feat!: add Terraform 0.13 constraint and module attribution (#45)

* feat!: add Terraform 0.13 constraint and module attribution

* Bumped versions and update bq flag.

Co-authored-by: James Duncan <[email protected]>

Makefile

@@ -18,7 +18,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
 
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.4.1
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.13
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
 

README.md

@@ -3,8 +3,10 @@
 This module handles opinionated VPC Service Controls and Access Context Manager configuration and deployments.
 
 ## Compatibility
-This module is meant for use with Terraform 0.12. If you haven't [upgraded](https://www.terraform.io/upgrade-guides/0-12.html) and need a Terraform 0.11.x-compatible version of this module, the last released version intended for Terraform 0.11.x
-is [0.1.0](https://registry.terraform.io/modules/terraform-google-modules/vpc-service-controls/google/0.1.0).
+This module is meant for use with Terraform 0.13. If you haven't
+[upgraded](https://www.terraform.io/upgrade-guides/0-13.html) and need a Terraform
+0.12.x-compatible version of this module, the last released version
+intended for Terraform 0.12.x is [v2.1.0](https://registry.terraform.io/modules/terraform-google-modules/-vpc-service-controls/google/v2.1.0).
 
 ## Usage
 The root module only handles the configuration of the [access_context_manager_policy resource](https://www.terraform.io/docs/providers/google/r/access_context_manager_access_policy.html). For examples on how to use the root module with along with other submodules to configure all of VPC Service Controls and Access Context Manager resources, see the [examples](./examples/) folder and the [modules](./modules/) folder
@@ -58,9 +60,9 @@ You can add a delay using terraform's [`null_resource`](https://www.terraform.io
 ## Inputs
 
 | Name | Description | Type | Default | Required |
-|------|-------------|:----:|:-----:|:-----:|
-| parent\_id | The parent of this AccessPolicy in the Cloud Resource Hierarchy. As of now, only organization are accepted as parent. | string | n/a | yes |
-| policy\_name | The policy's name. | string | n/a | yes |
+|------|-------------|------|---------|:--------:|
+| parent\_id | The parent of this AccessPolicy in the Cloud Resource Hierarchy. As of now, only organization are accepted as parent. | `string` | n/a | yes |
+| policy\_name | The policy's name. | `string` | n/a | yes |
 
 ## Outputs
 
@@ -83,7 +85,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog
 
 ### Software Dependencies
 ### Terraform
-- [Terraform](https://www.terraform.io/downloads.html) >= 0.12.0
+- [Terraform](https://www.terraform.io/downloads.html) >= 0.13.0
 - [terraform-provider-google](https://github.com/terraform-providers/terraform-provider-google) >= v3.19.0
 
 ### Configure a Service Account

build/int.cloudbuild.yaml

@@ -75,4 +75,4 @@ tags:
 - 'integration'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.4.1'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.13'

build/lint.cloudbuild.yaml

@@ -21,4 +21,4 @@ tags:
 - 'lint'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.4.1'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.13'

examples/automatic_folder/README.md

@@ -102,15 +102,15 @@ Terraform is used to set up a new service perimeter and to deploy a Cloud Functi
 ## Inputs
 
