Merge branch 'GoogleCloudPlatform:master' into gke-standard-feature-r…

…equest

CHANGELOG.md

@@ -3,7 +3,36 @@
 All notable changes to this project will be documented in this file.
 <!-- markdownlint-disable MD024 -->
 
-## [Unreleased]
+## [Unreleased] <!-- from: 2024-10-30 14:20:58+00:00 to: None since: v35.0.0 -->
+
+### BLUEPRINTS
+
+- [[#2514](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2514)] New SecOps blueprints section and SecOps GKE Forwarder ([simonebruzzechesse](https://github.com/simonebruzzechesse)) <!-- 2024-11-05 13:41:37+00:00 -->
+- [[#2658](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2658)] Update service agents spec ([juliocc](https://github.com/juliocc)) <!-- 2024-11-05 11:10:23+00:00 -->
+- [[#2659](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2659)] Fix Vertex MLOps blueprint  ([wiktorn](https://github.com/wiktorn)) <!-- 2024-11-05 10:22:43+00:00 -->
+- [[#2632](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2632)] Migrate blueprints/data-solutions/vertex-mlops to google_workbench_instance ([wiktorn](https://github.com/wiktorn)) <!-- 2024-11-04 09:34:54+00:00 -->
+- [[#2631](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2631)] fix Vertex-ML-Ops e2e tests ([wiktorn](https://github.com/wiktorn)) <!-- 2024-11-04 09:13:33+00:00 -->
+
+### FAST
+
+- [[#2681](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2681)] Keeping my contributor status :) ([drebes](https://github.com/drebes)) <!-- 2024-11-13 20:28:44+00:00 -->
+- [[#2680](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2680)] Swap groups_iam/iam_group for iam_by_principals in bootstrap README ([robrankin](https://github.com/robrankin)) <!-- 2024-11-13 15:33:41+00:00 -->
+
+### MODULES
+
+- [[#2686](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2686)] Fix gcs & NFS mounts for cloud-run-v2 service ([wiktorn](https://github.com/wiktorn)) <!-- 2024-11-14 12:33:21+00:00 -->
+- [[#2682](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2682)] Add support for service account in pubsub module bigquery subscriptions ([ludoo](https://github.com/ludoo)) <!-- 2024-11-14 11:05:37+00:00 -->
+- [[#2676](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2676)] Fix "inconsistent conditional result types" error in `modules/vpc-sc` ([joelvoss](https://github.com/joelvoss)) <!-- 2024-11-12 09:27:51+00:00 -->
+- [[#2673](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2673)] bump modules/README github tag reference ([kaue](https://github.com/kaue)) <!-- 2024-11-11 18:13:12+00:00 -->
+- [[#2670](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2670)] Fix the location of the GCS and NFS attributes ([wintermi](https://github.com/wintermi)) <!-- 2024-11-11 09:01:16+00:00 -->
+- [[#2669](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2669)] Additional examples for Cloud Run and Cloud SQL ([wiktorn](https://github.com/wiktorn)) <!-- 2024-11-10 06:02:30+00:00 -->
+- [[#2668](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2668)] SWP: remove condition from `addresses` variable and make it null by default ([LucaPrete](https://github.com/LucaPrete)) <!-- 2024-11-09 21:50:47+00:00 -->
+- [[#2666](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2666)] Update SWP ([LucaPrete](https://github.com/LucaPrete)) <!-- 2024-11-09 12:54:13+00:00 -->
+- [[#2657](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2657)] add enable_object_retention argument ([kejti23](https://github.com/kejti23)) <!-- 2024-11-05 16:27:29+00:00 -->
+- [[#2658](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2658)] Update service agents spec ([juliocc](https://github.com/juliocc)) <!-- 2024-11-05 11:10:23+00:00 -->
+- [[#2632](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2632)] Migrate blueprints/data-solutions/vertex-mlops to google_workbench_instance ([wiktorn](https://github.com/wiktorn)) <!-- 2024-11-04 09:34:54+00:00 -->
+- [[#2631](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2631)] fix Vertex-ML-Ops e2e tests ([wiktorn](https://github.com/wiktorn)) <!-- 2024-11-04 09:13:33+00:00 -->
+- [[#2653](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2653)] Add required enabled field introduced in Terraform version 5.41.0 ([jacobmammoliti](https://github.com/jacobmammoliti)) <!-- 2024-11-01 07:01:14+00:00 -->
 
