Merge branch 'master' into wiktorn-dataproc-fixes

.github/actions/fabric-tests/action.yml

@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -28,13 +28,13 @@ runs:
         echo '{"type": "service_account", "project_id": "test-only"}' \
           | tee -a $GOOGLE_APPLICATION_CREDENTIALS
     - name: Set up Python
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v5
       with:
         python-version: ${{ inputs.PYTHON_VERSION }}
         cache: 'pip'
         cache-dependency-path: 'tests/requirements.txt'
     - name: Set up Terraform
-      uses: hashicorp/setup-terraform@v2
+      uses: hashicorp/setup-terraform@v3
       with:
         terraform_version: ${{ inputs.TERRAFORM_VERSION }}
         terraform_wrapper: false
@@ -47,12 +47,12 @@ runs:
           | tee -a /home/runner/.terraformrc
         mkdir -p ${{ env.TF_PLUGIN_CACHE_DIR }}
     - name: Download lockfile
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@v4
       with:
         name: lockfile
         path: tools/lockfile
     - name: Download Terraform provider cache
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: ${{ env.TF_PLUGIN_CACHE_DIR }}
         key: ${{ runner.os }}-terraform-${{ hashFiles('tools/lockfile/.terraform.lock.hcl') }}

.github/actions/post-fabric-tests/action.yml

@@ -0,0 +1,33 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: post-fabric-tests
+description: Create test reports
+inputs:
+  MODULE:
+    required: true
+runs:
+  using: composite
+  steps:
+    - name: Reformat test-results.xml
+      shell: bash
+      run: |
+        sed -e 's/\\n/\n/g' test-results-raw.xml > test-results.xml
+
+    - name: Test report
+      uses: pmeier/pytest-results-action@035bda205f160abee0b277db11ac6ca01175ca7d # v0.6.0
+      with:
+        path: test-results.xml
+        title: ${{ inputs.MODULE }} Test report
+

.github/workflows/daily-tag.yml

@@ -28,7 +28,7 @@ jobs:
     name: "Create tag on master if there was activity in last 24 hours"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: "Check changes and tag"
         run: |

.github/workflows/linting.yml

@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -22,17 +22,17 @@ jobs:
   linting:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: "3.10"
           cache: 'pip'
           cache-dependency-path: 'tools/requirements.txt'
 
       - name: Set up Terraform
-        uses: hashicorp/setup-terraform@v2
+        uses: hashicorp/setup-terraform@v3
         with:
           terraform_version: 1.7.4
 

.github/workflows/release.yml

@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -34,31 +34,14 @@ jobs:
     name: "Release new version"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: "Validate input"
         run: |
           [[ "${{ github.event.inputs.changelog }}" != "true" ]] && { echo 'You didn''t update the changelog.' ; exit 1; }
           [[ -n "${{ github.event.inputs.version }}" ]] || { echo 'Version not specified!'; exit 1; }
           [[ "${{ github.event.inputs.version }}" != v* ]] && { echo 'Version does not start with v!' ; exit 1; }
 
-      - uses: actions/setup-go@v3
-        with:
-          go-version: "1.16"
-
-      - name: "Update all module names"
-        run: |
-          cd tools/tfeditor
-          go build .
-          ./tfeditor -path ../.. -module-name "google-pso-tool/cloud-foundation-fabric/{{ .Module }}/${{ github.event.inputs.version }}"
-          cd ../..
-
-          git config --global user.name "Release Automation"
-          git config --global user.email "[email protected]"
-
-          git commit -a -m "Release version ${{ github.event.inputs.version }}"
-          git push origin master
-
       - name: "Tag and release"
         run: |
           git tag ${{ github.event.inputs.version }}

.github/workflows/tests.yml

@@ -1,4 +1,4 @@
-# Copyright 2023 Google LLC
+# Copyright 2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -32,9 +32,9 @@ jobs:
   setup-tf-providers:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
-      - uses: hashicorp/setup-terraform@v2
+      - uses: hashicorp/setup-terraform@v3
         with:
           terraform_version: ${{ env.TF_VERSION }}
           terraform_wrapper: false
@@ -51,23 +51,24 @@ jobs:
           terraform init -upgrade=true
 
       - name: Upload Terraform provider cache
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ${{ env.TF_PLUGIN_CACHE_DIR }}
           key: ${{ runner.os }}-terraform-${{ hashFiles('tools/lockfile/.terraform.lock.hcl') }}
 
       - name: Upload lockfile
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: lockfile
           path: tools/lockfile/.terraform.lock.hcl
+          overwrite: true
 
 
   examples-blueprints:
     runs-on: ubuntu-latest
     needs: setup-tf-providers
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Call composite action fabric-tests
         uses: ./.github/actions/fabric-tests
@@ -76,13 +77,19 @@ jobs:
           TERRAFORM_VERSION: ${{ env.TF_VERSION }}
 
