v5.43.1

NOTES:

• 5.43.1 is a backport release, and some changes will not appear in 6.X series releases until 6.1.0

BUG FIXES:

• pubsub: fixed a validation bug that didn't allow empty filter definitions for google_pubsub_subscription resources (#8055)

v6.0.1

BREAKING CHANGES:

• sql: removed settings.ip_configuration.require_ssl from google_sql_database_instance in favor of settings.ip_configuration.ssl_mode. This field was intended to be removed in 6.0.0. (#8043)

v6.0.0

Terraform Google Provider 6.0.0 Upgrade Guide

BREAKING CHANGES:

• provider: changed provider labels to add the goog-terraform-provisioned: true label by default. (#8004)
• activedirectory: added deletion_protection field to google_active_directory_domain resource. This field defaults to true, preventing accidental deletions. To delete the resource, you must first set deletion_protection = false before destroying the resource. (#7837)
• alloydb: removed network in google_alloy_db_cluster. Use network_config.network instead. (#7999)
• billing: revised the format of id for google_billing_project_info (#7793)
• bigquery: added client-side validation to prevent table view creation if schema contains required fields for google_bigquery_table resource (#7755)
• bigquery: removed allow_resource_tags_on_deletion from google_bigquery_table. Resource tags are now always allowed on table deletion. (#7940)
• bigqueryreservation: removed multi_region_auxiliary from google_bigquery_reservation (#7844)
• cloudrunv2: added deletion_protection field to google_cloudrunv2_service to make deleting them require an explicit intent. This field defaults to true, preventing accidental deletions. To delete the resource, you must first set deletion_protection = false before destroying the resource. (#7901)
• cloudrunv2: changed liveness_probe to no longer infer a default value from api on google_cloud_run_v2_service. Removing this field and applying the change will now remove liveness probe from the Cloud Run service. (#7753)
• cloudrunv2: retyped containers.env to SET from ARRAY for google_cloud_run_v2_service and google_cloud_run_v2_job. (#7812)
• composer: ip_allocation_policy = [] in google_composer_environment is no longer valid configuration. Removing the field from configuration should not produce a diff. (#8011)
• compute: added new required field enabled in google_compute_backend_service and google_compute_region_backend_service (#7758)
• compute: revised and in some cases removed default values of connection_draining_timeout_sec, balancing_mode and outlier_detection in google_compute_region_backend_service and google_compute_backend_service. (#7723)
• compute: updated resource id for compute_network_endpoints (#7806)
• compute: stopped the certifcate_id field in google_compute_managed_ssl_certificate resource being incorrectly marked as a user-configurable value when it should just be an output. (#7936)
• compute: guest_accelerator = [] is no longer valid configuration in google_compute_instance. To explicitly set an empty list of objects, set guest_accelerator.count = 0. (#8011)
• compute: google_compute_instance_from_template and google_compute_instance_from_machine_image network_interface.alias_ip_range, network_interface.access_config, attached_disk, guest_accelerator, service_account, scratch_disk can no longer be set to an empty block []. Removing the fields from configuration should not produce a diff. (#8011)
• compute: secondary_ip_ranges = [] in google_compute_subnetwork is no longer valid configuration. To set an explicitly empty list, use send_secondary_ip_range_if_empty and completely remove secondary_ip_range from config. (#8011)
• container: made advanced_datapath_observability_config.enable_relay required in google_container_cluster (#7930)
• container: removed deprecated field advanced_datapath_observability_config.relay_mode from google_container_cluster resource. Users are expected to use enable_relay field instead. (#7930)
• container: three label-related fields are now in google_container_cluster resource. resource_labels field is non-authoritative and only manages the labels defined by the users on the resource through Terraform. The new output-only terraform_labels field merges the labels defined by the users on the resource through Terraform and the default labels configured on the provider. The new output-only effective_labels field lists all of labels present on the resource in GCP, including the labels configured through Terraform, the system, and other clients. (#7932)
• container: made three fields resource_labels, terraform_labels, and effective_labels be present in google_container_cluster datasources. All three fields will have all of labels present on the resource in GCP including the labels configured through Terraform, the system, and other clients, equivalent to effective_labels on the resource. (#7932)
• container: guest_accelerator = [] is no longer valid configuration in google_container_cluster and google_container_node_pool. To explicitly set an empty list of objects, set guest_accelerator.count = 0. (#8011)
• container: guest_accelerator.gpu_driver_installation_config = [] and guest_accelerator.gpu_sharing_config = [] are no longer valid configuration in google_container_cluster and google_container_node_pool. Removing the fields from configuration should not produce a diff. (#8011)
• datastore: removed google_datastore_index in favor of google_firestore_index (#7987)
• edgenetwork: three label-related fields are now in google_edgenetwork_network and google_edgenetwork_subnet resources. labels field is non-authoritative and only manages the labels defined by the users on the resource through Terraform. The new output-only terraform_labels field merges the labels defined by the users on the resource through Terraform and the default labels configured on the provider. The new output-only effective_labels field lists all of labels present on the resource in GCP, including the labels configured through Terraform, the system, and other clients. (#7932)
• identityplatform: removed resource google_identity_platform_project_default_config in favor of google_identity_platform_project_config (#7880)
• integrations: removed create_sample_workflows and provision_gmek from google_integrations_client (#7977)
• pubsub: allowed schema_settings in google_pubsub_topic to be removed (#7674)
• redis: added a deletion_protection_enabled field to the google_redis_cluster resource. This field defaults to true, preventing accidental deletions. To delete the resource, you must first set deletion_protection_enabled = false before destroying the resource. (#7995)
• resourcemanager: added deletion_protection field to google_folder to make deleting them require an explicit intent. Folder resources now cannot be destroyed unless deletion_protection = false is set for the resource. (#7903)
• resourcemanager: made deletion_policy in google_project 'PREVENT' by default. This makes deleting them require an explicit intent. google_project resources cannot be destroyed unless deletion_policy is set to 'ABANDON' or 'DELETE' for the resource. (#7946)
• storage: removed no_age field from lifecycle_rule.condition in the google_storage_bucket resource (#7923)
• sql: removed settings.ip_configuration.require_ssl in google_sql_database_instance. Please use settings.ip_configuration.ssl_mode instead. (#7804)
• vpcaccess: removed default values for min_throughput and min_instances fields on google_vpc_access_connector and made them default to values returned from the API when not provided by users (#7709)
• vpcaccess: ad...