 | Name | Description | Type | Default | Required |
-|------|-------------|:----:|:-----:|:-----:|
-| folder\_id | Folder ID to watch for projects. | string | n/a | yes |
-| members | An allowed list of members (users, service accounts). The signed-in identity originating the request must be a part of one of the provided members. If not specified, a request may come from any user (logged in/not logged in, etc.). Formats: user:{emailid}, serviceAccount:{emailid} | list(string) | n/a | yes |
-| org\_id | The parent organization ID of this AccessPolicy in the Cloud Resource Hierarchy. | string | n/a | yes |
-| perimeter\_name | Name of perimeter. | string | `"regular_perimeter"` | no |
-| policy\_name | The policy's name. | string | n/a | yes |
-| project\_id | The ID of the project to host the watcher function. | string | n/a | yes |
-| region | The region in which resources will be applied. | string | n/a | yes |
-| restricted\_services | List of services to restrict. | list(string) | n/a | yes |
+|------|-------------|------|---------|:--------:|
+| folder\_id | Folder ID to watch for projects. | `string` | n/a | yes |
+| members | An allowed list of members (users, service accounts). The signed-in identity originating the request must be a part of one of the provided members. If not specified, a request may come from any user (logged in/not logged in, etc.). Formats: user:{emailid}, serviceAccount:{emailid} | `list(string)` | n/a | yes |
+| org\_id | The parent organization ID of this AccessPolicy in the Cloud Resource Hierarchy. | `string` | n/a | yes |
+| perimeter\_name | Name of perimeter. | `string` | `"regular_perimeter"` | no |
+| policy\_name | The policy's name. | `string` | n/a | yes |
+| project\_id | The ID of the project to host the watcher function. | `string` | n/a | yes |
+| region | The region in which resources will be applied. | `string` | n/a | yes |
+| restricted\_services | List of services to restrict. | `list(string)` | n/a | yes |
 
 ## Outputs
 

examples/bq-exfil-demo/README.md

@@ -58,23 +58,23 @@ terraform apply
 ## Inputs
 
 | Name | Description | Type | Default | Required |
-|------|-------------|:----:|:-----:|:-----:|
-| billing\_account | Billing Account id. e.g. AAAAAA-BBBBBB-CCCCCC | string | n/a | yes |
-| enabled\_apis | List of APIs to enable on the created projects | list | `<list>` | no |
-| folder\_id | Folder ID within the Organization: e.g. 1234567898765 | string | `""` | no |
-| members | List of members in the standard GCP form: user:{email}, serviceAccount:{email}, group:{email} | list | `<list>` | no |
-| org\_id | Organization ID. e.g. 1234567898765 | string | n/a | yes |
-| perimeter\_name | Name of the VPC SC perimeter | string | `"protect_the_daters"` | no |
-| region | Region where the bastion host will run | string | `"us-west1"` | no |
-| terraform\_service\_account | The Terraform service account email that should still be allowed in the perimeter to create buckets, datasets, etc. | string | n/a | yes |
-| zone | Zone where the bastion host will run | string | `"us-west1-a"` | no |
+|------|-------------|------|---------|:--------:|
+| billing\_account | Billing Account id. e.g. AAAAAA-BBBBBB-CCCCCC | `string` | n/a | yes |
+| enabled\_apis | List of APIs to enable on the created projects | `list` | <pre>[<br>  "iap.googleapis.com",<br>  "oslogin.googleapis.com",<br>  "compute.googleapis.com",<br>  "bigquery.googleapis.com",<br>  "storage-api.googleapis.com"<br>]</pre> | no |
+| folder\_id | Folder ID within the Organization: e.g. 1234567898765 | `string` | `""` | no |
+| members | List of members in the standard GCP form: user:{email}, serviceAccount:{email}, group:{email} | `list` | `[]` | no |
+| org\_id | Organization ID. e.g. 1234567898765 | `string` | n/a | yes |
+| perimeter\_name | Name of the VPC SC perimeter | `string` | `"protect_the_daters"` | no |
+| region | Region where the bastion host will run | `string` | `"us-west1"` | no |
+| terraform\_service\_account | The Terraform service account email that should still be allowed in the perimeter to create buckets, datasets, etc. | `string` | n/a | yes |
+| zone | Zone where the bastion host will run | `string` | `"us-west1-a"` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| source\_project |  |
-| target\_bucket |  |
+| source\_project | n/a |
+| target\_bucket | n/a |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 

examples/bq-exfil-demo/main.tf

@@ -21,10 +21,9 @@
 
 module "bastion" {
   source  = "terraform-google-modules/bastion-host/google"
-  version = "2.1.0"
+  version = "~> 3.0"
 