       - name: Run tests on documentation examples
-        run: pytest -vv -n4 --tb=line -k blueprints/ tests/examples
+        run: pytest -vv -n4 --tb=line --junit-xml=test-results-raw.xml -k blueprints/ tests/examples
+
+      - name: Create report
+        uses: ./.github/actions/post-fabric-tests
+        if: always()
+        with:
+          MODULE: Blueprint Examples
 
   examples-modules:
     runs-on: ubuntu-latest
     needs: setup-tf-providers
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Call composite action fabric-tests
         uses: ./.github/actions/fabric-tests
@@ -91,13 +98,19 @@ jobs:
           TERRAFORM_VERSION: ${{ env.TF_VERSION }}
 
       - name: Run tests on documentation examples
-        run: pytest -vv -n4 --tb=line -k modules/ tests/examples
+        run: pytest -vv -n4 --tb=line --junit-xml=test-results-raw.xml -k modules/ tests/examples
+
+      - name: Create report
+        uses: ./.github/actions/post-fabric-tests
+        if: always()
+        with:
+          MODULE: Module Examples
 
   blueprints:
     runs-on: ubuntu-latest
     needs: setup-tf-providers
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Call composite action fabric-tests
         uses: ./.github/actions/fabric-tests
@@ -106,13 +119,19 @@ jobs:
           TERRAFORM_VERSION: ${{ env.TF_VERSION }}
 
       - name: Run tests environments
-        run: pytest -vv -n4 --tb=line tests/blueprints
+        run: pytest -vv -n4 --tb=line --junit-xml=test-results-raw.xml tests/blueprints
+
+      - name: Create report
+        uses: ./.github/actions/post-fabric-tests
+        if: always()
+        with:
+          MODULE: Blueprints
 
   modules:
     runs-on: ubuntu-latest
     needs: setup-tf-providers
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Call composite action fabric-tests
         uses: ./.github/actions/fabric-tests
@@ -121,13 +140,19 @@ jobs:
           TERRAFORM_VERSION: ${{ env.TF_VERSION }}
 
       - name: Run tests modules
-        run: pytest -vv -n4 --tb=line tests/modules
+        run: pytest -vv -n4 --tb=line --junit-xml=test-results-raw.xml tests/modules
+
+      - name: Create report
+        uses: ./.github/actions/post-fabric-tests
+        if: always()
+        with:
+          MODULE: Modules
 
   fast:
     runs-on: ubuntu-latest
     needs: setup-tf-providers
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Call composite action fabric-tests
         uses: ./.github/actions/fabric-tests
@@ -136,4 +161,10 @@ jobs:
           TERRAFORM_VERSION: ${{ env.TF_VERSION }}
 
       - name: Run tests on FAST stages
-        run: pytest -vv -n4 --tb=line tests/fast
+        run: pytest -vv -n4 --tb=line --junit-xml=test-results-raw.xml tests/fast
+
+      - name: Create report
+        uses: ./.github/actions/post-fabric-tests
+        if: always()
+        with:
+          MODULE: FAST

blueprints/cloud-operations/README.md

@@ -66,7 +66,7 @@ This [blueprint](./onprem-sa-key-management) shows how to manage IAM Service Acc
 
 ## Workload identity federation with Terraform Cloud workflows
 
-<a href="./terraform-cloud-dynamic-credentials" title="Workload identity federation with Terraform Cloud/Enterprise workflows"><img src="./terraform-cloud-dynamic-credentials/diagram.png" align="left" width="280px"></a> This [blueprint](./terraform-cloud-dynamic-credentials) shows how to configure [Wokload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation) between [Terraform Cloud/Enterprise](https://developer.hashicorp.com/terraform/enterprise) instance and Google Cloud.
+<a href="./terraform-cloud-dynamic-credentials" title="Workload identity federation with Terraform Cloud/Enterprise workflows"><img src="./terraform-cloud-dynamic-credentials/diagram.png" align="left" width="280px"></a> This [blueprint](./terraform-cloud-dynamic-credentials) shows how to configure [Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation) between [Terraform Cloud/Enterprise](https://developer.hashicorp.com/terraform/enterprise) instance and Google Cloud.
 
 <br clear="left">
 
@@ -78,7 +78,7 @@ This [blueprint](./onprem-sa-key-management) shows how to manage IAM Service Acc
 
 ## Migrate for Compute Engine (v5)
 
-<a href="./vm-migration" title="Packer image builder"><img src="./vm-migration/host-target-projects/diagram.png" align="left" width="280px"></a> This set of [blueprints](./vm-migration) shows how to deploy Migrate for Compute Engine (v5) on top of existing Cloud Foundations on different scenarios. An blueprint on how to deploy the M4CE connector on VMWare ESXi is also part of the blueprints.
+<a href="./vm-migration" title="Packer image builder"><img src="./vm-migration/host-target-projects/diagram.png" align="left" width="280px"></a> This set of [blueprints](./vm-migration) shows how to deploy Migrate for Compute Engine (v5) on top of existing Cloud Foundations on different scenarios. A blueprint on how to deploy the M4CE connector on VMWare ESXi is also part of the blueprints.
 
