diff --git a/README.md b/README.md index b83ba57a..89d5913f 100644 --- a/README.md +++ b/README.md @@ -63,6 +63,7 @@ For the cloudbuild submodule, see the README [cloudbuild](./modules/cloudbuild). | org\_id | GCP Organization ID | `string` | n/a | yes | | org\_project\_creators | Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required. | `list(string)` | `[]` | no | | parent\_folder | GCP parent folder ID in the form folders/{id} | `string` | `""` | no | +| project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no | | project\_id | Custom project ID to use for project created. If not supplied, the default id is {project\_prefix}-seed-{random suffix}. | `string` | `""` | no | | project\_labels | Labels to apply to the project. | `map(string)` | `{}` | no | | project\_prefix | Name prefix to use for projects created. | `string` | `"cft"` | no | diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index 2c030caf..78fba45e 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -timeout: 4200s +timeout: 5400s steps: - id: swap-module-refs name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' diff --git a/docs/upgrading_to_v9.0.md b/docs/upgrading_to_v9.0.md index 55139076..39c00770 100644 --- a/docs/upgrading_to_v9.0.md +++ b/docs/upgrading_to_v9.0.md 
@@ -40,3 +40,43 @@ The endpoint that is used to trigger a build was replaced with a new one that al
 ```
 # module.cloudbuilder.google_workflows_workflow.builder will be updated in-place
 ```
+
+## Google Cloud Provider Project deletion_policy
+
+The `deletion_policy` for [project-factory](https://github.com/terraform-google-modules/terraform-google-project-factory) module now defaults to `"PREVENT"` rather than `"DELETE"`.
+This aligns with the behavior in Google Cloud Platform Provider v6+.
+To maintain the old behavior in the projects created within the modules you can set the new variable `project_deletion_policy = "DELETE"`.
+
+### Bootstrap main module
+
+```diff
+module "bootstrap" {
+ source = "terraform-google-modules/bootstrap/google"
+- version = "~> 8.0"
++ version = "~> 9.0"
+
++ project_deletion_policy = "DELETE"
+```
+
+### Cloud Build sub module
+
+```diff
+module "cloudbuild" {
+ source = "terraform-google-modules/bootstrap/google//modules/cloudbuild"
+- version = "~> 8.0"
++ version = "~> 9.0"
+
++ project_deletion_policy = "DELETE"
+```
+
+
+### Cloud Build Source sub module
+
+```diff
+module "tf_cloudbuild_source" {
+ source = "terraform-google-modules/bootstrap/google//modules/tf_cloudbuild_source"
+- version = "~> 8.0"
++ version = "~> 9.0"
+
++ project_deletion_policy = "DELETE"
+```
diff --git a/examples/cloudbuild_enabled/README.md b/examples/cloudbuild_enabled/README.md
index 3d00890f..9637fb86 100644
--- a/examples/cloudbuild_enabled/README.md
+++ b/examples/cloudbuild_enabled/README.md
@@ -14,6 +14,7 @@ This example combines the Organization bootstrap module with the Cloud Build sub | group\_org\_admins | Google Group for GCP Organization Administrators | `string` | n/a | yes | | org\_id | GCP Organization ID | `string` | n/a | yes | | org\_project\_creators | Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required. | `list(string)` | `[]` | no | +| project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no | | project\_prefix | Name prefix to use for projects created. | `string` | `"cft"` | no | ## Outputs diff --git a/examples/cloudbuild_enabled/main.tf b/examples/cloudbuild_enabled/main.tf index b6202e1b..06586fa3 100644 --- a/examples/cloudbuild_enabled/main.tf +++ b/examples/cloudbuild_enabled/main.tf @@ -31,6 +31,7 @@ module "seed_bootstrap" { sa_enable_impersonation = true project_prefix = var.project_prefix force_destroy = var.force_destroy + project_deletion_policy = var.project_deletion_policy } module "cloudbuild_bootstrap" { @@ -47,4 +48,5 @@ module "cloudbuild_bootstrap" { terraform_state_bucket = module.seed_bootstrap.gcs_bucket_tfstate project_prefix = var.project_prefix force_destroy = var.force_destroy + project_deletion_policy = var.project_deletion_policy } diff --git a/examples/cloudbuild_enabled/variables.tf b/examples/cloudbuild_enabled/variables.tf index 20c2b2d9..ba78cb77 100644 --- a/examples/cloudbuild_enabled/variables.tf +++ b/examples/cloudbuild_enabled/variables.tf @@ -57,3 +57,9 @@ variable "force_destroy" { type = bool default = false } + +variable "project_deletion_policy" { + description = "The deletion policy for the project created." + type = string + default = "PREVENT" +} diff --git a/examples/cloudbuild_repo_connection_github/main.tf b/examples/cloudbuild_repo_connection_github/main.tf index c0280d26..10eecfe5 100644 --- a/examples/cloudbuild_repo_connection_github/main.tf 
+++ b/examples/cloudbuild_repo_connection_github/main.tf @@ -15,7 +15,7 @@ */ module "github_connection" { - source = "terraform-google-modules/bootstrap/google//modules/cloudbuild_repo_connection" + source = "terraform-google-modules/bootstrap/google//modules/cloudbuild_repo_connection" version = "~> 9.0" project_id = var.project_id diff --git a/examples/im_cloudbuild_workspace_github/apis.tf b/examples/im_cloudbuild_workspace_github/apis.tf index ab21511c..67bca188 100644 --- a/examples/im_cloudbuild_workspace_github/apis.tf +++ b/examples/im_cloudbuild_workspace_github/apis.tf @@ -16,7 +16,7 @@ module "enabled_google_apis" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 15.0" + version = "~> 17.0" project_id = var.project_id disable_services_on_destroy = false diff --git a/examples/im_cloudbuild_workspace_gitlab/apis.tf b/examples/im_cloudbuild_workspace_gitlab/apis.tf index bdf4910c..6a85dac2 100644 --- a/examples/im_cloudbuild_workspace_gitlab/apis.tf +++ b/examples/im_cloudbuild_workspace_gitlab/apis.tf @@ -16,7 +16,7 @@ module "enabled_google_apis" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 15.0" + version = "~> 17.0" project_id = var.project_id disable_services_on_destroy = false diff --git a/examples/simple-folder/README.md b/examples/simple-folder/README.md index 718a435c..2fa29f83 100644 --- a/examples/simple-folder/README.md +++ b/examples/simple-folder/README.md 
@@ -14,6 +14,7 @@ This example demonstrates the simplest usage of the GCP organization bootstrap m | org\_id | GCP Organization ID | `string` | n/a | yes | | org\_project\_creators | Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required. | `list(string)` | `[]` | no | | parent | GCP parent folder id of form folders/{id} | `string` | n/a | yes | +| project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no | | project\_prefix | Name prefix to use for projects created. | `string` | `"cft"` | no | ## Outputs diff --git a/examples/simple-folder/main.tf b/examples/simple-folder/main.tf index 8dac870a..683e7fc7 100644 --- a/examples/simple-folder/main.tf +++ b/examples/simple-folder/main.tf @@ -22,12 +22,13 @@ module "seed_bootstrap" { source = "terraform-google-modules/bootstrap/google" version = "~> 8.0" - org_id = var.org_id - parent_folder = var.parent - billing_account = var.billing_account - group_org_admins = var.group_org_admins - group_billing_admins = var.group_billing_admins - default_region = var.default_region - org_project_creators = var.org_project_creators - project_prefix = var.project_prefix + org_id = var.org_id + parent_folder = var.parent + billing_account = var.billing_account + group_org_admins = var.group_org_admins + group_billing_admins = var.group_billing_admins + default_region = var.default_region + org_project_creators = var.org_project_creators + project_prefix = var.project_prefix + project_deletion_policy = var.project_deletion_policy } diff --git a/examples/simple-folder/variables.tf b/examples/simple-folder/variables.tf index b49fe45a..c0ca00e0 100644 --- a/examples/simple-folder/variables.tf +++ b/examples/simple-folder/variables.tf 
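Review bot: The hunk passes the new `project_deletion_policy` argument to a bootstrap module that is still pinned at `version = "~> 8.0"` (the context line directly under `source`), while the upgrade guide in this same change introduces that input with v9.0, so a user who copies this example as written should get an unsupported-argument error from the registry module at plan time. CI would not catch this if the `swap-module-refs` step in `build/int.cloudbuild.yaml` rewrites the source to the local checkout, which it appears to do. Bump the pin to `version = "~> 9.0"`, as `examples/cloudbuild_repo_connection_github/main.tf` in this diff already does. The `module "seed_bootstrap"` block opens before the hunk starts.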
@@ -56,3 +56,9 @@ variable "project_prefix" { default = "cft" type = string } + +variable "project_deletion_policy" { + description = "The deletion policy for the project created." + type = string + default = "PREVENT" +} diff --git a/examples/simple/README.md b/examples/simple/README.md index 2d624d88..f0488845 100644 --- a/examples/simple/README.md +++ b/examples/simple/README.md @@ -13,6 +13,7 @@ This example demonstrates the simplest usage of the GCP organization bootstrap m | group\_org\_admins | Google Group for GCP Organization Administrators | `string` | n/a | yes | | org\_id | GCP Organization ID | `string` | n/a | yes | | org\_project\_creators | Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required. | `list(string)` | `[]` | no | +| project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no | | project\_prefix | Name prefix to use for projects created. | `string` | `"cft"` | no | ## Outputs diff --git a/examples/simple/main.tf b/examples/simple/main.tf index 041f72ff..dbcd1dc2 100644 --- a/examples/simple/main.tf +++ b/examples/simple/main.tf @@ -22,11 +22,12 @@ module "seed_bootstrap" { source = "terraform-google-modules/bootstrap/google" version = "~> 8.0" - org_id = var.org_id - billing_account = var.billing_account - group_org_admins = var.group_org_admins - group_billing_admins = var.group_billing_admins - default_region = var.default_region - org_project_creators = var.org_project_creators - project_prefix = var.project_prefix + org_id = var.org_id + billing_account = var.billing_account + group_org_admins = var.group_org_admins + group_billing_admins = var.group_billing_admins + default_region = var.default_region + org_project_creators = var.org_project_creators + project_prefix = var.project_prefix + project_deletion_policy = var.project_deletion_policy } 
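Review bot: `project_deletion_policy = var.project_deletion_policy` is added here under a module pin of `version = "~> 8.0"`, and according to the upgrade guide in this change the variable only exists from v9.0 of the bootstrap module, so the example as published would fail validation against the registry version. This is presumably masked in CI by the module-ref swap step visible in `build/int.cloudbuild.yaml`, but the example is what users copy. Change the pin to `version = "~> 9.0"` in the same hunk. The enclosing `module "seed_bootstrap"` block starts outside the hunk.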
diff --git a/examples/simple/variables.tf b/examples/simple/variables.tf index a648cec7..567a4db1 100644 --- a/examples/simple/variables.tf +++ b/examples/simple/variables.tf @@ -51,3 +51,9 @@ variable "project_prefix" { default = "cft" type = string } + +variable "project_deletion_policy" { + description = "The deletion policy for the project created." + type = string + default = "PREVENT" +} diff --git a/examples/tf_cloudbuild_builder_simple/apis.tf b/examples/tf_cloudbuild_builder_simple/apis.tf index ea576bdd..4d381d45 100644 --- a/examples/tf_cloudbuild_builder_simple/apis.tf +++ b/examples/tf_cloudbuild_builder_simple/apis.tf @@ -16,7 +16,7 @@ module "enabled_google_apis" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 15.0" + version = "~> 17.0" project_id = var.project_id disable_services_on_destroy = false diff --git a/examples/tf_cloudbuild_builder_simple_github/apis.tf b/examples/tf_cloudbuild_builder_simple_github/apis.tf index 9ca1a473..34a74a41 100644 --- a/examples/tf_cloudbuild_builder_simple_github/apis.tf +++ b/examples/tf_cloudbuild_builder_simple_github/apis.tf @@ -16,7 +16,7 @@ module "enabled_google_apis" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 15.0" + version = "~> 17.0" project_id = var.project_id disable_services_on_destroy = false diff --git a/examples/tf_cloudbuild_builder_simple_gitlab/apis.tf b/examples/tf_cloudbuild_builder_simple_gitlab/apis.tf index 9ca1a473..34a74a41 100644 --- a/examples/tf_cloudbuild_builder_simple_gitlab/apis.tf +++ b/examples/tf_cloudbuild_builder_simple_gitlab/apis.tf @@ -16,7 +16,7 @@ module "enabled_google_apis" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 15.0" + version = "~> 17.0" project_id = var.project_id disable_services_on_destroy = false 
diff --git a/examples/tf_cloudbuild_builder_simple_gitlab/main.tf b/examples/tf_cloudbuild_builder_simple_gitlab/main.tf index 27c63b91..58206005 100644 --- a/examples/tf_cloudbuild_builder_simple_gitlab/main.tf +++ b/examples/tf_cloudbuild_builder_simple_gitlab/main.tf @@ -53,6 +53,8 @@ module "cloudbuilder" { # allow logs bucket to be destroyed cb_logs_bucket_force_destroy = true + + depends_on = [module.enabled_google_apis] } // Create a secret containing the personal access token and grant permissions to the Service Agent. diff --git a/examples/tf_cloudbuild_source_simple/README.md b/examples/tf_cloudbuild_source_simple/README.md index 5fa39196..c71e85fe 100644 --- a/examples/tf_cloudbuild_source_simple/README.md +++ b/examples/tf_cloudbuild_source_simple/README.md @@ -11,6 +11,7 @@ This example demonstrates the simplest usage of the [tf_cloudbuild_source](../.. | group\_org\_admins | Google Group for GCP Organization Administrators | `string` | n/a | yes | | org\_id | GCP Organization ID | `string` | n/a | yes | | parent\_folder | The bootstrap parent folder | `string` | `""` | no | +| project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no | ## Outputs diff --git a/examples/tf_cloudbuild_source_simple/main.tf b/examples/tf_cloudbuild_source_simple/main.tf index 67775f59..e7127642 100644 --- a/examples/tf_cloudbuild_source_simple/main.tf +++ b/examples/tf_cloudbuild_source_simple/main.tf @@ -18,9 +18,10 @@ module "tf_source" { source = "terraform-google-modules/bootstrap/google//modules/tf_cloudbuild_source" version = "~> 8.0" - org_id = var.org_id - folder_id = var.parent_folder - billing_account = var.billing_account - group_org_admins = var.group_org_admins - buckets_force_destroy = true + org_id = var.org_id + folder_id = var.parent_folder + billing_account = var.billing_account + group_org_admins = var.group_org_admins + buckets_force_destroy = true + project_deletion_policy = var.project_deletion_policy } 
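Review bot: The `module "tf_source"` hunk in `examples/tf_cloudbuild_source_simple/main.tf` sets the new `project_deletion_policy` input while keeping `version = "~> 8.0"` for the `tf_cloudbuild_source` sub module, which the upgrade guide in this change says only accepts that input from v9.0; the example is therefore inconsistent with its own docs and would fail for anyone using the registry source instead of a local swap. Raise the constraint to `version = "~> 9.0"`. The `module "tf_source"` block opens before the hunk.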
diff --git a/examples/tf_cloudbuild_source_simple/variables.tf b/examples/tf_cloudbuild_source_simple/variables.tf index e73a4ee1..33ced14f 100644 --- a/examples/tf_cloudbuild_source_simple/variables.tf +++ b/examples/tf_cloudbuild_source_simple/variables.tf @@ -34,3 +34,9 @@ variable "group_org_admins" { description = "Google Group for GCP Organization Administrators" type = string } + +variable "project_deletion_policy" { + description = "The deletion policy for the project created." + type = string + default = "PREVENT" +} diff --git a/examples/tf_cloudbuild_workspace_simple/apis.tf b/examples/tf_cloudbuild_workspace_simple/apis.tf index 5b8585f0..be770f13 100644 --- a/examples/tf_cloudbuild_workspace_simple/apis.tf +++ b/examples/tf_cloudbuild_workspace_simple/apis.tf @@ -16,7 +16,7 @@ module "enabled_google_apis" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 15.0" + version = "~> 17.0" project_id = var.project_id disable_services_on_destroy = false diff --git a/examples/tf_cloudbuild_workspace_simple_github/apis.tf b/examples/tf_cloudbuild_workspace_simple_github/apis.tf index 38049631..fb0eb8c0 100644 --- a/examples/tf_cloudbuild_workspace_simple_github/apis.tf +++ b/examples/tf_cloudbuild_workspace_simple_github/apis.tf @@ -16,7 +16,7 @@ module "enabled_google_apis" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 15.0" + version = "~> 17.0" project_id = var.project_id disable_services_on_destroy = false diff --git a/examples/tf_cloudbuild_workspace_simple_github/main.tf b/examples/tf_cloudbuild_workspace_simple_github/main.tf index f7587cf9..1155997f 100644 --- a/examples/tf_cloudbuild_workspace_simple_github/main.tf +++ b/examples/tf_cloudbuild_workspace_simple_github/main.tf 
@@ -61,7 +61,6 @@ module "tf_workspace" { depends_on = [module.enabled_google_apis] } - // Create a secret containing the personal access token and grant permissions to the Service Agent. resource "google_secret_manager_secret" "github_token_secret" { project = var.project_id diff --git a/examples/tf_cloudbuild_workspace_simple_gitlab/apis.tf b/examples/tf_cloudbuild_workspace_simple_gitlab/apis.tf index 38049631..fb0eb8c0 100644 --- a/examples/tf_cloudbuild_workspace_simple_gitlab/apis.tf +++ b/examples/tf_cloudbuild_workspace_simple_gitlab/apis.tf @@ -16,7 +16,7 @@ module "enabled_google_apis" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 15.0" + version = "~> 17.0" project_id = var.project_id disable_services_on_destroy = false diff --git a/main.tf b/main.tf index 8f60f715..790c8e31 100644 --- a/main.tf +++ b/main.tf @@ -59,7 +59,7 @@ resource "google_folder_iam_member" "tmp_project_creator" { module "seed_project" { source = "terraform-google-modules/project-factory/google" - version = "~> 15.0" + version = "~> 17.0" name = local.seed_project_id random_project_id = var.random_suffix disable_services_on_destroy = false @@ -70,6 +70,7 @@ module "seed_project" { create_project_sa = false labels = var.project_labels lien = true + deletion_policy = var.project_deletion_policy } module "enable_cross_project_service_account_usage" { @@ -111,7 +112,7 @@ data "google_storage_project_service_account" "gcs_account" { module "kms" { count = var.encrypt_gcs_bucket_tfstate ? 1 : 0 source = "terraform-google-modules/kms/google" - version = "~> 2.1" + version = "~> 3.2" project_id = module.seed_project.project_id location = var.default_region diff --git a/modules/cloudbuild/README.md b/modules/cloudbuild/README.md index a34a7c11..4da1356c 100644 --- a/modules/cloudbuild/README.md +++ b/modules/cloudbuild/README.md 
@@ -65,6 +65,7 @@ Functional examples and sample Cloud Build definitions are included in the [exam | group\_org\_admins | Google Group for GCP Organization Administrators | `string` | n/a | yes | | impersonate\_service\_account | The service account to impersonate while running the gcloud builds submit command. | `string` | `""` | no | | org\_id | GCP Organization ID | `string` | n/a | yes | +| project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no | | project\_id | Custom project ID to use for project created. | `string` | `""` | no | | project\_labels | Labels to apply to the project. | `map(string)` | `{}` | no | | project\_prefix | Name prefix to use for projects created. | `string` | `"cft"` | no | diff --git a/modules/cloudbuild/main.tf b/modules/cloudbuild/main.tf index dd80fe69..2381f1ae 100644 --- a/modules/cloudbuild/main.tf +++ b/modules/cloudbuild/main.tf @@ -36,7 +36,7 @@ resource "random_id" "suffix" { module "cloudbuild_project" { source = "terraform-google-modules/project-factory/google" - version = "~> 15.0" + version = "~> 17.0" name = local.cloudbuild_project_id random_project_id = var.random_suffix disable_services_on_destroy = false @@ -45,6 +45,7 @@ module "cloudbuild_project" { billing_account = var.billing_account activate_apis = local.activate_apis labels = var.project_labels + deletion_policy = var.project_deletion_policy } /****************************************** diff --git a/modules/cloudbuild/variables.tf b/modules/cloudbuild/variables.tf index 1101673c..2519e248 100644 --- a/modules/cloudbuild/variables.tf +++ b/modules/cloudbuild/variables.tf @@ -77,6 +77,12 @@ variable "project_id" { type = string } +variable "project_deletion_policy" { + description = "The deletion policy for the project created." + type = string + default = "PREVENT" +} + variable "activate_apis" { description = "List of APIs to enable in the Cloudbuild project." type = list(string) 
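Review bot: The new `project_deletion_policy` variable in `modules/cloudbuild/variables.tf` accepts any string and its description says nothing about the allowed values or that the default makes `terraform destroy` refuse to remove the Cloud Build project, so a mistyped value is only rejected by the provider and a reader of the README row cannot tell what the default does. Add a `validation` block restricting the value to the policies the provider accepts (`PREVENT` and `DELETE` are the ones used in this change; the provider also documents `ABANDON`, which you may want to omit if orphaning the project should not be possible here) and expand the description; the value is passed straight through to project-factory's `deletion_policy` in the `main.tf` hunk above.
```hcl
variable "project_deletion_policy" {
  description = "Deletion policy for the Cloud Build project this module creates, passed to project-factory's deletion_policy. PREVENT (default) makes terraform destroy refuse to delete the project; DELETE allows deletion."
  type        = string
  default     = "PREVENT"

  validation {
    condition     = contains(["PREVENT", "DELETE", "ABANDON"], var.project_deletion_policy)
    error_message = "project_deletion_policy must be one of PREVENT, DELETE or ABANDON."
  }
}
```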
diff --git a/modules/cloudbuild/versions.tf b/modules/cloudbuild/versions.tf index b7d82450..61ba17ab 100644 --- a/modules/cloudbuild/versions.tf +++ b/modules/cloudbuild/versions.tf @@ -21,12 +21,12 @@ terraform { google = { source = "hashicorp/google" # Exclude 4.31.0 for https://github.com/hashicorp/terraform-provider-google/issues/12226 - version = ">= 3.50, != 4.31.0, <6" + version = ">= 3.50, != 4.31.0, <7" } google-beta = { source = "hashicorp/google-beta" # Exclude 4.31.0 for https://github.com/hashicorp/terraform-provider-google/issues/12226 - version = ">= 3.50, != 4.31.0, <6" + version = ">= 3.50, != 4.31.0, <7" } random = { source = "hashicorp/random" diff --git a/modules/cloudbuild_repo_connection/versions.tf b/modules/cloudbuild_repo_connection/versions.tf index 12cf63d4..355d6234 100644 --- a/modules/cloudbuild_repo_connection/versions.tf +++ b/modules/cloudbuild_repo_connection/versions.tf @@ -21,7 +21,7 @@ terraform { google = { source = "hashicorp/google" # Exclude 4.31.0 for https://github.com/hashicorp/terraform-provider-google/issues/12226 - version = ">= 4.17, != 4.31.0, < 6" + version = ">= 4.17, != 4.31.0, < 7" } time = { @@ -37,7 +37,7 @@ terraform { google-beta = { source = "hashicorp/google-beta" # Exclude 4.31.0 for https://github.com/hashicorp/terraform-provider-google/issues/12226 - version = ">= 4.17, != 4.31.0, < 6" + version = ">= 4.17, != 4.31.0, < 7" } } } diff --git a/modules/im_cloudbuild_workspace/cb.tf b/modules/im_cloudbuild_workspace/cb.tf index cdf1f119..03663bab 100644 --- a/modules/im_cloudbuild_workspace/cb.tf +++ b/modules/im_cloudbuild_workspace/cb.tf @@ -123,7 +123,5 @@ resource "google_cloudbuild_trigger" "triggers" { included_files = var.cloudbuild_included_files ignored_files = var.cloudbuild_ignored_files - depends_on = [ - google_project_iam_member.im_sa_roles, - ] + depends_on = [google_project_iam_member.im_sa_roles] } 
diff --git a/modules/im_cloudbuild_workspace/versions.tf b/modules/im_cloudbuild_workspace/versions.tf index ab515502..5e70d8c1 100644 --- a/modules/im_cloudbuild_workspace/versions.tf +++ b/modules/im_cloudbuild_workspace/versions.tf @@ -21,12 +21,12 @@ terraform { google = { source = "hashicorp/google" # Exclude 4.31.0 for https://github.com/hashicorp/terraform-provider-google/issues/12226 - version = ">= 4.17, != 4.31.0, < 6" + version = ">= 4.17, != 4.31.0, < 7" } google-beta = { source = "hashicorp/google-beta" # Exclude 4.31.0 for https://github.com/hashicorp/terraform-provider-google/issues/12226 - version = ">= 4.17, != 4.31.0, < 6" + version = ">= 4.17, != 4.31.0, < 7" } random = { source = "hashicorp/random" diff --git a/modules/tf_cloudbuild_builder/cb.tf b/modules/tf_cloudbuild_builder/cb.tf index 420e355f..e8458757 100644 --- a/modules/tf_cloudbuild_builder/cb.tf +++ b/modules/tf_cloudbuild_builder/cb.tf @@ -125,7 +125,7 @@ resource "google_project_iam_member" "logs_writer" { # https://cloud.google.com/build/docs/securing-builds/store-manage-build-logs#store-custom-bucket module "bucket" { source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket" - version = "~> 6.0" + version = "~> 8.0" name = local.log_bucket_name project_id = var.project_id diff --git a/modules/tf_cloudbuild_builder/versions.tf b/modules/tf_cloudbuild_builder/versions.tf index c8e138c1..148ded64 100644 --- a/modules/tf_cloudbuild_builder/versions.tf +++ b/modules/tf_cloudbuild_builder/versions.tf @@ -21,12 +21,12 @@ terraform { google = { source = "hashicorp/google" # Exclude 4.31.0 for https://github.com/hashicorp/terraform-provider-google/issues/12226 - version = ">= 3.50, != 4.31.0, < 6" + version = ">= 3.50, != 4.31.0, < 7" } google-beta = { source = "hashicorp/google-beta" # Exclude 4.31.0 for https://github.com/hashicorp/terraform-provider-google/issues/12226 - version = ">= 3.50, != 4.31.0, < 6" + version = ">= 3.50, != 4.31.0, < 7" } } 
diff --git a/modules/tf_cloudbuild_source/README.md b/modules/tf_cloudbuild_source/README.md index bed8c529..9a5158bc 100644 --- a/modules/tf_cloudbuild_source/README.md +++ b/modules/tf_cloudbuild_source/README.md @@ -38,6 +38,7 @@ This module creates: | group\_org\_admins | Google Group for GCP Organization Administrators | `string` | n/a | yes | | location | Location for build artifacts bucket | `string` | `"us-central1"` | no | | org\_id | GCP Organization ID | `string` | n/a | yes | +| project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no | | project\_id | Custom project ID to use for project created. | `string` | `""` | no | | project\_labels | Labels to apply to the project. | `map(string)` | `{}` | no | | storage\_bucket\_labels | Labels to apply to the storage bucket. | `map(string)` | `{}` | no | diff --git a/modules/tf_cloudbuild_source/main.tf b/modules/tf_cloudbuild_source/main.tf index 35142b89..8454a435 100644 --- a/modules/tf_cloudbuild_source/main.tf +++ b/modules/tf_cloudbuild_source/main.tf @@ -33,7 +33,7 @@ locals { module "cloudbuild_project" { source = "terraform-google-modules/project-factory/google" - version = "~> 15.0" + version = "~> 17.0" name = local.cloudbuild_project_id random_project_id = local.use_random_suffix @@ -43,6 +43,7 @@ module "cloudbuild_project" { billing_account = var.billing_account activate_apis = local.activate_apis labels = var.project_labels + deletion_policy = var.project_deletion_policy } // On the first run of cloud build submit, a bucket is automaticaly created with name "[PROJECT_ID]_cloudbuild" 
@@ -52,7 +53,7 @@ module "cloudbuild_project" { // Creating the bucket beforehand make it is possible to define a custom location. module "cloudbuild_bucket" { source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket" - version = "~> 6.0" + version = "~> 8.0" name = "${module.cloudbuild_project.project_id}_cloudbuild" project_id = module.cloudbuild_project.project_id diff --git a/modules/tf_cloudbuild_source/variables.tf b/modules/tf_cloudbuild_source/variables.tf index 95f58fe3..c91ee4ce 100644 --- a/modules/tf_cloudbuild_source/variables.tf +++ b/modules/tf_cloudbuild_source/variables.tf @@ -31,6 +31,12 @@ variable "project_id" { type = string } +variable "project_deletion_policy" { + description = "The deletion policy for the project created." + type = string + default = "PREVENT" +} + variable "project_labels" { description = "Labels to apply to the project." type = map(string) diff --git a/modules/tf_cloudbuild_source/versions.tf b/modules/tf_cloudbuild_source/versions.tf index 12061af6..b0ae7d32 100644 --- a/modules/tf_cloudbuild_source/versions.tf +++ b/modules/tf_cloudbuild_source/versions.tf @@ -21,12 +21,12 @@ terraform { google = { source = "hashicorp/google" # Exclude 4.31.0 for https://github.com/hashicorp/terraform-provider-google/issues/12226 - version = ">= 3.50, != 4.31.0, < 6" + version = ">= 3.50, != 4.31.0, < 7" } google-beta = { source = "hashicorp/google-beta" # Exclude 4.31.0 for https://github.com/hashicorp/terraform-provider-google/issues/12226 - version = ">= 3.50, != 4.31.0, < 6" + version = ">= 3.50, != 4.31.0, < 7" } } diff --git a/modules/tf_cloudbuild_workspace/buckets.tf b/modules/tf_cloudbuild_workspace/buckets.tf index 929ded08..918db55a 100644 --- a/modules/tf_cloudbuild_workspace/buckets.tf +++ b/modules/tf_cloudbuild_workspace/buckets.tf 
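Review bot: `project_deletion_policy` in the `modules/tf_cloudbuild_source/variables.tf` hunk has no `validation` block and a one-line description, so an invalid value surfaces only as a provider error and nothing tells the caller that the default `PREVENT` will make `terraform destroy` fail on the project while `buckets_force_destroy` still tears down its buckets. Constrain the value and document the behaviour; the rewritten variable is below (drop `ABANDON` from the list if the module should not allow orphaning the project — it is a provider-documented value but is not used anywhere in this change).
```hcl
variable "project_deletion_policy" {
  description = "Deletion policy for the Cloud Build project created by this module, passed to project-factory's deletion_policy. PREVENT (default) makes terraform destroy refuse to delete the project; set DELETE only for disposable environments."
  type        = string
  default     = "PREVENT"

  validation {
    condition     = contains(["PREVENT", "DELETE", "ABANDON"], var.project_deletion_policy)
    error_message = "project_deletion_policy must be one of PREVENT, DELETE or ABANDON."
  }
}
```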
@@ -29,7 +29,7 @@ locals { module "artifacts_bucket" { source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket" - version = "~> 6.0" + version = "~> 8.0" name = var.artifacts_bucket_name != "" ? var.artifacts_bucket_name : "${local.default_prefix}-build-artifacts-${var.project_id}" project_id = var.project_id @@ -45,7 +45,7 @@ resource "google_storage_bucket_iam_member" "artifacts_admin" { module "log_bucket" { source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket" - version = "~> 6.0" + version = "~> 8.0" name = var.log_bucket_name != "" ? var.log_bucket_name : "${local.default_prefix}-build-logs-${var.project_id}" project_id = var.project_id @@ -62,7 +62,7 @@ resource "google_storage_bucket_iam_member" "log_admin" { # Custom bucket for storing TF state module "state_bucket" { source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket" - version = "~> 6.0" + version = "~> 8.0" count = var.create_state_bucket ? 1 : 0 name = var.create_state_bucket_name != "" ? var.create_state_bucket_name : "${local.default_prefix}-build-state-${var.project_id}" diff --git a/modules/tf_cloudbuild_workspace/versions.tf b/modules/tf_cloudbuild_workspace/versions.tf index b300f3e7..1dda7923 100644 --- a/modules/tf_cloudbuild_workspace/versions.tf +++ b/modules/tf_cloudbuild_workspace/versions.tf @@ -21,12 +21,12 @@ terraform { google = { source = "hashicorp/google" # Exclude 4.31.0 for https://github.com/hashicorp/terraform-provider-google/issues/12226 - version = ">= 4.17, != 4.31.0, < 6" + version = ">= 4.17, != 4.31.0, < 7" } google-beta = { source = "hashicorp/google-beta" # Exclude 4.31.0 for https://github.com/hashicorp/terraform-provider-google/issues/12226 - version = ">= 4.17, != 4.31.0, < 6" + version = ">= 4.17, != 4.31.0, < 7" } } diff --git a/test/fixtures/cloudbuild_enabled/main.tf b/test/fixtures/cloudbuild_enabled/main.tf index d5755dcb..4a510544 100644 --- a/test/fixtures/cloudbuild_enabled/main.tf 
+++ b/test/fixtures/cloudbuild_enabled/main.tf @@ -17,12 +17,13 @@ module "cloudbuild_enabled" { source = "../../../examples/cloudbuild_enabled" - org_id = var.org_id - billing_account = var.billing_account - group_org_admins = var.group_org_admins - group_billing_admins = var.group_billing_admins - default_region = var.default_region - project_prefix = "cft-test-cb" - force_destroy = var.force_destroy + org_id = var.org_id + billing_account = var.billing_account + group_org_admins = var.group_org_admins + group_billing_admins = var.group_billing_admins + default_region = var.default_region + project_prefix = "cft-test-cb" + force_destroy = var.force_destroy + project_deletion_policy = var.project_deletion_policy } diff --git a/test/fixtures/cloudbuild_enabled/variables.tf b/test/fixtures/cloudbuild_enabled/variables.tf index d9f0931f..e4c497a8 100644 --- a/test/fixtures/cloudbuild_enabled/variables.tf +++ b/test/fixtures/cloudbuild_enabled/variables.tf @@ -61,3 +61,9 @@ variable "force_destroy" { type = bool default = false } + +variable "project_deletion_policy" { + description = "The deletion policy for the project created." + type = string + default = "PREVENT" +} diff --git a/test/fixtures/simple-folder/main.tf b/test/fixtures/simple-folder/main.tf index a7aa699c..19b7028c 100644 --- a/test/fixtures/simple-folder/main.tf +++ b/test/fixtures/simple-folder/main.tf 
@@ -17,11 +17,12 @@ module "simple" { source = "../../../examples/simple-folder" - org_id = var.org_id - parent = var.parent_folder - billing_account = var.billing_account - group_org_admins = var.group_org_admins - group_billing_admins = var.group_billing_admins - default_region = var.default_region - project_prefix = "cft-test-fldr" + org_id = var.org_id + parent = var.parent_folder + billing_account = var.billing_account + group_org_admins = var.group_org_admins + group_billing_admins = var.group_billing_admins + default_region = var.default_region + project_prefix = "cft-test-fldr" + project_deletion_policy = var.project_deletion_policy } diff --git a/test/fixtures/simple-folder/variables.tf b/test/fixtures/simple-folder/variables.tf index 29c74cb6..6ff52239 100644 --- a/test/fixtures/simple-folder/variables.tf +++ b/test/fixtures/simple-folder/variables.tf @@ -60,3 +60,9 @@ variable "org_project_creators" { type = list(string) default = [] } + +variable "project_deletion_policy" { + description = "The deletion policy for the project created." + type = string + default = "PREVENT" +} diff --git a/test/fixtures/simple/main.tf b/test/fixtures/simple/main.tf index 1be738a5..d347b97a 100644 --- a/test/fixtures/simple/main.tf +++ b/test/fixtures/simple/main.tf @@ -17,10 +17,11 @@ module "simple" { source = "../../../examples/simple" - org_id = var.org_id - billing_account = var.billing_account - group_org_admins = var.group_org_admins - group_billing_admins = var.group_billing_admins - default_region = var.default_region - project_prefix = "cft-test" + org_id = var.org_id + billing_account = var.billing_account + group_org_admins = var.group_org_admins + group_billing_admins = var.group_billing_admins + default_region = var.default_region + project_prefix = "cft-test" + project_deletion_policy = var.project_deletion_policy } diff --git a/test/fixtures/simple/variables.tf b/test/fixtures/simple/variables.tf index 0285956b..b150d0f7 100644 
--- a/test/fixtures/simple/variables.tf
+++ b/test/fixtures/simple/variables.tf
@@ -55,3 +55,9 @@ variable "org_project_creators" {
 type = list(string)
 default = []
 }
+
+variable "project_deletion_policy" {
+ description = "The deletion policy for the project created."
+ type = string
+ default = "PREVENT"
+}
diff --git a/test/setup/iam.tf b/test/setup/iam.tf
index e584775d..f92aa89a 100644
--- a/test/setup/iam.tf
+++ b/test/setup/iam.tf
@@ -56,3 +56,11 @@ resource "google_project_iam_member" "int_test" {
 resource "google_service_account_key" "int_test" {
 service_account_id = google_service_account.int_test.id
 }
+
+resource "google_project_iam_member" "cb_service_agent_role" {
+ project = module.project.project_id
+ role = "roles/cloudbuild.serviceAgent"
+ member = "serviceAccount:service-${module.project.project_number}@gcp-sa-cloudbuild.iam.gserviceaccount.com"
+
+ depends_on = [module.project]
+}
diff --git a/test/setup/main.tf b/test/setup/main.tf
index 4f99fd48..ddf9987b 100644
--- a/test/setup/main.tf
+++ b/test/setup/main.tf
@@ -16,13 +16,14 @@ module "project" {
 source = "terraform-google-modules/project-factory/google"
- version = "~> 15.0"
+ version = "~> 17.0"
 name = "ci-bootstrap"
 random_project_id = true
 org_id = var.org_id
 folder_id = var.folder_id
 billing_account = var.billing_account
+ deletion_policy = "DELETE"
 activate_apis = [
 "cloudresourcemanager.googleapis.com",
@@ -41,8 +42,15 @@ module "project" {
 activate_api_identities = [
 {
- api = "cloudbuild.googleapis.com",
- roles = ["roles/cloudbuild.builds.builder"]
+ api = "cloudbuild.googleapis.com",
+ roles = [
+ "roles/cloudbuild.builds.builder",
+ "roles/cloudbuild.connectionAdmin",
+ ]
+ },
+ {
+ api = "workflows.googleapis.com",
+ roles = ["roles/workflows.serviceAgent"]
 },
 {
 api = "config.googleapis.com",
diff --git a/test/setup/outputs.tf b/test/setup/outputs.tf
index 2ff88e2d..3d9d81af 100644
--- a/test/setup/outputs.tf
+++ b/test/setup/outputs.tf
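Review bot: `depends_on = [module.project]` in the new `cb_service_agent_role` resource in `test/setup/iam.tf` is redundant, because `project = module.project.project_id` and the `member` string already reference `module.project` and give Terraform the same ordering; remove it. The hand-assembled member `serviceAccount:service-${module.project.project_number}@gcp-sa-cloudbuild.iam.gserviceaccount.com` also duplicates what the neighbouring `test/setup/main.tf` hunk already does for the same service agent through `activate_api_identities` (it now lists `roles/cloudbuild.builds.builder` and `roles/cloudbuild.connectionAdmin` for `cloudbuild.googleapis.com`); if that mechanism handles `roles/cloudbuild.serviceAgent` the same way, appending it to that `roles` list keeps the CI project's agent grants in one place and avoids hard-coding the agent email format. If the separate resource is kept, it needs a comment saying why an explicit grant is required, since this role is normally bound when the API is enabled: `# Explicitly bind the Cloud Build service agent role; the automatic grant made when the API is enabled has been observed missing in the CI project.` — adjust the wording to the actual failure that motivated it.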
@@ -59,3 +59,7 @@ output "random_testing_string" {
 description = "Access the random ID created in setup for labeling other resources."
 value = random_id.suffix.hex
 }
+
+output "project_deletion_policy" {
+ value = "DELETE"
+}
diff --git a/variables.tf b/variables.tf
index ba53b54d..cbf2d722 100644
--- a/variables.tf
+++ b/variables.tf
@@ -72,6 +72,12 @@ variable "project_id" {
 type = string
 }
+
+variable "project_deletion_policy" {
+ description = "The deletion policy for the project created."
+ type = string
+ default = "PREVENT"
+}
+
 variable "activate_apis" {
 description = "List of APIs to enable in the seed project."
 type = list(string)
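Review bot: The root `project_deletion_policy` variable accepts any string and its description does not say what the values mean or that the default `PREVENT` makes `terraform destroy` fail on the seed project, so a typo such as `"Prevent"` is only caught by the provider and the README row gives no hint that the default protects the project holding the `gcs_bucket_tfstate` state bucket. Add a `validation` block limiting the value to the policies the provider accepts (`PREVENT` and `DELETE` appear in this change; the provider also documents `ABANDON`, which you can drop from the list if orphaning the seed project should never be possible) and expand the description as below; the value is forwarded unchanged to project-factory's `deletion_policy` in `main.tf`, alongside `lien = true`, so it is worth stating that both protections apply.
```hcl
variable "project_deletion_policy" {
  description = "Deletion policy for the seed project, passed to project-factory's deletion_policy. PREVENT (default) makes terraform destroy refuse to delete the project, which holds the Terraform state bucket; set DELETE only for disposable environments. The project also carries a resource lien."
  type        = string
  default     = "PREVENT"

  validation {
    condition     = contains(["PREVENT", "DELETE", "ABANDON"], var.project_deletion_policy)
    error_message = "project_deletion_policy must be one of PREVENT, DELETE or ABANDON."
  }
}
```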