Add deletion_protection to v2 cloud run service resource (#11318) (#7901

) [upstream:1c7aa4de79d54b48b5e81cab86661d3db582625b] Signed-off-by: Modular Magician <[email protected]>
hashicorp · Aug 6, 2024 · bd71dbe · bd71dbe
1 parent 96864dd
commit bd71dbe
Show file tree

Hide file tree

Showing 16 changed files with 210 additions and 324 deletions.
diff --git a/.changelog/11318.txt b/.changelog/11318.txt
@@ -0,0 +1,3 @@
+```release-note:breaking-change
+cloudrunv2: added `deletion_protection` field to `google_cloudrunv2_service` to make deleting them require an explicit intent. `google_cloudrunv2_service` resources now cannot be destroyed unless `deletion_protection = false` is set for the resource.
+```
diff --git a/google-beta/services/cloudrunv2/data_source_google_cloud_run_v2_job_test.go b/google-beta/services/cloudrunv2/data_source_google_cloud_run_v2_job_test.go
@@ -41,6 +41,7 @@ func testAccDataSourceGoogleCloudRunV2Job_basic(name, location string) string {
 resource "google_cloud_run_v2_job" "hello" {
   name     = "%s"
   location = "%s"
+  deletion_protection = false
 
   template {
     template {
@@ -102,6 +103,7 @@ func testAccDataSourceGoogleCloudRunV2Job_bindIAMPermission(name, location strin
 resource "google_cloud_run_v2_job" "hello" {
   name     = "%s"
   location = "%s"
+  deletion_protection = false
 
   template {
     template {

diff --git a/google-beta/services/cloudrunv2/data_source_google_cloud_run_v2_service_test.go b/google-beta/services/cloudrunv2/data_source_google_cloud_run_v2_service_test.go
@@ -41,6 +41,7 @@ func testAccDataSourceGoogleCloudRunV2Service_basic(name, location string) strin
 resource "google_cloud_run_v2_service" "hello" {
   name     = "%s"
   location = "%s"
+  deletion_protection = false
   ingress  = "INGRESS_TRAFFIC_ALL"
   
   template {
@@ -95,6 +96,7 @@ func testAccDataSourceGoogleCloudRunV2Service_bindIAMPermission(name, location s
 resource "google_cloud_run_v2_service" "hello" {
   name     = "%s"
   location = "%s"
+  deletion_protection = false
   ingress  = "INGRESS_TRAFFIC_ALL"
   
   template {

diff --git a/google-beta/services/cloudrunv2/iam_cloud_run_v2_job_generated_test.go b/google-beta/services/cloudrunv2/iam_cloud_run_v2_job_generated_test.go
@@ -128,6 +128,7 @@ func testAccCloudRunV2JobIamMember_basicGenerated(context map[string]interface{}
 resource "google_cloud_run_v2_job" "default" {
   name     = "tf-test-cloudrun-job%{random_suffix}"
   location = "us-central1"
+  deletion_protection = false
 
   template {
     template {
@@ -153,6 +154,7 @@ func testAccCloudRunV2JobIamPolicy_basicGenerated(context map[string]interface{}
 resource "google_cloud_run_v2_job" "default" {
   name     = "tf-test-cloudrun-job%{random_suffix}"
   location = "us-central1"
+  deletion_protection = false
 
   template {
     template {
@@ -193,6 +195,7 @@ func testAccCloudRunV2JobIamPolicy_emptyBinding(context map[string]interface{})
 resource "google_cloud_run_v2_job" "default" {
   name     = "tf-test-cloudrun-job%{random_suffix}"
   location = "us-central1"
+  deletion_protection = false
 
   template {
     template {
@@ -220,6 +223,7 @@ func testAccCloudRunV2JobIamBinding_basicGenerated(context map[string]interface{
 resource "google_cloud_run_v2_job" "default" {
   name     = "tf-test-cloudrun-job%{random_suffix}"
   location = "us-central1"
+  deletion_protection = false
 
   template {
     template {
@@ -245,6 +249,7 @@ func testAccCloudRunV2JobIamBinding_updateGenerated(context map[string]interface
 resource "google_cloud_run_v2_job" "default" {
   name     = "tf-test-cloudrun-job%{random_suffix}"
   location = "us-central1"
+  deletion_protection = false
 
   template {
     template {

diff --git a/google-beta/services/cloudrunv2/iam_cloud_run_v2_service_generated_test.go b/google-beta/services/cloudrunv2/iam_cloud_run_v2_service_generated_test.go
@@ -128,6 +128,7 @@ func testAccCloudRunV2ServiceIamMember_basicGenerated(context map[string]interfa
 resource "google_cloud_run_v2_service" "default" {
   name     = "tf-test-cloudrun-service%{random_suffix}"
   location = "us-central1"
+  deletion_protection = false
   ingress = "INGRESS_TRAFFIC_ALL"
   