 <br clear="left">
 

modules/net-ipsec-over-interconnect/README.md

@@ -64,6 +64,11 @@ module "vpngw-a" {
       bgp_peer = {
         address = "169.254.1.2"
         asn     = 64514
+        # MD5 Authentication is optional
+        md5_authentication_key = {
+          name = "foo"
+          key  = "bar"
+        }
       }
       bgp_session_range     = "169.254.1.1/30"
       shared_secret         = "foobar"
@@ -112,7 +117,7 @@ module "vpngw-a" {
 | [project_id](variables.tf#L54) | The project id. | <code>string</code> | ✓ |  |
 | [region](variables.tf#L59) | GCP Region. | <code>string</code> | ✓ |  |
 | [router_config](variables.tf#L64) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | <code title="object&#40;&#123;&#10;  create    &#61; optional&#40;bool, true&#41;&#10;  asn       &#61; optional&#40;number&#41;&#10;  name      &#61; optional&#40;string&#41;&#10;  keepalive &#61; optional&#40;number&#41;&#10;  custom_advertise &#61; optional&#40;object&#40;&#123;&#10;    all_subnets &#61; bool&#10;    ip_ranges   &#61; map&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
-| [tunnels](variables.tf#L79) | VPN tunnel configurations. | <code title="map&#40;object&#40;&#123;&#10;  bgp_peer &#61; object&#40;&#123;&#10;    address        &#61; string&#10;    asn            &#61; number&#10;    route_priority &#61; optional&#40;number, 1000&#41;&#10;    custom_advertise &#61; optional&#40;object&#40;&#123;&#10;      all_subnets          &#61; bool&#10;      all_vpc_subnets      &#61; bool&#10;      all_peer_vpc_subnets &#61; bool&#10;      ip_ranges            &#61; map&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;  &#125;&#41;&#10;  bgp_session_range               &#61; string&#10;  ike_version                     &#61; optional&#40;number, 2&#41;&#10;  peer_external_gateway_interface &#61; optional&#40;number&#41;&#10;  peer_gateway_id                 &#61; optional&#40;string, &#34;default&#34;&#41;&#10;  router                          &#61; optional&#40;string&#41;&#10;  shared_secret                   &#61; optional&#40;string&#41;&#10;  vpn_gateway_interface           &#61; number&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [tunnels](variables.tf#L79) | VPN tunnel configurations. | <code title="map&#40;object&#40;&#123;&#10;  bgp_peer &#61; object&#40;&#123;&#10;    address &#61; string&#10;    asn     &#61; number&#10;    custom_advertise &#61; optional&#40;object&#40;&#123;&#10;      all_subnets          &#61; bool&#10;      all_vpc_subnets      &#61; bool&#10;      all_peer_vpc_subnets &#61; bool&#10;      ip_ranges            &#61; map&#40;string&#41;&#10;    &#125;&#41;&#41;&#10;    md5_authentication_key &#61; optional&#40;object&#40;&#123;&#10;      name &#61; string&#10;      key  &#61; string&#10;    &#125;&#41;&#41;&#10;    route_priority &#61; optional&#40;number, 1000&#41;&#10;  &#125;&#41;&#10;  bgp_session_range               &#61; string&#10;  ike_version                     &#61; optional&#40;number, 2&#41;&#10;  peer_external_gateway_interface &#61; optional&#40;number&#41;&#10;  peer_gateway_id                 &#61; optional&#40;string, &#34;default&#34;&#41;&#10;  router                          &#61; optional&#40;string&#41;&#10;  shared_secret                   &#61; optional&#40;string&#41;&#10;  vpn_gateway_interface           &#61; number&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 
 ## Outputs
 

modules/net-ipsec-over-interconnect/main.tf

@@ -116,6 +116,15 @@ resource "google_compute_router_peer" "default" {
       description = range.value
     }
   }
+
+  dynamic "md5_authentication_key" {
+    for_each = each.value.bgp_peer.md5_authentication_key != null ? [each.value.bgp_peer.md5_authentication_key] : []
+    content {
+      name = md5_authentication_key.value.name
+      key  = md5_authentication_key.value.key
+    }
+  }
+
   interface = google_compute_router_interface.default[each.key].name
 }
 

modules/net-ipsec-over-interconnect/variables.tf

@@ -80,15 +80,19 @@ variable "tunnels" {
   description = "VPN tunnel configurations."
   type = map(object({
     bgp_peer = object({
-      address        = string
-      asn            = number
-      route_priority = optional(number, 1000)
+      address = string
+      asn     = number
       custom_advertise = optional(object({
         all_subnets          = bool
         all_vpc_subnets      = bool
         all_peer_vpc_subnets = bool
         ip_ranges            = map(string)
       }))
+      md5_authentication_key = optional(object({
+        name = string
+        key  = string
+      }))
+      route_priority = optional(number, 1000)
     })
     # each BGP session on the same Cloud Router must use a unique /30 CIDR
     # from the 169.254.0.0/16 block.