terraform-google-modules · apeabody · Oct 28, 2024 · Oct 14, 2024 · Oct 15, 2024 · Oct 15, 2024
@@ -63,6 +63,7 @@ For the cloudbuild submodule, see the README [cloudbuild](./modules/cloudbuild).
 | org\_id | GCP Organization ID | `string` | n/a | yes |
 | org\_project\_creators | Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required. | `list(string)` | `[]` | no |
 | parent\_folder | GCP parent folder ID in the form folders/{id} | `string` | `""` | no |
+| project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no |
 | project\_id | Custom project ID to use for project created. If not supplied, the default id is {project\_prefix}-seed-{random suffix}. | `string` | `""` | no |
 | project\_labels | Labels to apply to the project. | `map(string)` | `{}` | no |
 | project\_prefix | Name prefix to use for projects created. | `string` | `"cft"` | no |

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-timeout: 4200s
+timeout: 5400s
 steps:
 - id: swap-module-refs
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'

@@ -40,3 +40,43 @@ The endpoint that is used to trigger a build was replaced with a new one that al
 ```
  # module.cloudbuilder.google_workflows_workflow.builder will be updated in-place
 ```
+
+## Google Cloud Provider Project deletion_policy
+
+The `deletion_policy` for [project-factory](https://github.com/terraform-google-modules/terraform-google-project-factory) module now defaults to `"PREVENT"` rather than `"DELETE"`.
+This aligns with the behavior in Google Cloud Platform Provider v6+.
+To maintain the old behavior in the projects created within the modules you can set the new variable `project_deletion_policy = "DELETE"`.
+
+### Bootstrap main module
+
+```diff
+module "bootstrap" {
+  source  = "terraform-google-modules/bootstrap/google"
+- version = "~> 8.0"
++ version = "~> 9.0"
+
++ project_deletion_policy = "DELETE"
+```
+
+### Cloud Build sub module
+
+```diff
+module "cloudbuild" {
+  source  = "terraform-google-modules/bootstrap/google//modules/cloudbuild"
+- version = "~> 8.0"
++ version = "~> 9.0"
+
++ project_deletion_policy = "DELETE"
+```
+
+
+### Cloud Build Source sub module
+
+```diff
+module "tf_cloudbuild_source" {
+  source  = "terraform-google-modules/bootstrap/google//modules/tf_cloudbuild_source"
+- version = "~> 8.0"
++ version = "~> 9.0"
+
++ project_deletion_policy = "DELETE"
+```
@@ -14,6 +14,7 @@ This example combines the Organization bootstrap module with the Cloud Build sub
 | group\_org\_admins | Google Group for GCP Organization Administrators | `string` | n/a | yes |
 | org\_id | GCP Organization ID | `string` | n/a | yes |
 | org\_project\_creators | Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required. | `list(string)` | `[]` | no |
+| project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no |
 | project\_prefix | Name prefix to use for projects created. | `string` | `"cft"` | no |
 
 ## Outputs

@@ -31,6 +31,7 @@ module "seed_bootstrap" {
   sa_enable_impersonation = true
   project_prefix          = var.project_prefix
   force_destroy           = var.force_destroy
+  project_deletion_policy = var.project_deletion_policy
 }
 
 module "cloudbuild_bootstrap" {
@@ -47,4 +48,5 @@ module "cloudbuild_bootstrap" {
   terraform_state_bucket  = module.seed_bootstrap.gcs_bucket_tfstate
   project_prefix          = var.project_prefix
   force_destroy           = var.force_destroy
+  project_deletion_policy = var.project_deletion_policy
 }
@@ -57,3 +57,9 @@ variable "force_destroy" {
   type        = bool
   default     = false
 }
+
+variable "project_deletion_policy" {
+  description = "The deletion policy for the project created."
+  type        = string
+  default     = "PREVENT"
+}
@@ -15,7 +15,7 @@
  */
 
 module "github_connection" {
-  source = "terraform-google-modules/bootstrap/google//modules/cloudbuild_repo_connection"
+  source  = "terraform-google-modules/bootstrap/google//modules/cloudbuild_repo_connection"
   version = "~> 9.0"
 
   project_id = var.project_id

@@ -16,7 +16,7 @@
 
 module "enabled_google_apis" {
   source  = "terraform-google-modules/project-factory/google//modules/project_services"
-  version = "~> 15.0"
+  version = "~> 17.0"
 
   project_id                  = var.project_id
   disable_services_on_destroy = false