 ## [35.0.0] - 2024-10-30
 <!-- None < 2024-09-05 10:07:19+00:00 -->
@@ -2618,4 +2647,4 @@ All notable changes to this project will be documented in this file.
 [1.3.0]: https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/compare/v1.2.0...v1.3.0
 [1.2.0]: https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/compare/v1.1.0...v1.2.0
 [1.1.0]: https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/compare/v1.0.0...v1.1.0
-[1.0.0]: https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/compare/v0.1...v1.0.0
+[1.0.0]: https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/compare/v0.1...v1.0.0

blueprints/apigee/apigee-x-foundations/README.md

@@ -491,10 +491,15 @@ module "apigee-x-foundations" {
 | [apigee_vpc_id](outputs.tf#L22) | Apigee VPC. |  |  |
 | [apigee_vpc_self_link](outputs.tf#L27) | Apigee VPC. |  |  |
 | [endpoint_attachment_hosts](outputs.tf#L31) | Endpoint attachment hosts. |  |  |
-| [ext_lb_ip_address](outputs.tf#L36) | External IP address. |  |  |
-| [instance_service_attachments](outputs.tf#L41) | Instance service attachments. |  |  |
-| [int_cross_region_lb_ip_addresses](outputs.tf#L46) | Internal IP addresses. |  |  |
-| [int_lb_ip_addresses](outputs.tf#L51) | Internal IP addresses. |  |  |
-| [project](outputs.tf#L56) | Project. |  |  |
-| [project_id](outputs.tf#L61) | Project id. |  |  |
+| [ext_lb](outputs.tf#L36) | External LB. |  |  |
+| [ext_lb_ip_address](outputs.tf#L41) | External IP address. |  |  |
+| [instance_service_attachments](outputs.tf#L46) | Instance service attachments. |  |  |
+| [instances](outputs.tf#L51) | Instances. |  |  |
+| [int_cross_region_lb](outputs.tf#L56) | Internal cross-region LBs. |  |  |
+| [int_cross_region_lb_ip_addresses](outputs.tf#L61) | Internal IP addresses. |  |  |
+| [int_lb_ip_addresses](outputs.tf#L66) | Internal IP addresses. |  |  |
+| [int_lbs](outputs.tf#L71) | Internal LBs. |  |  |
+| [project](outputs.tf#L76) | Project. |  |  |
+| [project_id](outputs.tf#L81) | Project id. |  |  |
+| [psc_negs](outputs.tf#L86) | PSC NEGs. |  |  |
 <!-- END TFDOC -->

blueprints/apigee/apigee-x-foundations/outputs.tf

@@ -33,6 +33,11 @@ output "endpoint_attachment_hosts" {
   value       = module.apigee.endpoint_attachment_hosts
 }
 
+output "ext_lb" {
+  description = "External LB."
+  value       = var.ext_lb_config != null && length(local.ext_instances) > 0 ? module.ext_lb[0] : null
+}
+
 output "ext_lb_ip_address" {
   description = "External IP address."
   value       = var.ext_lb_config != null && length(local.ext_instances) > 0 ? module.ext_lb[0].address : null
@@ -43,6 +48,16 @@ output "instance_service_attachments" {
   value       = { for k, v in module.apigee.instances : k => v.service_attachment }
 }
 
+output "instances" {
+  description = "Instances."
+  value       = module.apigee.instances
+}
+
+output "int_cross_region_lb" {
+  description = "Internal cross-region LBs."
+  value       = var.int_cross_region_lb_config != null && length(local.int_cross_region_instances) > 0 ? module.int_cross_region_lb[0] : null
+}
+
 output "int_cross_region_lb_ip_addresses" {
   description = "Internal IP addresses."
   value       = var.int_cross_region_lb_config != null && length(local.int_cross_region_instances) > 0 ? module.int_cross_region_lb[0].addresses : null
@@ -53,6 +68,11 @@ output "int_lb_ip_addresses" {
   value       = var.int_lb_config != null && length(local.int_instances) > 0 ? { for k, v in module.int_lb : k => v.address } : null
 }
 