   template {
@@ -152,6 +153,7 @@ func testAccCloudRunV2ServiceIamPolicy_basicGenerated(context map[string]interfa
 resource "google_cloud_run_v2_service" "default" {
   name     = "tf-test-cloudrun-service%{random_suffix}"
   location = "us-central1"
+  deletion_protection = false
   ingress = "INGRESS_TRAFFIC_ALL"
   
   template {
@@ -191,6 +193,7 @@ func testAccCloudRunV2ServiceIamPolicy_emptyBinding(context map[string]interface
 resource "google_cloud_run_v2_service" "default" {
   name     = "tf-test-cloudrun-service%{random_suffix}"
   location = "us-central1"
+  deletion_protection = false
   ingress = "INGRESS_TRAFFIC_ALL"
   
   template {
@@ -217,6 +220,7 @@ func testAccCloudRunV2ServiceIamBinding_basicGenerated(context map[string]interf
 resource "google_cloud_run_v2_service" "default" {
   name     = "tf-test-cloudrun-service%{random_suffix}"
   location = "us-central1"
+  deletion_protection = false
   ingress = "INGRESS_TRAFFIC_ALL"
   
   template {
@@ -241,6 +245,7 @@ func testAccCloudRunV2ServiceIamBinding_updateGenerated(context map[string]inter
 resource "google_cloud_run_v2_service" "default" {
   name     = "tf-test-cloudrun-service%{random_suffix}"
   location = "us-central1"
+  deletion_protection = false
   ingress = "INGRESS_TRAFFIC_ALL"
   
   template {

diff --git a/google-beta/services/cloudrunv2/resource_cloud_run_v2_job.go b/google-beta/services/cloudrunv2/resource_cloud_run_v2_job.go
@@ -756,6 +756,17 @@ A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to n
 				Computed:    true,
 				Description: `The last-modified time.`,
 			},
+			"deletion_protection": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  true,
+				Description: `Whether Terraform will be prevented from destroying the job. Defaults to true.
+When a'terraform destroy' or 'terraform apply' would delete the job,
+the command will fail if this field is not set to false in Terraform state.
+When the field is set to true or unset in Terraform state, a 'terraform apply'
+or 'terraform destroy' that would delete the job will fail.
+When the field is set to false, deleting the job is allowed.`,
+			},
 			"project": {
 				Type:     schema.TypeString,
 				Optional: true,
@@ -978,6 +989,12 @@ func resourceCloudRunV2JobRead(d *schema.ResourceData, meta interface{}) error {
 		return transport_tpg.HandleNotFoundError(err, d, fmt.Sprintf("CloudRunV2Job %q", d.Id()))
 	}
 
+	// Explicitly set virtual fields to default values if unset
+	if _, ok := d.GetOkExists("deletion_protection"); !ok {
+		if err := d.Set("deletion_protection", true); err != nil {
+			return fmt.Errorf("Error setting deletion_protection: %s", err)
+		}
+	}
 	if err := d.Set("project", project); err != nil {
 		return fmt.Errorf("Error reading Job: %s", err)
 	}
@@ -1207,6 +1224,9 @@ func resourceCloudRunV2JobDelete(d *schema.ResourceData, meta interface{}) error
 	}
 
 	headers := make(http.Header)
+	if d.Get("deletion_protection").(bool) {
+		return fmt.Errorf("cannot destroy job without setting deletion_protection=false and running `terraform apply`")
+	}
 
 	log.Printf("[DEBUG] Deleting Job %q", d.Id())
 	res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
@@ -1252,6 +1272,11 @@ func resourceCloudRunV2JobImport(d *schema.ResourceData, meta interface{}) ([]*s
 	}
 	d.SetId(id)
 
+	// Explicitly set virtual fields to default values on import
+	if err := d.Set("deletion_protection", true); err != nil {
+		return nil, fmt.Errorf("Error setting deletion_protection: %s", err)
+	}
+
 	return []*schema.ResourceData{d}, nil
 }
 

diff --git a/google-beta/services/cloudrunv2/resource_cloud_run_v2_job_generated_test.go b/google-beta/services/cloudrunv2/resource_cloud_run_v2_job_generated_test.go
@@ -49,7 +49,7 @@ func TestAccCloudRunV2Job_cloudrunv2JobBasicExample(t *testing.T) {
 				ResourceName:            "google_cloud_run_v2_job.default",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"annotations", "labels", "location", "name", "terraform_labels"},
+				ImportStateVerifyIgnore: []string{"annotations", "deletion_protection", "labels", "location", "name", "terraform_labels"},
 			},
 		},
 	})
@@ -60,6 +60,7 @@ func testAccCloudRunV2Job_cloudrunv2JobBasicExample(context map[string]interface
 resource "google_cloud_run_v2_job" "default" {
   name     = "tf-test-cloudrun-job%{random_suffix}"
   location = "us-central1"
+  deletion_protection = false
 