   project = module.project1.project_id
-  region  = var.region
   zone    = var.zone
   members = var.members
   network = module.vpc.network_self_link
@@ -37,7 +36,7 @@ module "bastion" {
 
 module "vpc" {
   source  = "terraform-google-modules/network/google"
-  version = "~> 2.3.0"
+  version = "~> 3.0"
 
   project_id              = module.project1.project_id
   network_name            = "test-network"

examples/bq-exfil-demo/projects.tf

@@ -16,7 +16,7 @@
 
 module "project1" {
   source  = "terraform-google-modules/project-factory/google"
-  version = "~> 8.0"
+  version = "~> 10.0"
 
   name              = "vpc-sc-demo-project-1"
   random_project_id = true
@@ -28,7 +28,7 @@ module "project1" {
 
 module "project2" {
   source  = "terraform-google-modules/project-factory/google"
-  version = "~> 8.0"
+  version = "~> 10.0"
 
   name              = "vpc-sc-demo-project-2"
   random_project_id = true

examples/onprem_demo/README.md

@@ -77,15 +77,15 @@ When you're done with this demo, delete the service account keys and delete the
 ## Inputs
 
 | Name | Description | Type | Default | Required |
-|------|-------------|:----:|:-----:|:-----:|
-| access\_policy\_name | Name of the access policy | string | n/a | yes |
-| billing\_account\_id | Billing account ID to which the new project should be associated | string | n/a | yes |
-| credentials\_path | Path to the service account .json file | string | n/a | yes |
-| onprem\_project\_id | The ID of the Onprem GCP project that is going to be created | string | n/a | yes |
-| organization\_id | Organization ID, which can be found at `gcloud organizations list` | string | n/a | yes |
-| region | GCP Region (like us-west1, us-central1, etc) | string | `"us-west1"` | no |
-| vpc\_sc\_project\_id | The ID of the VPC Service Control project that is going to be created | string | n/a | yes |
-| vpn\_shared\_secret | Shared secret string for VPN connection | string | n/a | yes |
+|------|-------------|------|---------|:--------:|
+| access\_policy\_name | Name of the access policy | `any` | n/a | yes |
+| billing\_account\_id | Billing account ID to which the new project should be associated | `any` | n/a | yes |
+| credentials\_path | Path to the service account .json file | `any` | n/a | yes |
+| onprem\_project\_id | The ID of the Onprem GCP project that is going to be created | `any` | n/a | yes |
+| organization\_id | Organization ID, which can be found at `gcloud organizations list` | `any` | n/a | yes |
+| region | GCP Region (like us-west1, us-central1, etc) | `string` | `"us-west1"` | no |
+| vpc\_sc\_project\_id | The ID of the VPC Service Control project that is going to be created | `any` | n/a | yes |
+| vpn\_shared\_secret | Shared secret string for VPN connection | `any` | n/a | yes |
 
 ## Outputs
 

examples/onprem_demo/main.tf

@@ -15,7 +15,7 @@
  */
 
 provider "google" {
-  version     = "~> 3.19.0"
+  version     = "~> 3.53.0"
   credentials = "${file("${var.credentials_path}")}"
 }
 

