From f55020f2b7bccf0c3f63925d72ef7227705ad2b0 Mon Sep 17 00:00:00 2001
From: Abhishek Tiwari
Date: Fri, 22 Nov 2024 07:15:09 +0000
Subject: [PATCH] fix: add deletion_protection to backup module and set it to false in intergration tests
---
 examples/mysql-backup-create-service-account/main.tf | 1 +
 .../main.tf | 1 +
 examples/postgresql-with-cross-region-failover/kms.tf | 11 +++++++++--
 modules/backup/README.md | 1 +
 modules/backup/main.tf | 2 ++
 modules/backup/metadata.yaml | 6 +++++-
 modules/backup/variables.tf | 6 ++++++
 modules/backup/versions.tf | 2 +-
 8 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/examples/mysql-backup-create-service-account/main.tf b/examples/mysql-backup-create-service-account/main.tf
index b434eb8b..d2f6316d 100644
--- a/examples/mysql-backup-create-service-account/main.tf
+++ b/examples/mysql-backup-create-service-account/main.tf
@@ -56,4 +56,5 @@ module "backup" {
 backup_schedule = "5 * * * *"
 export_schedule = "10 * * * *"
 compress_export = false
+ deletion_protection = false
 }
diff --git a/examples/postgresql-backup-provided-service-account/main.tf b/examples/postgresql-backup-provided-service-account/main.tf
index fd18b856..e34c76e4 100644
--- a/examples/postgresql-backup-provided-service-account/main.tf
+++ b/examples/postgresql-backup-provided-service-account/main.tf
@@ -70,6 +70,7 @@ module "backup" {
 service_account = "${data.google_project.test_project.number}-compute@developer.gserviceaccount.com"
 create_notification_channel = false
 notification_channels = [google_monitoring_notification_channel.email.id]
+ deletion_protection = false
 }
 data "google_project" "test_project" {
diff --git a/examples/postgresql-with-cross-region-failover/kms.tf b/examples/postgresql-with-cross-region-failover/kms.tf
index 913bcab8..001d7147 100644
--- a/examples/postgresql-with-cross-region-failover/kms.tf
+++ b/examples/postgresql-with-cross-region-failover/kms.tf
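Review bot: The added `deletion_protection = false` in examples/mysql-backup-create-service-account/main.tf, and the identical line in examples/postgresql-backup-provided-service-account/main.tf, carries no comment saying why the guard is switched off, and examples are what users copy into real configurations. The commit subject says the value is there for the integration tests, so the example should say so too, for instance `# Disabled only so the integration tests can destroy the workflows; keep the module default (true) elsewhere.` above the argument in both files. Both `module "backup"` blocks start outside their hunks.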
@@ -60,15 +60,22 @@ resource "google_project_service_identity" "cloudsql_sa" {
 service = "sqladmin.googleapis.com"
 }
+resource "time_sleep" "wait_10m" {
+ depends_on = [google_project_service_identity.cloudsql_sa]
+ create_duration = "10m"
+}
+
 resource "google_kms_crypto_key_iam_member" "crypto_key_region1" {
 crypto_key_id = google_kms_crypto_key.cloudsql_region1_key.id
 role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
- member = "serviceAccount:${google_project_service_identity.cloudsql_sa.email}"
+ member = google_project_service_identity.cloudsql_sa.member
+ depends_on = [time_sleep.wait_10m]
 }
 resource "google_kms_crypto_key_iam_member" "crypto_key_region2" {
 crypto_key_id = google_kms_crypto_key.cloudsql_region2_key.id
 role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
- member = "serviceAccount:${google_project_service_identity.cloudsql_sa.email}"
+ member = google_project_service_identity.cloudsql_sa.member
+ depends_on = [time_sleep.wait_10m]
 }
diff --git a/modules/backup/README.md b/modules/backup/README.md
index 8c5d238d..b12be0f4 100644
--- a/modules/backup/README.md
+++ b/modules/backup/README.md
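Review bot: `time_sleep.wait_10m` holds back both KMS grants for a fixed ten minutes with no comment saying what it waits for, and the commit changes no provider requirements for this example. If the sleep is meant to let the newly created Cloud SQL service agent become visible to IAM before `google_kms_crypto_key_iam_member` binds it, state that above the resource, e.g. `# Wait for the Cloud SQL service agent to propagate before granting it the CMEK role.`, and check whether a shorter duration is enough. `time_sleep` comes from the hashicorp/time provider and the diffstat shows only kms.tf changing in this example, so confirm that its `required_providers` already constrains that provider instead of leaving it to implicit, unpinned resolution. The move to `google_project_service_identity.cloudsql_sa.member` likewise presumes a google provider release that exports that attribute, which should match the example's version floor.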
@@ -60,6 +60,7 @@ fetch workflows.googleapis.com/Workflow
 | compress\_export | Whether or not to compress the export when storing in the bucket; Only valid for MySQL and PostgreSQL | `bool` | `true` | no |
 | connector\_params\_timeout | The end-to-end duration the connector call is allowed to run for before throwing a timeout exception. The default value is 1800 and this should be the maximum for connector methods that are not long-running operations. Otherwise, for long-running operations, the maximum timeout for a connector call is 31536000 seconds (one year). | `number` | `1800` | no |
 | create\_notification\_channel | If set to true it will create email notification channel | `bool` | `false` | no |
+| deletion\_protection | Whether Terraform will be prevented from destroying the workflow. | `bool` | `true` | no |
 | enable\_backup\_monitoring | Whether to monitor backup workflows or not | `bool` | `false` | no |
 | enable\_connector\_params | Whether to enable connector-specific parameters for Google Workflow SQL Export. | `bool` | `false` | no |
 | enable\_export\_backup | Weather to create exports to GCS Buckets with this module | `bool` | `true` | no |
diff --git a/modules/backup/main.tf b/modules/backup/main.tf
index d590738d..872d4566 100644
--- a/modules/backup/main.tf
+++ b/modules/backup/main.tf
@@ -99,6 +99,7 @@ resource "google_workflows_workflow" "sql_backup" {
 backupRetentionTime = var.backup_retention_time
 backupRunsListMaxResults = var.backup_runs_list_max_results
 })
+ deletion_protection = var.deletion_protection
 }
 resource "google_cloud_scheduler_job" "sql_backup" {
@@ -171,6 +172,7 @@ resource "google_workflows_workflow" "sql_export" {
 logDbName = var.log_db_name_to_export
 serverlessExport = var.use_serverless_export
 })
+ deletion_protection = var.deletion_protection
 }
 resource "google_cloud_scheduler_job" "sql_export" {
diff --git a/modules/backup/metadata.yaml b/modules/backup/metadata.yaml
index 5198a9fe..ad41812b 100644
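Review bot: The new `deletion_protection = var.deletion_protection` on `google_workflows_workflow.sql_backup`, and the same line on `sql_export` in the following hunk, has no comment stating what it does and does not protect. The description added elsewhere in this commit says only that Terraform will be prevented from destroying the workflow, which reads as a guard inside Terraform rather than a control on the Workflows API, so it presumably does not stop a principal with delete permission from removing the workflow outside Terraform. A comment above each argument such as `# Terraform-side guard against accidental destroy; deletion rights are still governed by IAM.` would keep readers from treating it as an access control. Both resource bodies start outside their hunks.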
--- a/modules/backup/metadata.yaml
+++ b/modules/backup/metadata.yaml
@@ -27,7 +27,7 @@ spec:
 dir: /modules/backup
 actuationTool:
 flavor: Terraform
- version: ">= 0.13"
+ version: ">= 1.3"
 description: {}
 content:
 examples:
@@ -89,6 +89,10 @@ spec:
 description: If set to true it will create email notification channel
 varType: bool
 defaultValue: false
+ - name: deletion_protection
+ description: Whether Terraform will be prevented from destroying the workflow.
+ varType: bool
+ defaultValue: true
 - name: enable_backup_monitoring
 description: Whether to monitor backup workflows or not
 varType: bool
diff --git a/modules/backup/variables.tf b/modules/backup/variables.tf
index 84d4bcf7..598495c5 100644
--- a/modules/backup/variables.tf
+++ b/modules/backup/variables.tf
@@ -192,3 +192,9 @@ variable "notification_channels" {
 type = list(string)
 default = []
 }
+
+variable "deletion_protection" {
+ description = "Whether Terraform will be prevented from destroying the workflow."
+ type = bool
+ default = true
+}
diff --git a/modules/backup/versions.tf b/modules/backup/versions.tf
index 8fbfeba7..d2492885 100644
--- a/modules/backup/versions.tf
+++ b/modules/backup/versions.tf
@@ -19,7 +19,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 4.0, < 7"
+ version = ">= 6.11.0, < 7"
 }
 }
 }
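Review bot: The description on `variable "deletion_protection"` in modules/backup/variables.tf says "the workflow", but modules/backup/main.tf in this commit passes the variable to both `sql_backup` and `sql_export`, and nothing tells an operator how to tear the module down once the default of `true` is in effect. Suggested wording: `description = "Whether Terraform will be prevented from destroying the backup and export workflows. Set to false before destroying the module."`; if the provider needs the `false` value applied to state first, as similar deletion_protection fields do, say that as well. The versions.tf hunk in the same commit raises the google provider floor from `>= 4.0` to `>= 6.11.0` under a `fix:` subject, so callers pinned to 4.x or 5.x are forced to upgrade and would benefit from an upgrade note.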