   template {
     template {
@@ -91,7 +92,7 @@ func TestAccCloudRunV2Job_cloudrunv2JobLimitsExample(t *testing.T) {
 				ResourceName:            "google_cloud_run_v2_job.default",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"annotations", "labels", "location", "name", "terraform_labels"},
+				ImportStateVerifyIgnore: []string{"annotations", "deletion_protection", "labels", "location", "name", "terraform_labels"},
 			},
 		},
 	})
@@ -102,6 +103,7 @@ func testAccCloudRunV2Job_cloudrunv2JobLimitsExample(context map[string]interfac
 resource "google_cloud_run_v2_job" "default" {
   name     = "tf-test-cloudrun-job%{random_suffix}"
   location = "us-central1"
+  deletion_protection = false
 
   template {
     template {
@@ -146,7 +148,7 @@ func TestAccCloudRunV2Job_cloudrunv2JobSqlExample(t *testing.T) {
 				ResourceName:            "google_cloud_run_v2_job.default",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"annotations", "labels", "location", "name", "terraform_labels"},
+				ImportStateVerifyIgnore: []string{"annotations", "deletion_protection", "labels", "location", "name", "terraform_labels"},
 			},
 		},
 	})
@@ -157,7 +159,7 @@ func testAccCloudRunV2Job_cloudrunv2JobSqlExample(context map[string]interface{}
 resource "google_cloud_run_v2_job" "default" {
   name     = "tf-test-cloudrun-job%{random_suffix}"
   location = "us-central1"
-  
+  deletion_protection = false
   template {
     template{
       volumes {
@@ -246,7 +248,7 @@ func TestAccCloudRunV2Job_cloudrunv2JobVpcaccessExample(t *testing.T) {
 				ResourceName:            "google_cloud_run_v2_job.default",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"annotations", "labels", "location", "name", "terraform_labels"},
+				ImportStateVerifyIgnore: []string{"annotations", "deletion_protection", "labels", "location", "name", "terraform_labels"},
 			},
 		},
 	})
@@ -257,6 +259,7 @@ func testAccCloudRunV2Job_cloudrunv2JobVpcaccessExample(context map[string]inter
 resource "google_cloud_run_v2_job" "default" {
   name     = "tf-test-cloudrun-job%{random_suffix}"
   location = "us-central1"
+  deletion_protection = false
 
   template {
     template{
@@ -313,7 +316,7 @@ func TestAccCloudRunV2Job_cloudrunv2JobDirectvpcExample(t *testing.T) {
 				ResourceName:            "google_cloud_run_v2_job.default",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"annotations", "labels", "location", "name", "terraform_labels"},
+				ImportStateVerifyIgnore: []string{"annotations", "deletion_protection", "labels", "location", "name", "terraform_labels"},
 			},
 		},
 	})
@@ -324,6 +327,7 @@ func testAccCloudRunV2Job_cloudrunv2JobDirectvpcExample(context map[string]inter
 resource "google_cloud_run_v2_job" "default" {
   name     = "tf-test-cloudrun-job%{random_suffix}"
   location = "us-central1"
+  deletion_protection = false
   launch_stage = "GA"
   template {
     template{
@@ -362,7 +366,7 @@ func TestAccCloudRunV2Job_cloudrunv2JobSecretExample(t *testing.T) {
 				ResourceName:            "google_cloud_run_v2_job.default",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"annotations", "labels", "location", "name", "terraform_labels"},
+				ImportStateVerifyIgnore: []string{"annotations", "deletion_protection", "labels", "location", "name", "terraform_labels"},
 			},
 		},
 	})
@@ -373,6 +377,7 @@ func testAccCloudRunV2Job_cloudrunv2JobSecretExample(context map[string]interfac
 resource "google_cloud_run_v2_job" "default" {
   name     = "tf-test-cloudrun-job%{random_suffix}"
   location = "us-central1"
+  deletion_protection = false
 
   template {
     template {
@@ -447,7 +452,7 @@ func TestAccCloudRunV2Job_cloudrunv2JobEmptydirExample(t *testing.T) {
 				ResourceName:            "google_cloud_run_v2_job.default",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"annotations", "labels", "location", "name", "terraform_labels"},
+				ImportStateVerifyIgnore: []string{"annotations", "deletion_protection", "labels", "location", "name", "terraform_labels"},
 			},
 		},
 	})
@@ -459,6 +464,7 @@ resource "google_cloud_run_v2_job" "default" {
   provider = google-beta
   name     = "tf-test-cloudrun-job%{random_suffix}"
   location = "us-central1"
+  deletion_protection = false
   launch_stage = "BETA"
   template {
     template {
@@ -501,7 +507,7 @@ func TestAccCloudRunV2Job_cloudrunv2JobRunJobExample(t *testing.T) {
 				ResourceName:            "google_cloud_run_v2_job.default",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"annotations", "labels", "location", "name", "terraform_labels"},
+				ImportStateVerifyIgnore: []string{"annotations", "deletion_protection", "labels", "location", "name", "terraform_labels"},
 			},
 		},
 	})
@@ -513,6 +519,7 @@ resource "google_cloud_run_v2_job" "default" {
   provider = google-beta
   name     = "tf-test-cloudrun-job%{random_suffix}"
   location = "us-central1"
+  deletion_protection = false
   start_execution_token = "start-once-created"
   template {
     template {