple Compute resources to allow for a longer max length of 54 characters. See the upgrade guide and resource documentation for more details. (#​7981)

BUG FIXES:

• compute: fixed an issue regarding sending enabled field by default for null iap message in google_compute_backend_service and google_compute_region_backend_service (#​7758)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[dpebot]

/gcbrun

[KimPaow]

We're looking to upgrade our provider to v6 and this is a blocker - could maintainers take a look at merging this?

[victorbiga]

We're looking to upgrade our provider to v6 and this is a blocker - could maintainers take a look at merging this?

same

@apeabody I hope it is ok to tag you here as I see you approved release 7. This PR merge is blocking upgrades for many

[apeabody]

TAL...

│ Error: Unsupported argument
│ 
│   on main.tf line 93, in resource "google_compute_instance_from_template" "bastion_vm":
│   93:     access_config      = var.external_ip ? var.access_config : []
│ 
│ An argument named "access_config" is not expected here. Did you mean to
│ define a block of type "access_config"?

Will require some code changes, need to verify the new minimum TPG as well.

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[dpebot]

/gcbrun

[wyardley]

@apeabody as mentioned here, seems like the template modules didn't get updated here.

[mwarkentin]

Does this module need to specify a max on the google provider version?

[wyardley]

Major releases may have breaking changes, which might or might not affect this module, so I assume that’s why the module always restricts to less than the current major. Typically I’ve seen the maintainers be pretty quick to add support for new upper versions, especially if the changes test out OK.

[mwarkentin]

Yep, they surely can cause breaking changes, but they also might be fully compatible (and generally I find the breaking changes are relatively minimal.

In our case this is used as a sub-module alongside a bunch of other resources. We needed to upgrade the provider for some new feature support on our GKE cluster in v6 of the provider.

This meant we had to upgrade through multiple major versions of this bastion module as well, for unrelated reasons.

Not a perfect metaphor but if you consider a module similar to a library in a regular programming language, it can be quite frustrating when a module / library is adding their own constraints (unless there's actually something breaking): https://youtu.be/WSVFw-3ssXM?si=i_4VnPESakWjEZ4T