Merge branch 'GoogleCloudPlatform:main' into main
KiyotakaMatsushita authored Nov 11, 2024
2 parents 358afa1 + 41d4e55 commit a685f17
Showing 44 changed files with 249 additions and 97 deletions.
2 changes: 1 addition & 1 deletion build/int.cloudbuild.yaml
Expand Up @@ -104,7 +104,7 @@ steps:
args: ['/bin/bash', '-c', 'cft test run TestSimpleJobExec --stage teardown --verbose']
- id: v2-init
waitFor:
- destroy cloud-run-with-cmek
- simple-job-exec-teardown
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
args: ['/bin/bash', '-c', 'cft test run TestV2 --stage init --verbose']
- id: v2-apply
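Review bot: `v2-init` now waits only on `simple-job-exec-teardown` and no longer on `destroy cloud-run-with-cmek`. Unless the job-exec stage itself waits on the CMEK destroy, the v2 tests can start while the CMEK example is still being torn down and contend for the same project quota and service identities; confirm the chain is still strictly sequential, or keep both entries under `waitFor`.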
67 changes: 67 additions & 0 deletions docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md
@@ -0,0 +1,67 @@
# Upgrading to cloud-run v2 v0.14.0 from v0.13.0

The cloud-run/v2 release v0.14.0 is backward incompatible.

## Google Cloud Provider deletion_policy

Terraform Google Provider 6.0.0 [added a new field](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/version_6_upgrade) to prevent deletion of some resources.

### Projects

The `deletion_policy` for projects now defaults to `"PREVENT"` rather than `"DELETE"`.
This aligns with the behavior in Google Cloud Platform Provider v6+.
To maintain the old behavior set `project_deletion_policy = "DELETE"` in the modules [service-project-factory](../modules/service-project-factory/) and [secure-serverless-harness](../modules/secure-serverless-harness/README.md)

```diff
module "secure-serverless-harness" {
- version = "~> 0.13.0"
+ version = "~> 0.14.0"

+ project_deletion_policy = "DELETE"
}
```

### Folder

The `deletion_protection` for folders was added and defaults to `true`.
This aligns with the behavior in Google Cloud Platform Provider v6+.
To maintain the old behavior set `folder_deletion_protection = false` in the module [secure-serverless-harness](../modules/secure-serverless-harness/README.md).

```diff
module "secure-serverless-harness" {
- version = "~> 0.13.0"
+ version = "~> 0.14.0"

+ folder_deletion_protection = false
}
```

### Cloud Run v2 Job

The `deletion_protection` for Cloud Run v2 Jobs was added and defaults to `true`.
This aligns with the behavior in Google Cloud Platform Provider v6+.
To maintain the old behavior set `cloud_run_deletion_protection = false` in the module [job-exec](../modules/job-exec/README.md).

```diff
module "job-exec" {
- version = "~> 0.13.0"
+ version = "~> 0.14.0"

+ cloud_run_deletion_protection = false
}
```

### Cloud Run v2 Service

The `deletion_protection` for Cloud Run v2 Services was added and defaults to `true`.
This aligns with the behavior in Google Cloud Platform Provider v6+.
To maintain the old behavior set `cloud_run_deletion_protection = false` in the module [v2](../modules/v2/README.md).

```diff
module "v2" {
- version = "~> 0.13.0"
+ version = "~> 0.14.0"

+ cloud_run_deletion_protection = false
}
```
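Review bot: the Projects section links both service-project-factory and secure-serverless-harness but only shows the harness diff; add the matching snippet for service-project-factory (or drop that link) so readers of that module know where `project_deletion_policy` goes, and the sentence before the first diff is missing its full stop. It is also worth stating that `"DELETE"` and `false` are values for throwaway CI environments: the provider 6 defaults exist so that `terraform destroy` or a forced replacement fails instead of deleting a project, folder or Cloud Run resource, and production callers should keep them.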
2 changes: 1 addition & 1 deletion examples/cloud_run_vpc_connector/main.tf
Expand Up @@ -24,7 +24,7 @@ module "service_account" {

module "cloud_run" {
source = "GoogleCloudPlatform/cloud-run/google"
version = "~> 0.12"
version = "~> 0.13"

service_name = "ci-cloud-run-sc"
project_id = var.project_id
2 changes: 1 addition & 1 deletion examples/secure_cloud_run/main.tf
Expand Up @@ -22,7 +22,7 @@ locals {

module "secure_cloud_run" {
source = "GoogleCloudPlatform/cloud-run/google//modules/secure-cloud-run"
version = "~> 0.12"
version = "~> 0.13"

connector_name = "con-run"
subnet_name = "vpc-subnet"
6 changes: 4 additions & 2 deletions examples/secure_cloud_run_standalone/main.tf
Expand Up @@ -28,7 +28,7 @@ resource "random_id" "random_folder_suffix" {

module "secure_harness" {
source = "GoogleCloudPlatform/cloud-run/google//modules/secure-serverless-harness"
version = "~> 0.12"
version = "~> 0.14"

billing_account = var.billing_account
security_project_name = "prj-kms-secure-cloud-run"
Expand All @@ -51,6 +51,8 @@ module "secure_harness" {
egress_policies = var.egress_policies
ingress_policies = var.ingress_policies
base_serverless_api = "run.googleapis.com"
project_deletion_policy = "DELETE"
folder_deletion_protection = false
}

resource "null_resource" "copy_image" {
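Review bot: `project_deletion_policy = "DELETE"` and `folder_deletion_protection = false` are hard-coded here, while examples/simple_job_exec and examples/v2 expose the equivalent setting as a variable defaulting to `true`. Anyone copying this example as-is gets a harness whose project and folder can be removed by a plain `terraform destroy`; consider `var.project_deletion_policy` / `var.folder_deletion_protection` with the protective defaults, as the other examples in this commit do.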
Expand All @@ -65,7 +67,7 @@ resource "null_resource" "copy_image" {

module "secure_cloud_run" {
source = "GoogleCloudPlatform/cloud-run/google//modules/secure-cloud-run"
version = "~> 0.12"
version = "~> 0.13"

location = local.location
region = local.region
2 changes: 1 addition & 1 deletion examples/simple_cloud_run/main.tf
Expand Up @@ -24,7 +24,7 @@ module "service_account" {

module "cloud_run" {
source = "GoogleCloudPlatform/cloud-run/google"
version = "~> 0.12"
version = "~> 0.13"

service_name = "ci-cloud-run"
project_id = var.project_id
4 changes: 2 additions & 2 deletions examples/simple_cloud_run_with_cmek/main.tf
Expand Up @@ -28,7 +28,7 @@ module "service_account" {

module "kms" {
source = "terraform-google-modules/kms/google"
version = "~> 2.1"
version = "~> 3.0"

project_id = var.project_id
location = "us-central1"
Expand All @@ -53,7 +53,7 @@ resource "google_project_service_identity" "serverless_sa" {

module "cloud_run" {
source = "GoogleCloudPlatform/cloud-run/google"
version = "~> 0.12"
version = "~> 0.13"

service_name = "ci-cloud-run"
project_id = var.project_id
4 changes: 3 additions & 1 deletion examples/simple_job_exec/main.tf
Expand Up @@ -16,11 +16,13 @@

module "job" {
source = "GoogleCloudPlatform/cloud-run/google//modules/job-exec"
version = "~> 0.12"
version = "~> 0.14"

project_id = var.project_id
name = "simple-job"
location = "us-central1"
image = "us-docker.pkg.dev/cloudrun/container/job"
exec = true

cloud_run_deletion_protection = var.cloud_run_deletion_protection
}
6 changes: 6 additions & 0 deletions examples/simple_job_exec/variables.tf
Expand Up @@ -18,3 +18,9 @@ variable "project_id" {
description = "The project ID to deploy to"
type = string
}

variable "cloud_run_deletion_protection" {
type = bool
description = "This field prevents Terraform from destroying or recreating the Cloud Run v2 Jobs and Services"
default = true
}
1 change: 1 addition & 0 deletions examples/v2/README.md
Expand Up @@ -18,6 +18,7 @@ This example assumes that below mentioned prerequisites are in place before cons

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| cloud\_run\_deletion\_protection | This field prevents Terraform from destroying or recreating the Cloud Run v2 Jobs and Services | `bool` | `true` | no |
| project\_id | The project ID to deploy to | `string` | n/a | yes |

## Outputs
5 changes: 4 additions & 1 deletion examples/v2/main.tf
Expand Up @@ -16,11 +16,14 @@

module "cloud_run_v2" {
source = "GoogleCloudPlatform/cloud-run/google//modules/v2"
version = "~> 0.12"
version = "~> 0.14"

service_name = "ci-cloud-run-v2"
project_id = var.project_id
location = "us-central1"

cloud_run_deletion_protection = var.cloud_run_deletion_protection

containers = [
{
container_image = "us-docker.pkg.dev/cloudrun/container/hello"
6 changes: 6 additions & 0 deletions examples/v2/variables.tf
Expand Up @@ -18,3 +18,9 @@ variable "project_id" {
description = "The project ID to deploy to"
type = string
}

variable "cloud_run_deletion_protection" {
type = bool
description = "This field prevents Terraform from destroying or recreating the Cloud Run v2 Jobs and Services"
default = true
}
4 changes: 2 additions & 2 deletions metadata.yaml
Expand Up @@ -336,6 +336,6 @@ spec:
- cloudbilling.googleapis.com
providerVersions:
- source: hashicorp/google
version: < 6
version: < 7
- source: hashicorp/google-beta
version: < 6
version: < 7
1 change: 1 addition & 0 deletions modules/job-exec/README.md
Expand Up @@ -36,6 +36,7 @@ Functional examples are included in the
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| argument | Arguments passed to the ENTRYPOINT command, include these only if image entrypoint needs arguments | `list(string)` | `[]` | no |
| cloud\_run\_deletion\_protection | This field prevents Terraform from destroying or recreating the Cloud Run v2 Jobs and Services | `bool` | `true` | no |
| container\_command | Leave blank to use the ENTRYPOINT command defined in the container image, include these only if image entrypoint should be overwritten | `list(string)` | `[]` | no |
| env\_secret\_vars | Environment variables (Secret Manager) | <pre>list(object({<br> name = string<br> value_source = set(object({<br> secret_key_ref = object({<br> secret = string<br> version = optional(string, "latest")<br> })<br> }))<br> }))</pre> | `[]` | no |
| env\_vars | Environment variables (cleartext) | <pre>list(object({<br> value = string<br> name = string<br> }))</pre> | `[]` | no |
2 changes: 2 additions & 0 deletions modules/job-exec/main.tf
Expand Up @@ -21,6 +21,8 @@ resource "google_cloud_run_v2_job" "job" {
launch_stage = var.launch_stage
labels = var.labels

deletion_protection = var.cloud_run_deletion_protection

template {
labels = var.labels
parallelism = var.parallelism
6 changes: 6 additions & 0 deletions modules/job-exec/variables.tf
Expand Up @@ -158,3 +158,9 @@ variable "timeout" {
error_message = "The value must be a duration in seconds with up to nine fractional digits, ending with 's'. Example: \"3.5s\"."
}
}

variable "cloud_run_deletion_protection" {
type = bool
description = "This field prevents Terraform from destroying or recreating the Cloud Run v2 Jobs and Services"
default = true
}
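Review bot: the description says "Cloud Run v2 Jobs and Services", but this module manages only a `google_cloud_run_v2_job`; say "Job" here (the same wording is copied into modules/job-exec/README.md) so the generated docs do not imply a Service is created.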
2 changes: 1 addition & 1 deletion modules/job-exec/versions.tf
Expand Up @@ -24,7 +24,7 @@ terraform {
}
google = {
source = "hashicorp/google"
version = "< 6"
version = "< 7"
}
}
provider_meta "google" {
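Review bot: raising the ceiling to `< 7` without a floor still admits hashicorp/google 5.x, where `google_cloud_run_v2_job` has no `deletion_protection` argument, so the `deletion_protection = var.cloud_run_deletion_protection` line added to main.tf would fail validation on an older provider. Suggest `version = ">= 6, < 7"` here, and the same wherever that argument is used.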
5 changes: 3 additions & 2 deletions modules/secure-cloud-run-core/loadbalancer.tf
Expand Up @@ -19,8 +19,9 @@ locals {
}

module "lb-http" {
source = "GoogleCloudPlatform/lb-http/google//modules/serverless_negs"
version = "~> 11.0"
source = "GoogleCloudPlatform/lb-http/google//modules/serverless_negs"
version = "~> 12.0"

name = var.lb_name
project = var.project_id
ssl = true
4 changes: 2 additions & 2 deletions modules/secure-cloud-run-core/versions.tf
Expand Up @@ -20,11 +20,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = "< 6"
version = "< 7"
}
google-beta = {
source = "hashicorp/google-beta"
version = "< 6"
version = "< 7"
}
random = {
source = "hashicorp/random"
2 changes: 1 addition & 1 deletion modules/secure-cloud-run-security/kms.tf
Expand Up @@ -16,7 +16,7 @@

module "cloud_run_kms" {
source = "terraform-google-modules/kms/google"
version = "~> 2.1"
version = "~> 3.0"

project_id = var.kms_project_id
location = var.location
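Review bot: `terraform-google-modules/kms/google` moves across a major version (2.1 to 3.0) in the module that provisions the CMEK keys behind Cloud Run. Before merging, run a plan against an existing deployment and check that no `google_kms_crypto_key` is shown as replaced: a replaced key leaves data already encrypted under it undecryptable, which is exactly what the harness's `prevent_destroy` input (default `true`) is meant to guard against.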
4 changes: 2 additions & 2 deletions modules/secure-cloud-run-security/versions.tf
Expand Up @@ -20,11 +20,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = "< 6"
version = "< 7"
}
google-beta = {
source = "hashicorp/google-beta"
version = "< 6"
version = "< 7"
}
}

4 changes: 2 additions & 2 deletions modules/secure-cloud-run/main.tf
Expand Up @@ -16,7 +16,7 @@

module "serverless_project_apis" {
source = "terraform-google-modules/project-factory/google//modules/project_services"
version = "~> 15.0"
version = "~> 17.0"

project_id = var.serverless_project_id
disable_services_on_destroy = false
Expand All @@ -32,7 +32,7 @@ module "serverless_project_apis" {

module "vpc_project_apis" {
source = "terraform-google-modules/project-factory/google//modules/project_services"
version = "~> 15.0"
version = "~> 17.0"

project_id = var.vpc_project_id
disable_services_on_destroy = false
4 changes: 2 additions & 2 deletions modules/secure-cloud-run/versions.tf
Expand Up @@ -20,11 +20,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = "< 6"
version = "< 7"
}
google-beta = {
source = "hashicorp/google-beta"
version = "< 6"
version = "< 7"
}
}

2 changes: 2 additions & 0 deletions modules/secure-serverless-harness/README.md
Expand Up @@ -63,6 +63,7 @@ module "secure_cloud_run_harness" {
| dns\_enable\_logging | Toggle DNS logging for VPC DNS. | `bool` | `true` | no |
| egress\_policies | A list of all [egress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference), each list object has a `from` and `to` value that describes egress\_from and egress\_to.<br><br>Example: `[{ from={ identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`<br><br>Valid Values:<br>`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow identities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`<br>`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)<br>`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions). | <pre>list(object({<br> from = any<br> to = any<br> }))</pre> | `[]` | no |
| encrypters | List of comma-separated owners for each key declared in set\_encrypters\_for. | `list(string)` | `[]` | no |
| folder\_deletion\_protection | Prevent Terraform from destroying or recreating the folder. | `string` | `true` | no |
| ingress\_policies | A list of all [ingress policies](https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference), each list object has a `from` and `to` value that describes ingress\_from and ingress\_to.<br><br>Example: `[{ from={ sources={ resources=[], access_levels=[] }, identities=[], identity_type="ID_TYPE" }, to={ resources=[], operations={ "SRV_NAME"={ OP_TYPE=[] }}}}]`<br><br>Valid Values:<br>`ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow identities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT`<br>`SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products)<br>`OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions). | <pre>list(object({<br> from = any<br> to = any<br> }))</pre> | `[]` | no |
| key\_name | Key name. | `string` | n/a | yes |
| key\_protection\_level | The protection level to use when creating a version based on this template. Possible values: ["SOFTWARE", "HSM"]. | `string` | `"HSM"` | no |
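Review bot: `folder_deletion_protection` is typed `string` here although its default is `true` and the upgrade doc tells users to set it to `false`; declare it as `bool` so that a mistyped value is rejected at plan time instead of being passed through to the provider, and so the README matches the boolean described in docs/upgrading_to_cloud_run_v2_v0.14.0_from_v0.13.0.md.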
Expand All @@ -76,6 +77,7 @@ module "secure_cloud_run_harness" {
| parent\_folder\_id | The ID of a folder to host the infrastructure created in this module. | `string` | `""` | no |
| prevent\_destroy | Set the prevent\_destroy lifecycle attribute on keys. | `bool` | `true` | no |
| private\_service\_connect\_ip | The internal IP to be used for the private service connect. | `string` | n/a | yes |
| project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no |
| region | The region in which the subnetwork will be created. | `string` | n/a | yes |
| security\_project\_extra\_apis | The extra APIs to be enabled during security project creation. | `list(string)` | `[]` | no |
| security\_project\_name | The name to give the security project. | `string` | n/a | yes |