examples/simple_example/README.md

@@ -23,15 +23,15 @@ You may use the following gcloud commands:
 ## Inputs
 
 | Name | Description | Type | Default | Required |
-|------|-------------|:----:|:-----:|:-----:|
-| access\_level\_name | Access level name of the Access Policy. | string | `"terraform_members"` | no |
-| dataset\_id | Unique dataset ID/name that will be created. | string | `"sample_dataset"` | no |
-| members | An allowed list of members (users, service accounts). The signed-in identity originating the request must be a part of one of the provided members. If not specified, a request may come from any user (logged in/not logged in, etc.). Formats: user:{emailid}, serviceAccount:{emailid} | list(string) | n/a | yes |
-| parent\_id | The parent of this AccessPolicy in the Cloud Resource Hierarchy. As of now, only organization are accepted as parent. | string | n/a | yes |
-| perimeter\_name | Perimeter name of the Access Policy.. | string | `"regular_perimeter_1"` | no |
-| policy\_name | The policy's name. | string | n/a | yes |
-| protected\_project\_ids | Project id and number of the project INSIDE the regular service perimeter. This map variable expects an "id" for the project id and "number" key for the project number. | object | n/a | yes |
-| regions | The request must originate from one of the provided countries/regions. Format: A valid ISO 3166-1 alpha-2 code. | list(string) | `<list>` | no |
+|------|-------------|------|---------|:--------:|
+| access\_level\_name | Access level name of the Access Policy. | `string` | `"terraform_members"` | no |
+| dataset\_id | Unique dataset ID/name that will be created. | `string` | `"sample_dataset"` | no |
+| members | An allowed list of members (users, service accounts). The signed-in identity originating the request must be a part of one of the provided members. If not specified, a request may come from any user (logged in/not logged in, etc.). Formats: user:{emailid}, serviceAccount:{emailid} | `list(string)` | n/a | yes |
+| parent\_id | The parent of this AccessPolicy in the Cloud Resource Hierarchy. As of now, only organization are accepted as parent. | `string` | n/a | yes |
+| perimeter\_name | Perimeter name of the Access Policy.. | `string` | `"regular_perimeter_1"` | no |
+| policy\_name | The policy's name. | `string` | n/a | yes |
+| protected\_project\_ids | Project id and number of the project INSIDE the regular service perimeter. This map variable expects an "id" for the project id and "number" key for the project number. | `object({ id = string, number = number })` | n/a | yes |
+| regions | The request must originate from one of the provided countries/regions. Format: A valid ISO 3166-1 alpha-2 code. | `list(string)` | `[]` | no |
 
 ## Outputs
 

examples/simple_example/main.tf

@@ -15,7 +15,7 @@
  */
 
 provider "google" {
-  version = "~> 3.19.0"
+  version = "~> 3.53.0"
 }
 
 module "access_context_manager_policy" {

examples/simple_example_access_level/README.md

@@ -11,16 +11,16 @@ This example illustrates how to use the `vpc-service-controls` module to configu
 ## Inputs
 
 | Name | Description | Type | Default | Required |
-|------|-------------|:----:|:-----:|:-----:|
-| ip\_subnetworks | A list of CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for a CIDR IP address block, the specified IP address portion must be properly truncated (i.e. all the host bits must be zero) or the input is considered malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32" is not. The originating IP of a request must be in one of the listed subnets in order for this Condition to be true. If empty, all IP addresses are allowed. | list(string) | n/a | yes |
-| parent\_id | The parent of this AccessPolicy in the Cloud Resource Hierarchy. As of now, only organization are accepted as parent. | string | n/a | yes |
-| policy\_name | The policy's name. | string | n/a | yes |
-| protected\_project\_id | Project number of the project INSIDE the regular service perimeter. | number | n/a | yes |
+|------|-------------|------|---------|:--------:|
+| ip\_subnetworks | A list of CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for a CIDR IP address block, the specified IP address portion must be properly truncated (i.e. all the host bits must be zero) or the input is considered malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32" is not. The originating IP of a request must be in one of the listed subnets in order for this Condition to be true. If empty, all IP addresses are allowed. | `list(string)` | n/a | yes |
+| parent\_id | The parent of this AccessPolicy in the Cloud Resource Hierarchy. As of now, only organization are accepted as parent. | `string` | n/a | yes |
+| policy\_name | The policy's name. | `string` | n/a | yes |
+| protected\_project\_id | Project number of the project INSIDE the regular service perimeter. | `number` | n/a | yes |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| policy\_name |  |
+| policy\_name | n/a |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/simple_example_access_level/main.tf

