Merge branch 'master' into diogo-j-n-teixeira/apigee-env-flag
apichick authored Jun 25, 2024
2 parents 7a7f7ed + d70cdf8 commit 94ff402
Showing 113 changed files with 1,073 additions and 277 deletions.
2 changes: 1 addition & 1 deletion README.md
@@ -33,7 +33,7 @@ Currently available modules:
- **process factories** - [project factory](./modules/project-factory/README.md)
- **networking** - [DNS](./modules/dns), [DNS Response Policy](./modules/dns-response-policy/), [Cloud Endpoints](./modules/endpoints), [address reservation](./modules/net-address), [NAT](./modules/net-cloudnat), [VLAN Attachment](./modules/net-vlan-attachment/), [External Application LB](./modules/net-lb-app-ext/), [External Passthrough Network LB](./modules/net-lb-ext), [External Regional Application Load Balancer](./modules/net-lb-app-ext-regional/), [Firewall policy](./modules/net-firewall-policy), [Internal Application LB](./modules/net-lb-app-int), [Cross-region Internal Application LB](./modules/net-lb-app-int-cross-region), [Internal Passthrough Network LB](./modules/net-lb-int), [Internal Proxy Network LB](./modules/net-lb-proxy-int), [IPSec over Interconnect](./modules/net-ipsec-over-interconnect), [VPC](./modules/net-vpc), [VPC firewall](./modules/net-vpc-firewall), [VPC peering](./modules/net-vpc-peering), [VPN dynamic](./modules/net-vpn-dynamic), [HA VPN](./modules/net-vpn-ha), [VPN static](./modules/net-vpn-static), [Service Directory](./modules/service-directory), [Secure Web Proxy](./modules/net-swp)
- **compute** - [VM/VM group](./modules/compute-vm), [MIG](./modules/compute-mig), [COS container](./modules/cloud-config-container/cos-generic-metadata/) (coredns, mysql, onprem, squid), [GKE cluster](./modules/gke-cluster-standard), [GKE hub](./modules/gke-hub), [GKE nodepool](./modules/gke-nodepool), [GCVE private cloud](./modules/gcve-private-cloud)
- **data** - <!-- [AlloyDB instance](./modules/alloydb-instance), --> [Analytics Hub](./modules/analytics-hub), [BigQuery dataset](./modules/bigquery-dataset), [Bigtable instance](./modules/bigtable-instance), [Dataplex](./modules/dataplex), [Dataplex DataScan](./modules/dataplex-datascan/), [Cloud SQL instance](./modules/cloudsql-instance), [Data Catalog Policy Tag](./modules/data-catalog-policy-tag), [Data Catalog Tag](./modules/data-catalog-tag), [Data Catalog Tag Template](./modules/data-catalog-tag-template), [Datafusion](./modules/datafusion), [Dataproc](./modules/dataproc), [GCS](./modules/gcs), [Pub/Sub](./modules/pubsub), [Dataform Repository](./modules/dataform-repository/)
- **data** - <!-- [AlloyDB instance](./modules/alloydb-instance), --> [Analytics Hub](./modules/analytics-hub), [BigQuery dataset](./modules/bigquery-dataset), [Bigtable instance](./modules/bigtable-instance), [Dataplex](./modules/dataplex), [Dataplex DataScan](./modules/dataplex-datascan/), [Cloud SQL instance](./modules/cloudsql-instance), [Spanner instance](./modules/spanner-instance), [Data Catalog Policy Tag](./modules/data-catalog-policy-tag), [Data Catalog Tag](./modules/data-catalog-tag), [Data Catalog Tag Template](./modules/data-catalog-tag-template), [Datafusion](./modules/datafusion), [Dataproc](./modules/dataproc), [GCS](./modules/gcs), [Pub/Sub](./modules/pubsub), [Dataform Repository](./modules/dataform-repository/)
- **development** - [API Gateway](./modules/api-gateway), [Apigee](./modules/apigee), [Artifact Registry](./modules/artifact-registry), [Container Registry](./modules/container-registry), [Cloud Source Repository](./modules/source-repository), [Workstation cluster](./modules/workstation-cluster)
- **security** - [Binauthz](./modules/binauthz/), [KMS](./modules/kms), [SecretManager](./modules/secret-manager), [VPC Service Control](./modules/vpc-sc)
- **serverless** - [Cloud Function v1](./modules/cloud-function-v1), [Cloud Function v2](./modules/cloud-function-v2), [Cloud Run](./modules/cloud-run), [Cloud Run v2](./modules/cloud-run-v2)
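Review bot: the `<!-- [AlloyDB instance](./modules/alloydb-instance), -->` comment is carried over unchanged on the new `data` line even though this same commit touches `modules/alloydb/versions.tf`, so the commented link target (`alloydb-instance`) no longer matches the module directory (`alloydb`); either drop the dead comment or re-enable the entry with the correct path while this line is being edited, rather than keeping a stale hidden link in the module index.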
4 changes: 2 additions & 2 deletions blueprints/gke/patterns/autopilot-cluster/versions.tf
@@ -17,11 +17,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
}
}
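Review bot: nothing in the merge commit message or in this hunk says which provider change requires raising the minimum from 5.32.0 to 5.34.0; the branch name `diogo-j-n-teixeira/apigee-env-flag` hints at a new Apigee attribute, and a one-line rationale in the commit body (or a changelog entry) would let consumers who pin below 5.34.0 understand why the floor moved. The same two-line edit is repeated in every blueprint and module `versions.tf` in this commit, so the review point is the rationale, not the mechanics.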
4 changes: 2 additions & 2 deletions blueprints/gke/patterns/batch/versions.tf
@@ -17,11 +17,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
}
}
4 changes: 2 additions & 2 deletions blueprints/gke/patterns/kafka/versions.tf
@@ -17,11 +17,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
}
}
4 changes: 2 additions & 2 deletions blueprints/gke/patterns/kong-cloudrun/versions.tf
@@ -17,11 +17,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
}
}
4 changes: 2 additions & 2 deletions blueprints/gke/patterns/mysql/versions.tf
@@ -17,11 +17,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
}
}
4 changes: 2 additions & 2 deletions blueprints/gke/patterns/redis-cluster/versions.tf
@@ -17,11 +17,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
}
}
4 changes: 2 additions & 2 deletions default-versions.tf
@@ -17,11 +17,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
}
}
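Review bot: `default-versions.tf` is the copy every module and blueprint `versions.tf` mirrors, so this is the hunk to cite in the commit body for the 5.34.0 bump. With 113 files in the commit it is easy to miss one mirror; a quick `grep -rn '5.32.0' --include=versions.tf .` on the merged tree should come back empty before this lands, otherwise one module will keep accepting a provider that the rest of the repo no longer supports.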
14 changes: 11 additions & 3 deletions fast/stages/0-bootstrap/README.md
@@ -18,7 +18,9 @@ Use the following diagram as a simple high level reference for the following sec
- [Design overview and choices](#design-overview-and-choices)
- [User groups](#user-groups)
- [Organization-level IAM](#organization-level-iam)
- [Organization policies and tag-based conditions](#organization-policies-and-tag-based-conditions)
- [Organization policies](#organization-policies)
- [Security Command Center Enterprise](#security-command-center-enterprise)
- [Tags and Organization Policy conditions](#tags-and-organization-policy-conditions)
- [Automation project and resources](#automation-project-and-resources)
- [Billing account](#billing-account)
- [Organization-level logging](#organization-level-logging)
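Review bot: the two new table-of-contents entries, `Security Command Center Enterprise` and `Tags and Organization Policy conditions`, are added at the same list level as `Organization policies`, but in the body both are `####` subsections under the `###` `Organization policies` heading; indenting them as nested list items would make the ToC reflect the heading hierarchy.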
@@ -70,13 +72,19 @@ One consequence of the above setup is the need to configure IAM bindings that ca

A full reference of IAM roles managed by this stage [is available here](./IAM.md).

### Organization policies and tag-based conditions
### Organization policies

It's often desirable to have organization policies deployed before any other resource in the org, so as to ensure compliance with specific requirements (e.g. location restrictions), or control the configuration of specific resources (e.g. default network at project creation or service account grants).

To cover this use case, organization policies have been moved from the resource management to the bootstrap stage in FAST versions after 26.0.0. They are managed via the usual factory approach, and a [sample set of data files](./data/org-policies/) is included with this stage. They are not applied during the initial run when the `bootstrap_user` variable is set, to work around incompatibilities with user credentials.

The only current exception to the factory approach is the `iam.allowedPolicyMemberDomains` constraint, which is managed in code so as to be able to auto-allow the organization's domain. More domains can be added via the `org_policies_config` variable, which also serves as an umbrella for future policies that will need to be managed in code.
The only current exception to the factory approach is the `iam.allowedPolicyMemberDomains` constraint (DRS), which is managed in code so as to be able to auto-allow the organization's domain. More domains can be added via the `org_policies_config` variable, which also serves as an umbrella for future policies that will need to be managed in code.

#### Security Command Center Enterprise

The DRS policy mentioned above might make it complex to [enable Security Command Center Enterprise](https://cloud.google.com/security-command-center/docs/activate-enterprise-tier#verify_organization_policies). If this is the case, you can temporarily disable it via the Cloud Console, enable SCC Enterprise, then re-enable the policy.

#### Tags and Organization Policy conditions

Organization policy exceptions are managed via a dedicated resource management tag hierarchy, rooted in the `org-policies` tag key. A default condition is already present for the the `iam.allowedPolicyMemberDomains` constraint, that relaxes the policy on resources that have the `org-policies/allowed-policy-member-domains-all` tag value bound or inherited.
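Review bot: the new `(DRS)` abbreviation is used without expansion; spell out "domain restricted sharing" on first use so the SCC Enterprise subsection, which refers back to "the DRS policy", is readable on its own. In that subsection, note that the `iam.allowedPolicyMemberDomains` constraint is managed in code by this stage, so disabling it in the Cloud Console creates drift that the next `apply` will reverse: the guidance should say that SCC Enterprise activation must finish before the stage is applied again, or that the temporary relaxation should be made through the stage's own variables so it is tracked. The unchanged context line below also still carries the pre-existing "the the" typo, which could be fixed while this section is being edited.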

1 change: 1 addition & 0 deletions modules/README.md
@@ -84,6 +84,7 @@ These modules are used in the examples included in this repository. If you are u
- [BigQuery dataset](./bigquery-dataset)
- [Bigtable instance](./bigtable-instance)
- [Cloud SQL instance](./cloudsql-instance)
- [Spanner instance](./spanner-instance)
- [Data Catalog Policy Tag](./data-catalog-policy-tag)
- [Data Catalog Tag](./data-catalog-tag)
- [Data Catalog Tag Template](./data-catalog-tag-template)
@@ -17,11 +17,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
}
}
4 changes: 2 additions & 2 deletions modules/__experimental_deprecated/net-neg/versions.tf
@@ -17,11 +17,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
}
}
@@ -17,11 +17,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
}
}
4 changes: 2 additions & 2 deletions modules/alloydb/versions.tf
@@ -17,11 +17,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
}
}
4 changes: 2 additions & 2 deletions modules/analytics-hub/versions.tf
@@ -17,11 +17,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
}
}
4 changes: 2 additions & 2 deletions modules/api-gateway/versions.tf
@@ -17,11 +17,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
}
}
4 changes: 2 additions & 2 deletions modules/apigee/versions.tf
@@ -17,11 +17,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
}
}
4 changes: 2 additions & 2 deletions modules/artifact-registry/versions.tf
@@ -17,11 +17,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
}
}
4 changes: 2 additions & 2 deletions modules/bigquery-dataset/versions.tf
@@ -17,11 +17,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
}
}
4 changes: 2 additions & 2 deletions modules/bigtable-instance/versions.tf
@@ -17,11 +17,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
}
}
4 changes: 2 additions & 2 deletions modules/billing-account/versions.tf
@@ -17,11 +17,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
}
}
4 changes: 2 additions & 2 deletions modules/binauthz/versions.tf
@@ -17,11 +17,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
}
}
@@ -17,11 +17,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
}
}
@@ -17,11 +17,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
}
}
4 changes: 2 additions & 2 deletions modules/cloud-config-container/bindplane/versions.tf
@@ -17,11 +17,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
}
}
4 changes: 2 additions & 2 deletions modules/cloud-config-container/coredns/versions.tf
@@ -17,11 +17,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
}
}
@@ -17,11 +17,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
}
}
@@ -17,11 +17,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.32.0, < 6.0.0" # tftest
version = ">= 5.34.0, < 6.0.0" # tftest
}
}
}
0 comments on commit 94ff402