@@ -16,7 +16,7 @@
 
 module "enabled_google_apis" {
   source  = "terraform-google-modules/project-factory/google//modules/project_services"
-  version = "~> 15.0"
+  version = "~> 17.0"
 
   project_id                  = var.project_id
   disable_services_on_destroy = false

@@ -14,6 +14,7 @@ This example demonstrates the simplest usage of the GCP organization bootstrap m
 | org\_id | GCP Organization ID | `string` | n/a | yes |
 | org\_project\_creators | Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required. | `list(string)` | `[]` | no |
 | parent | GCP parent folder id of form folders/{id} | `string` | n/a | yes |
+| project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no |
 | project\_prefix | Name prefix to use for projects created. | `string` | `"cft"` | no |
 
 ## Outputs

@@ -22,12 +22,13 @@ module "seed_bootstrap" {
   source  = "terraform-google-modules/bootstrap/google"
   version = "~> 8.0"
 
-  org_id               = var.org_id
-  parent_folder        = var.parent
-  billing_account      = var.billing_account
-  group_org_admins     = var.group_org_admins
-  group_billing_admins = var.group_billing_admins
-  default_region       = var.default_region
-  org_project_creators = var.org_project_creators
-  project_prefix       = var.project_prefix
+  org_id                  = var.org_id
+  parent_folder           = var.parent
+  billing_account         = var.billing_account
+  group_org_admins        = var.group_org_admins
+  group_billing_admins    = var.group_billing_admins
+  default_region          = var.default_region
+  org_project_creators    = var.org_project_creators
+  project_prefix          = var.project_prefix
+  project_deletion_policy = var.project_deletion_policy
 }
@@ -56,3 +56,9 @@ variable "project_prefix" {
   default     = "cft"
   type        = string
 }
+
+variable "project_deletion_policy" {
+  description = "The deletion policy for the project created."
+  type        = string
+  default     = "PREVENT"
+}
@@ -13,6 +13,7 @@ This example demonstrates the simplest usage of the GCP organization bootstrap m
 | group\_org\_admins | Google Group for GCP Organization Administrators | `string` | n/a | yes |
 | org\_id | GCP Organization ID | `string` | n/a | yes |
 | org\_project\_creators | Additional list of members to have project creator role accross the organization. Prefix of group: user: or serviceAccount: is required. | `list(string)` | `[]` | no |
+| project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no |
 | project\_prefix | Name prefix to use for projects created. | `string` | `"cft"` | no |
 
 ## Outputs

@@ -22,11 +22,12 @@ module "seed_bootstrap" {
   source  = "terraform-google-modules/bootstrap/google"
   version = "~> 8.0"
 
-  org_id               = var.org_id
-  billing_account      = var.billing_account
-  group_org_admins     = var.group_org_admins
-  group_billing_admins = var.group_billing_admins
-  default_region       = var.default_region
-  org_project_creators = var.org_project_creators
-  project_prefix       = var.project_prefix
+  org_id                  = var.org_id
+  billing_account         = var.billing_account
+  group_org_admins        = var.group_org_admins
+  group_billing_admins    = var.group_billing_admins
+  default_region          = var.default_region
+  org_project_creators    = var.org_project_creators
+  project_prefix          = var.project_prefix
+  project_deletion_policy = var.project_deletion_policy
 }
@@ -51,3 +51,9 @@ variable "project_prefix" {
   default     = "cft"
   type        = string
 }
+
+variable "project_deletion_policy" {
+  description = "The deletion policy for the project created."
+  type        = string
+  default     = "PREVENT"
+}
@@ -16,7 +16,7 @@
 
 module "enabled_google_apis" {
   source  = "terraform-google-modules/project-factory/google//modules/project_services"
-  version = "~> 15.0"
+  version = "~> 17.0"
 
   project_id                  = var.project_id
   disable_services_on_destroy = false