@@ -15,7 +15,7 @@
  */
 
 provider "google" {
-  version = "~> 3.19.0"
+  version = "~> 3.53.0"
 }
 
 module "access_context_manager_policy" {

examples/simple_example_access_level_dry_run/README.md

@@ -11,16 +11,16 @@ This example illustrates how to use the `vpc-service-controls` module to configu
 ## Inputs
 
 | Name | Description | Type | Default | Required |
-|------|-------------|:----:|:-----:|:-----:|
-| ip\_subnetworks | A list of CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for a CIDR IP address block, the specified IP address portion must be properly truncated (i.e. all the host bits must be zero) or the input is considered malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32" is not. The originating IP of a request must be in one of the listed subnets in order for this Condition to be true. If empty, all IP addresses are allowed. | list(string) | n/a | yes |
-| parent\_id | The parent of this AccessPolicy in the Cloud Resource Hierarchy. As of now, only organization are accepted as parent. | string | n/a | yes |
-| policy\_name | The policy's name. | string | n/a | yes |
-| protected\_project\_id | Project number of the project INSIDE the regular service perimeter. | number | n/a | yes |
+|------|-------------|------|---------|:--------:|
+| ip\_subnetworks | A list of CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for a CIDR IP address block, the specified IP address portion must be properly truncated (i.e. all the host bits must be zero) or the input is considered malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32" is not. The originating IP of a request must be in one of the listed subnets in order for this Condition to be true. If empty, all IP addresses are allowed. | `list(string)` | n/a | yes |
+| parent\_id | The parent of this AccessPolicy in the Cloud Resource Hierarchy. As of now, only organization are accepted as parent. | `string` | n/a | yes |
+| policy\_name | The policy's name. | `string` | n/a | yes |
+| protected\_project\_id | Project number of the project INSIDE the regular service perimeter. | `number` | n/a | yes |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| policy\_name |  |
+| policy\_name | n/a |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/simple_example_access_level_dry_run/main.tf

@@ -15,7 +15,7 @@
  */
 
 provider "google" {
-  version = "~> 3.19.0" // Dry-run support added in provider version 3.17.0
+  version = "~> 3.53.0" // Dry-run support added in provider version 3.17.0
 }
 
 module "access_context_manager_policy" {

examples/simple_example_bridge/README.md

@@ -18,17 +18,17 @@ You may use the following gcloud commands:
 ## Inputs
 
 | Name | Description | Type | Default | Required |
-|------|-------------|:----:|:-----:|:-----:|
-| parent\_id | The parent of this AccessPolicy in the Cloud Resource Hierarchy. As of now, only organization are accepted as parent. | string | n/a | yes |
-| policy\_name | The policy's name. | string | n/a | yes |
-| protected\_project\_ids | Project id and number of the project INSIDE the regular service perimeter. This map variable expects an "id" for the project id and "number" key for the project number. | object | n/a | yes |
-| public\_project\_ids | Project id and number of the project OUTSIDE of the regular service perimeter. This variable is only necessary for running integration tests. This map variable expects an "id" for the project id and "number" key for the project number. | object | n/a | yes |
+|------|-------------|------|---------|:--------:|
+| parent\_id | The parent of this AccessPolicy in the Cloud Resource Hierarchy. As of now, only organization are accepted as parent. | `string` | n/a | yes |
+| policy\_name | The policy's name. | `string` | n/a | yes |
+| protected\_project\_ids | Project id and number of the project INSIDE the regular service perimeter. This map variable expects an "id" for the project id and "number" key for the project number. | `object({ id = string, number = number })` | n/a | yes |
+| public\_project\_ids | Project id and number of the project OUTSIDE of the regular service perimeter. This variable is only necessary for running integration tests. This map variable expects an "id" for the project id and "number" key for the project number. | `object({ id = string, number = number })` | n/a | yes |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| policy\_name |  |
+| policy\_name | n/a |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->