From 9678d8c3f8a30f40611e03bf563cc66e9751334f Mon Sep 17 00:00:00 2001
From: Daniel Andrade
Date: Mon, 25 Nov 2024 15:15:53 -0300
Subject: [PATCH] feat!: add workflow deletion protection to cloud build builder module (#329)

---
 docs/upgrading_to_v10.0.md | 19 +++++++++++++++++++
 docs/upgrading_to_v9.0.md | 2 +-
 examples/tf_cloudbuild_builder_simple/main.tf | 2 ++
 .../main.tf | 2 ++
 .../main.tf | 2 ++
 modules/tf_cloudbuild_builder/README.md | 1 +
 modules/tf_cloudbuild_builder/variables.tf | 6 ++++++
 modules/tf_cloudbuild_builder/workflow.tf | 13 +++++++------
 8 files changed, 40 insertions(+), 7 deletions(-)
 create mode 100644 docs/upgrading_to_v10.0.md

diff --git a/docs/upgrading_to_v10.0.md b/docs/upgrading_to_v10.0.md
new file mode 100644
index 00000000..28284d12
--- /dev/null
+++ b/docs/upgrading_to_v10.0.md
@@ -0,0 +1,19 @@
+# Upgrading to v10.0
+
+The v10.0 release of *bootstrap* is a backwards incompatible release.
+
+## Google Cloud Provider Workflow deletion protection
+
+The field `deletion_protection` was added to the [google_workflows_workflow](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/workflows_workflow) resource with default value of `true` in Google Cloud Platform Provider v6+.
+
+To maintain the old behavior in the module [Cloud Build Builder](../modules/tf_cloudbuild_builder/README.md), which creates a workflow, set the new variable `workflow_deletion_protection` to `false`.
+
+
+```diff
+module "tf_cloudbuild_builder" {
+ source = "terraform-google-modules/bootstrap/google//modules/tf_cloudbuild_builder"
+- version = "~> 9.0"
++ version = "~> 10.0"
+
++ workflow_deletion_protection = false
+```
diff --git a/docs/upgrading_to_v9.0.md b/docs/upgrading_to_v9.0.md
index 39c00770..31a9caf5 100644
--- a/docs/upgrading_to_v9.0.md
+++ b/docs/upgrading_to_v9.0.md
@@ -19,7 +19,7 @@ module "tf_workspace" { + trigger_location = "global" ``` -## Default value for variables `trigger_location` and `gar_repo_location` in module `tf_cloudbuild_builde` were removed +## Default value for variables `trigger_location` and `gar_repo_location` in module `tf_cloudbuild_builder` were removed To preserve the resources created before, include the inputs `trigger_location` and `gar_repo_location` with the previous default values in the module call diff --git a/examples/tf_cloudbuild_builder_simple/main.tf b/examples/tf_cloudbuild_builder_simple/main.tf index a881819d..6b794a18 100644 --- a/examples/tf_cloudbuild_builder_simple/main.tf +++ b/examples/tf_cloudbuild_builder_simple/main.tf @@ -25,6 +25,8 @@ module "cloudbuilder" { build_timeout = "1200s" # allow logs bucket to be destroyed cb_logs_bucket_force_destroy = true + # allow workflow to be destroyed + workflow_deletion_protection = false } # CSR for storing Dockerfile diff --git a/examples/tf_cloudbuild_builder_simple_github/main.tf b/examples/tf_cloudbuild_builder_simple_github/main.tf index ea6bdd84..239c63e0 100644 --- a/examples/tf_cloudbuild_builder_simple_github/main.tf +++ b/examples/tf_cloudbuild_builder_simple_github/main.tf @@ -42,6 +42,8 @@ module "cloudbuilder" { # allow logs bucket to be destroyed cb_logs_bucket_force_destroy = true + # allow workflow to be destroyed + workflow_deletion_protection = false depends_on = [time_sleep.propagation] } diff --git a/examples/tf_cloudbuild_builder_simple_gitlab/main.tf b/examples/tf_cloudbuild_builder_simple_gitlab/main.tf index 164408e4..b84e9406 100644 --- a/examples/tf_cloudbuild_builder_simple_gitlab/main.tf +++ b/examples/tf_cloudbuild_builder_simple_gitlab/main.tf @@ -42,6 +42,8 @@ module "cloudbuilder" { # allow logs bucket to be destroyed cb_logs_bucket_force_destroy = true + # allow workflow to be destroyed + workflow_deletion_protection = false depends_on = [ time_sleep.propagation, 
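Review bot: The three example modules opt out of the module's new default with only `# allow workflow to be destroyed` as explanation, and examples are what users copy into real deployments; the comment on the added `workflow_deletion_protection = false` line should make clear it is a CI teardown concession, e.g. `# examples are created and destroyed by CI; keep the module default (true) for real deployments`. The same caveat applies to the neighbouring `cb_logs_bucket_force_destroy = true`, which this change does not touch. In each example the enclosing `module "cloudbuilder"` block starts and ends outside the hunk, and in the gitlab example the `depends_on` list continues past it.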
diff --git a/modules/tf_cloudbuild_builder/README.md b/modules/tf_cloudbuild_builder/README.md
index 212b1c14..3819d7a9 100644
--- a/modules/tf_cloudbuild_builder/README.md
+++ b/modules/tf_cloudbuild_builder/README.md
@@ -51,6 +51,7 @@ This module creates:
 | trigger\_name | Name of the Cloud Build trigger building the Terraform builder. | `string` | `"tf-cloud-builder-build"` | no |
 | use\_cloudbuildv2\_repository | Use Cloud Build repository (2nd gen) | `bool` | `false` | no |
 | worker\_pool\_id | Custom private worker pool ID. Format: 'projects/PROJECT\_ID/locations/REGION/workerPools/PRIVATE\_POOL\_ID'. | `string` | `""` | no |
+| workflow\_deletion\_protection | Whether Terraform will be prevented from destroying the workflow. When the field is set to true or unset in Terraform state, a `terraform apply` or `terraform destroy` that would delete the workflow will fail. When the field is set to false, deleting the workflow is allowed. | `bool` | `true` | no |
 | workflow\_name | Name of the workflow managing builds. | `string` | `"terraform-runner-workflow"` | no |
 | workflow\_region | The region of the workflow. | `string` | `"us-central1"` | no |
 | workflow\_sa | Custom SA email to be used by the workflow. Defaults to being created if empty. | `string` | `""` | no |
diff --git a/modules/tf_cloudbuild_builder/variables.tf b/modules/tf_cloudbuild_builder/variables.tf
index d858815d..1dc6ebe2 100644
--- a/modules/tf_cloudbuild_builder/variables.tf
+++ b/modules/tf_cloudbuild_builder/variables.tf
@@ -43,6 +43,12 @@ variable "workflow_sa" {
 default = ""
 }
 
+variable "workflow_deletion_protection" {
+ description = "Whether Terraform will be prevented from destroying the workflow. When the field is set to true or unset in Terraform state, a `terraform apply` or `terraform destroy` that would delete the workflow will fail. When the field is set to false, deleting the workflow is allowed."
+ type = bool
+ default = true
+}
+
 variable "cloudbuild_sa" {
 description = "Custom SA email to be used by the CloudBuild trigger. Defaults to being created if empty."
 type = string
diff --git a/modules/tf_cloudbuild_builder/workflow.tf b/modules/tf_cloudbuild_builder/workflow.tf
index e021d55e..2d494c6a 100644
--- a/modules/tf_cloudbuild_builder/workflow.tf
+++ b/modules/tf_cloudbuild_builder/workflow.tf
@@ -36,12 +36,13 @@ resource "google_service_account" "workflow_sa" {
 }
 
 resource "google_workflows_workflow" "builder" {
- project = var.project_id
- name = var.workflow_name
- region = var.workflow_region
- description = "Workflow for triggering TF Runner builds. Managed by Terraform."
- service_account = local.workflow_sa
- source_contents = local.rendered_workflow_config
+ project = var.project_id
+ name = var.workflow_name
+ region = var.workflow_region
+ description = "Workflow for triggering TF Runner builds. Managed by Terraform."
+ service_account = local.workflow_sa
+ source_contents = local.rendered_workflow_config
+ deletion_protection = var.workflow_deletion_protection
 }
 
 # Allow Workflow SA to trigger workflow via scheduler
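Review bot: The new `deletion_protection = var.workflow_deletion_protection` argument on `google_workflows_workflow.builder` only exists in the google provider from v6, as the upgrade note itself states, yet this patch does not touch the module's provider constraint; if `versions.tf` still admits a 5.x provider the argument is rejected as unsupported, so confirm the constraint was raised to `>= 6.0` in the same release. Because the provider documents `name`, `region` and `project` as forcing replacement, a change to `workflow_name` or `workflow_region` under the default `true` now fails at apply instead of recreating the workflow; that is the intended guard, but the variable description should say so, e.g. `Renaming or moving the workflow forces a replace, which is blocked while this is true; apply with false first, then make the change.` A plain `terraform destroy` likewise needs a prior apply with `workflow_deletion_protection = false`, which the description could state in one line alongside the provider-copied text.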