@@ -16,7 +16,7 @@
 
 module "enabled_google_apis" {
   source  = "terraform-google-modules/project-factory/google//modules/project_services"
-  version = "~> 15.0"
+  version = "~> 17.0"
 
   project_id                  = var.project_id
   disable_services_on_destroy = false

@@ -16,7 +16,7 @@
 
 module "enabled_google_apis" {
   source  = "terraform-google-modules/project-factory/google//modules/project_services"
-  version = "~> 15.0"
+  version = "~> 17.0"
 
   project_id                  = var.project_id
   disable_services_on_destroy = false

@@ -53,6 +53,8 @@ module "cloudbuilder" {
 
   # allow logs bucket to be destroyed
   cb_logs_bucket_force_destroy = true
+
+  depends_on = [module.enabled_google_apis]
 }
 
 // Create a secret containing the personal access token and grant permissions to the Service Agent.

@@ -11,6 +11,7 @@ This example demonstrates the simplest usage of the [tf_cloudbuild_source](../..
 | group\_org\_admins | Google Group for GCP Organization Administrators | `string` | n/a | yes |
 | org\_id | GCP Organization ID | `string` | n/a | yes |
 | parent\_folder | The bootstrap parent folder | `string` | `""` | no |
+| project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no |
 
 ## Outputs
 

@@ -18,9 +18,10 @@ module "tf_source" {
   source  = "terraform-google-modules/bootstrap/google//modules/tf_cloudbuild_source"
   version = "~> 8.0"
 
-  org_id                = var.org_id
-  folder_id             = var.parent_folder
-  billing_account       = var.billing_account
-  group_org_admins      = var.group_org_admins
-  buckets_force_destroy = true
+  org_id                  = var.org_id
+  folder_id               = var.parent_folder
+  billing_account         = var.billing_account
+  group_org_admins        = var.group_org_admins
+  buckets_force_destroy   = true
+  project_deletion_policy = var.project_deletion_policy
 }
@@ -34,3 +34,9 @@ variable "group_org_admins" {
   description = "Google Group for GCP Organization Administrators"
   type        = string
 }
+
+variable "project_deletion_policy" {
+  description = "The deletion policy for the project created."
+  type        = string
+  default     = "PREVENT"
+}
@@ -16,7 +16,7 @@
 
 module "enabled_google_apis" {
   source  = "terraform-google-modules/project-factory/google//modules/project_services"
-  version = "~> 15.0"
+  version = "~> 17.0"
 
   project_id                  = var.project_id
   disable_services_on_destroy = false

@@ -16,7 +16,7 @@
 
 module "enabled_google_apis" {
   source  = "terraform-google-modules/project-factory/google//modules/project_services"
-  version = "~> 15.0"
+  version = "~> 17.0"
 
   project_id                  = var.project_id
   disable_services_on_destroy = false

@@ -61,7 +61,6 @@ module "tf_workspace" {
   depends_on = [module.enabled_google_apis]
 }
 
-
 // Create a secret containing the personal access token and grant permissions to the Service Agent.
 resource "google_secret_manager_secret" "github_token_secret" {
   project   = var.project_id

@@ -16,7 +16,7 @@
 
 module "enabled_google_apis" {
   source  = "terraform-google-modules/project-factory/google//modules/project_services"
-  version = "~> 15.0"
+  version = "~> 17.0"
 
   project_id                  = var.project_id
   disable_services_on_destroy = false