+output "int_lbs" {
+  description = "Internal LBs."
+  value       = module.int_lb
+}
+
 output "project" {
   description = "Project."
   value       = module.project
@@ -62,3 +82,8 @@ output "project_id" {
   description = "Project id."
   value       = module.project.project_id
 }
+
+output "psc_negs" {
+  description = "PSC NEGs."
+  value       = google_compute_region_network_endpoint_group.psc_negs
+}

blueprints/gke/patterns/autopilot-cluster/versions.tf

@@ -19,11 +19,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.1.0, < 7.0.0" # tftest
+      version = ">= 6.11.2, < 7.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 6.1.0, < 7.0.0" # tftest
+      version = ">= 6.11.2, < 7.0.0" # tftest
     }
   }
 }

blueprints/gke/patterns/batch/versions.tf

@@ -19,11 +19,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.1.0, < 7.0.0" # tftest
+      version = ">= 6.11.2, < 7.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 6.1.0, < 7.0.0" # tftest
+      version = ">= 6.11.2, < 7.0.0" # tftest
     }
   }
 }

blueprints/gke/patterns/kafka/versions.tf

@@ -19,11 +19,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.1.0, < 7.0.0" # tftest
+      version = ">= 6.11.2, < 7.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 6.1.0, < 7.0.0" # tftest
+      version = ">= 6.11.2, < 7.0.0" # tftest
     }
   }
 }

blueprints/gke/patterns/kong-cloudrun/versions.tf

@@ -19,11 +19,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.1.0, < 7.0.0" # tftest
+      version = ">= 6.11.2, < 7.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 6.1.0, < 7.0.0" # tftest
+      version = ">= 6.11.2, < 7.0.0" # tftest
     }
   }
 }

blueprints/gke/patterns/mysql/versions.tf

@@ -19,11 +19,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.1.0, < 7.0.0" # tftest
+      version = ">= 6.11.2, < 7.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 6.1.0, < 7.0.0" # tftest
+      version = ">= 6.11.2, < 7.0.0" # tftest
     }
   }
 }

blueprints/gke/patterns/redis-cluster/versions.tf

@@ -19,11 +19,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.1.0, < 7.0.0" # tftest
+      version = ">= 6.11.2, < 7.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 6.1.0, < 7.0.0" # tftest
+      version = ">= 6.11.2, < 7.0.0" # tftest
     }
   }
 }

blueprints/secops/secops-gke-forwarder/versions.tf

@@ -19,11 +19,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.1.0, < 7.0.0" # tftest
+      version = ">= 6.11.2, < 7.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 6.1.0, < 7.0.0" # tftest
+      version = ">= 6.11.2, < 7.0.0" # tftest
     }
   }
 }

default-versions.tf

@@ -19,11 +19,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.1.0, < 7.0.0" # tftest
+      version = ">= 6.11.2, < 7.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 6.1.0, < 7.0.0" # tftest
+      version = ">= 6.11.2, < 7.0.0" # tftest
     }
   }
 }

fast/README.md

@@ -14,7 +14,7 @@ Fabric FAST was initially conceived to help enterprises quickly set up a GCP org
 
 FAST uses the concept of stages, which individually perform precise tasks but taken together build a functional, ready-to-use GCP organization. More importantly, stages are modeled around the security boundaries that typically appear in mature organizations. This arrangement allows delegating ownership of each stage to the team responsible for the types of resources it manages. For example, as its name suggests, the networking stage sets up all the networking elements and is usually the responsibility of a dedicated networking team within the organization.
 
-From the perspective of FAST's overall design, stages also work as contacts or interfaces, defining a set of pre-requisites and inputs required to perform their designed task and generating outputs needed by other stages lower in the chain. The diagram below shows the relationships between stages.
+From the perspective of FAST's overall design, stages also work as contracts or interfaces, defining a set of pre-requisites and inputs required to perform their designed task and generating outputs needed by other stages lower in the chain. The diagram below shows the relationships between stages.
 
 <p align="center">
   <img src="stages.svg" alt="Stages diagram">

fast/stages/0-bootstrap/README.md

@@ -468,10 +468,10 @@ One other area where we directly support customizations is IAM. The code here, a
 
 In code, the distinction above reflects on how IAM bindings are specified in the underlying module variables:
 
-- group roles "for humans" always use `iam_groups` variables
+- group roles "for humans" always use `iam_by_principals` variables
 - service account roles always use `iam` variables
 
-This makes it easy to tweak user roles by adding mappings to the `iam_groups` variables of the relevant resources, without having to understand and deal with the details of service account roles.
+This makes it easy to tweak user roles by adding mappings to the `iam_by_principals` variables of the relevant resources, without having to understand and deal with the details of service account roles.
 
