feat!: add workflow deletion protection to cloud build builder module

terraform-google-modules · Nov 25, 2024 · 6be5c5b · 6be5c5b
1 parent 22a2c59
commit 6be5c5b
Show file tree

Hide file tree

Showing 8 changed files with 40 additions and 7 deletions.
diff --git a/docs/upgrading_to_v10.0.md b/docs/upgrading_to_v10.0.md
@@ -0,0 +1,19 @@
+# Upgrading to v10.0
+
+The v10.0 release of *bootstrap* is a backwards incompatible release.
+
+## Google Cloud Provider Workflow deletion protection
+
+The field `deletion_protection` was added to the [google_workflows_workflow](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/workflows_workflow) resource with default value of `true` in Google Cloud Platform Provider v6+.
+
+To maintain the old behavior in the module [Cloud Build Builder](../modules/tf_cloudbuild_builder/README.md), which creates a workflow, set the new variable `workflow_deletion_protection` to `false`.
+
+
+```diff
+module "tf_cloudbuild_builder" {
+  source  = "terraform-google-modules/bootstrap/google//modules/tf_cloudbuild_builder"
+- version = "~> 9.0"
++ version = "~> 10.0"
+
++ workflow_deletion_protection = false
+```
diff --git a/docs/upgrading_to_v9.0.md b/docs/upgrading_to_v9.0.md
@@ -19,7 +19,7 @@ module "tf_workspace" {
 + trigger_location = "global"
 ```
 
-## Default value for variables `trigger_location` and `gar_repo_location` in module `tf_cloudbuild_builde` were removed
+## Default value for variables `trigger_location` and `gar_repo_location` in module `tf_cloudbuild_builder` were removed
 
 To preserve the resources created before, include the inputs `trigger_location` and `gar_repo_location` with the previous default values in the module call
 

diff --git a/examples/tf_cloudbuild_builder_simple/main.tf b/examples/tf_cloudbuild_builder_simple/main.tf
@@ -25,6 +25,8 @@ module "cloudbuilder" {
   build_timeout       = "1200s"
   # allow logs bucket to be destroyed
   cb_logs_bucket_force_destroy = true
+  # allow workflow to be destroyed
+  workflow_deletion_protection = false
 }
 
 # CSR for storing Dockerfile

diff --git a/examples/tf_cloudbuild_builder_simple_github/main.tf b/examples/tf_cloudbuild_builder_simple_github/main.tf
@@ -42,6 +42,8 @@ module "cloudbuilder" {
 
   # allow logs bucket to be destroyed
   cb_logs_bucket_force_destroy = true
+  # allow workflow to be destroyed
+  workflow_deletion_protection = false
 
   depends_on = [time_sleep.propagation]
 }

diff --git a/examples/tf_cloudbuild_builder_simple_gitlab/main.tf b/examples/tf_cloudbuild_builder_simple_gitlab/main.tf
@@ -42,6 +42,8 @@ module "cloudbuilder" {
 
   # allow logs bucket to be destroyed
   cb_logs_bucket_force_destroy = true
+  # allow workflow to be destroyed
+  workflow_deletion_protection = false
 
   depends_on = [
     time_sleep.propagation,

diff --git a/modules/tf_cloudbuild_builder/README.md b/modules/tf_cloudbuild_builder/README.md
@@ -51,6 +51,7 @@ This module creates:
 | trigger\_name | Name of the Cloud Build trigger building the Terraform builder. | `string` | `"tf-cloud-builder-build"` | no |
 | use\_cloudbuildv2\_repository | Use Cloud Build repository (2nd gen) | `bool` | `false` | no |
 | worker\_pool\_id | Custom private worker pool ID. Format: 'projects/PROJECT\_ID/locations/REGION/workerPools/PRIVATE\_POOL\_ID'. | `string` | `""` | no |
+| workflow\_deletion\_protection | Whether Terraform will be prevented from destroying the workflow. When the field is set to true or unset in Terraform state, a `terraform apply` or `terraform destroy` that would delete the workflow will fail. When the field is set to false, deleting the workflow is allowed. | `bool` | `true` | no |
 | workflow\_name | Name of the workflow managing builds. | `string` | `"terraform-runner-workflow"` | no |
 | workflow\_region | The region of the workflow. | `string` | `"us-central1"` | no |
 | workflow\_sa | Custom SA email to be used by the workflow. Defaults to being created if empty. | `string` | `""` | no |

diff --git a/modules/tf_cloudbuild_builder/variables.tf b/modules/tf_cloudbuild_builder/variables.tf
@@ -43,6 +43,12 @@ variable "workflow_sa" {
   default     = ""
 }
 
+variable "workflow_deletion_protection" {
+  description = "Whether Terraform will be prevented from destroying the workflow. When the field is set to true or unset in Terraform state, a `terraform apply` or `terraform destroy` that would delete the workflow will fail. When the field is set to false, deleting the workflow is allowed."
+  type        = bool
+  default     = true
+}
+
 variable "cloudbuild_sa" {
   description = "Custom SA email to be used by the CloudBuild trigger. Defaults to being created if empty."
   type        = string

diff --git a/modules/tf_cloudbuild_builder/workflow.tf b/modules/tf_cloudbuild_builder/workflow.tf
@@ -36,12 +36,13 @@ resource "google_service_account" "workflow_sa" {
 }
 
 resource "google_workflows_workflow" "builder" {
-  project         = var.project_id
-  name            = var.workflow_name
-  region          = var.workflow_region
-  description     = "Workflow for triggering TF Runner builds. Managed by Terraform."
-  service_account = local.workflow_sa
-  source_contents = local.rendered_workflow_config
+  project             = var.project_id
+  name                = var.workflow_name
+  region              = var.workflow_region
+  description         = "Workflow for triggering TF Runner builds. Managed by Terraform."
+  service_account     = local.workflow_sa
+  source_contents     = local.rendered_workflow_config
+  deletion_protection = var.workflow_deletion_protection
 }
 
 # Allow Workflow SA to trigger workflow via scheduler