@@ -59,7 +59,7 @@ resource "google_folder_iam_member" "tmp_project_creator" {
 
 module "seed_project" {
   source                      = "terraform-google-modules/project-factory/google"
-  version                     = "~> 15.0"
+  version                     = "~> 17.0"
   name                        = local.seed_project_id
   random_project_id           = var.random_suffix
   disable_services_on_destroy = false
@@ -70,6 +70,7 @@ module "seed_project" {
   create_project_sa           = false
   labels                      = var.project_labels
   lien                        = true
+  deletion_policy             = var.project_deletion_policy
 }
 
 module "enable_cross_project_service_account_usage" {
@@ -111,7 +112,7 @@ data "google_storage_project_service_account" "gcs_account" {
 module "kms" {
   count   = var.encrypt_gcs_bucket_tfstate ? 1 : 0
   source  = "terraform-google-modules/kms/google"
-  version = "~> 2.1"
+  version = "~> 3.2"
 
   project_id           = module.seed_project.project_id
   location             = var.default_region

@@ -65,6 +65,7 @@ Functional examples and sample Cloud Build definitions are included in the [exam
 | group\_org\_admins | Google Group for GCP Organization Administrators | `string` | n/a | yes |
 | impersonate\_service\_account | The service account to impersonate while running the gcloud builds submit command. | `string` | `""` | no |
 | org\_id | GCP Organization ID | `string` | n/a | yes |
+| project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no |
 | project\_id | Custom project ID to use for project created. | `string` | `""` | no |
 | project\_labels | Labels to apply to the project. | `map(string)` | `{}` | no |
 | project\_prefix | Name prefix to use for projects created. | `string` | `"cft"` | no |

@@ -36,7 +36,7 @@ resource "random_id" "suffix" {
 
 module "cloudbuild_project" {
   source                      = "terraform-google-modules/project-factory/google"
-  version                     = "~> 15.0"
+  version                     = "~> 17.0"
   name                        = local.cloudbuild_project_id
   random_project_id           = var.random_suffix
   disable_services_on_destroy = false
@@ -45,6 +45,7 @@ module "cloudbuild_project" {
   billing_account             = var.billing_account
   activate_apis               = local.activate_apis
   labels                      = var.project_labels
+  deletion_policy             = var.project_deletion_policy
 }
 
 /******************************************

@@ -77,6 +77,12 @@ variable "project_id" {
   type        = string
 }
 
+variable "project_deletion_policy" {
+  description = "The deletion policy for the project created."
+  type        = string
+  default     = "PREVENT"
+}
+
 variable "activate_apis" {
   description = "List of APIs to enable in the Cloudbuild project."
   type        = list(string)

@@ -21,12 +21,12 @@ terraform {
     google = {
       source = "hashicorp/google"
       # Exclude 4.31.0 for https://github.com/hashicorp/terraform-provider-google/issues/12226
-      version = ">= 3.50, != 4.31.0, <6"
+      version = ">= 3.50, != 4.31.0, <7"
     }
     google-beta = {
       source = "hashicorp/google-beta"
       # Exclude 4.31.0 for https://github.com/hashicorp/terraform-provider-google/issues/12226
-      version = ">= 3.50, != 4.31.0, <6"
+      version = ">= 3.50, != 4.31.0, <7"
     }
     random = {
       source  = "hashicorp/random"

@@ -21,7 +21,7 @@ terraform {
     google = {
       source = "hashicorp/google"
       # Exclude 4.31.0 for https://github.com/hashicorp/terraform-provider-google/issues/12226
-      version = ">= 4.17, != 4.31.0, < 6"
+      version = ">= 4.17, != 4.31.0, < 7"
     }
 
     time = {
@@ -37,7 +37,7 @@ terraform {
     google-beta = {
       source = "hashicorp/google-beta"
       # Exclude 4.31.0 for https://github.com/hashicorp/terraform-provider-google/issues/12226
-      version = ">= 4.17, != 4.31.0, < 6"
+      version = ">= 4.17, != 4.31.0, < 7"
     }
   }
 }