 One more critical difference in IAM bindings is between authoritative and additive:
 
@@ -482,7 +482,7 @@ This stage groups all IAM definitions in the [organization-iam.tf](./organizatio
 
 When customizations are needed, three stage-level variables allow injecting additional bindings to match the desired setup:
 
-- `group_iam` allows adding authoritative bindings for groups
+- `iam_by_principals` allows adding authoritative bindings for groups
 - `iam` allows adding authoritative bindings for any type of supported principal, and is merged with the internal `iam` local and then with group bindings at the module level
 - `iam_bindings_additive` allows adding individual role/member pairs, and also supports IAM conditions
 

fast/stages/2-project-factory/README.md

@@ -353,5 +353,5 @@ The approach is not shown here but reasonably easy to implement. The main projec
 | name | description | sensitive | consumers |
 |---|---|:---:|---|
 | [projects](outputs.tf#L17) | Created projects. |  |  |
-| [service_accounts](outputs.tf#L27) | Created service accounts. |  |  |
+| [service_accounts](outputs.tf#L22) | Created service accounts. |  |  |
 <!-- END TFDOC -->

fast/stages/2-project-factory/outputs.tf

@@ -16,12 +16,7 @@
 
 output "projects" {
   description = "Created projects."
-  value = {
-    for k, v in module.projects.projects : k => {
-      number     = v.number
-      project_id = v.id
-    }
-  }
+  value       = module.projects.projects
 }
 
 output "service_accounts" {

modules/__experimental_deprecated/alloydb-instance/versions.tf

@@ -19,11 +19,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.1.0, < 7.0.0" # tftest
+      version = ">= 6.11.2, < 7.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 6.1.0, < 7.0.0" # tftest
+      version = ">= 6.11.2, < 7.0.0" # tftest
     }
   }
 }

modules/__experimental_deprecated/net-neg/versions.tf

@@ -19,11 +19,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.1.0, < 7.0.0" # tftest
+      version = ">= 6.11.2, < 7.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 6.1.0, < 7.0.0" # tftest
+      version = ">= 6.11.2, < 7.0.0" # tftest
     }
   }
 }

modules/__experimental_deprecated/project-iam-magic/versions.tf

@@ -19,11 +19,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.1.0, < 7.0.0" # tftest
+      version = ">= 6.11.2, < 7.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 6.1.0, < 7.0.0" # tftest
+      version = ">= 6.11.2, < 7.0.0" # tftest
     }
   }
 }

modules/alloydb/main.tf

@@ -302,14 +302,6 @@ resource "google_alloydb_cluster" "secondary" {
     }
   }
 
-  dynamic "initial_user" {
-    for_each = var.initial_user != null ? [""] : []
-    content {
-      user     = var.initial_user.user
-      password = var.initial_user.password
-    }
-  }
-
   dynamic "maintenance_update_policy" {
     for_each = var.maintenance_config.enabled ? [""] : []
     content {

modules/alloydb/versions.tf

@@ -19,11 +19,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.1.0, < 7.0.0" # tftest
+      version = ">= 6.11.2, < 7.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 6.1.0, < 7.0.0" # tftest
+      version = ">= 6.11.2, < 7.0.0" # tftest
     }
   }
 }

modules/analytics-hub/versions.tf

@@ -19,11 +19,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.1.0, < 7.0.0" # tftest
+      version = ">= 6.11.2, < 7.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 6.1.0, < 7.0.0" # tftest
+      version = ">= 6.11.2, < 7.0.0" # tftest
     }
   }
 }

modules/api-gateway/versions.tf

@@ -19,11 +19,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.1.0, < 7.0.0" # tftest
+      version = ">= 6.11.2, < 7.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 6.1.0, < 7.0.0" # tftest
+      version = ">= 6.11.2, < 7.0.0" # tftest
     }
   }
 }

modules/apigee/versions.tf

@@ -19,11 +19,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.1.0, < 7.0.0" # tftest
+      version = ">= 6.11.2, < 7.0.0" # tftest
     }
     google-beta = {
       source  = "hashicorp/google-beta"
-      version = ">= 6.1.0, < 7.0.0" # tftest
+      version = ">= 6.11.2, < 7.0.0" # tftest
     }
   }
 }