v5.43.0

DEPRECATIONS:

• storage: deprecated lifecycle_rule.condition.no_age field in google_storage_bucket. Use the new lifecycle_rule.condition.send_age_if_zero field instead. (#7994)

FEATURES:

• New Resource: google_kms_ekm_connection_iam_binding (#7969)
• New Resource: google_kms_ekm_connection_iam_member (#7969)
• New Resource: google_kms_ekm_connection_iam_policy (#7969)
• New Resource: google_scc_v2_organization_scc_big_query_exports (#8002)

IMPROVEMENTS:

• compute: exposed service side id as new output field forwarding_rule_id on resource google_compute_forwarding_rule (#7972)
• container: added EXTENDED as a valid option for release_channel field in google_container_cluster resource (#7973)
• logging: changed enable_analytics parsing to "no preference" in analytics if omitted, instead of explicitly disabling analytics in google_logging_project_bucket_config. (#7964)
• networkservices: added idle_timeout field to the google_network_services_tcp_route resource (#7996)
• pusbub: added validation to filter field in resource google_pubsub_subscription (#7968)
• resourcemanager: added default_labels field to google_client_config data source (#7992)
• vmwareengine: added PC undelete support in google_vmwareengine_private_cloud (#8005)

BUG FIXES:

• alloydb: fixed a permadiff on psc_instance_config in google_alloydb_instance resource (#7975)
• compute: fixed a malformed URL that affected updating the server_tls_policy property on google_compute_target_https_proxy resources (#7988)
• compute: fixed force diff replacement logic for network_ip on resource google_compute_instance (#7971)

v5.42.0

DEPRECATIONS:

• compute: setting google_compute_subnetwork.secondary_ip_range = [] to explicitly set a list of empty objects is deprecated and will produce an error in the upcoming major release. Use send_secondary_ip_range_if_empty while removing secondary_ip_range from config instead. (#7961)

FEATURES:

• New Data Source: google_artifact_registry_locations (#7922)
• New Data Source: google_cloud_identity_transitive_group_memberships (#7917)
• New Resource: google_discovery_engine_schema (#7963)
• New Resource: google_scc_folder_notification_config (#7928)
• New Resource: google_scc_v2_folder_notification_config (#7927)
• New Resource: google_vertex_ai_index_endpoint_deployed_index (#7931)

IMPROVEMENTS:

• clouddeploy: added serial_pipeline.stages.strategy.canary.runtime_config.kubernetes.gateway_service_mesh.pod_selector_label and serial_pipeline.stages.strategy.canary.runtime_config.kubernetes.service_networking.pod_selector_label fields to google_clouddeploy_delivery_pipeline resource (#7945)
• compute: added TDX instance option to confidential_instance_type instance in google_compute_instance (#7913)
• compute: added send_secondary_ip_range_if_empty to google_compute_subnetwork (#7961)
• discoveryengine: added skip_default_schema_creation field to google_data_store resource (#7900)
• dns: changed load_balancer_type field from required to optional in google_dns_record_set (#7925)
• parallelstore: added file_stripe_level, directory_stripe_level fields to google_parallelstore_instance resource (#7942)
• servicenetworking: added update_on_creation_fail field to google_service_networking_connection resource. When it is set to true, enforce an update of the reserved peering ranges on the existing service networking connection in case of a new connection creation failure. (#7915)
• sql: added server_ca_mode field to google_sql_database_instance resource (#7886)

BUG FIXES:

• bigquery: made google_bigquery_dataset_iam_member non-authoritative. To remove a bigquery dataset iam member, use an authoritative resource like google_bigquery_dataset_iam_policy (#7960)
• cloudfunctions2: fixed a "Provider produced inconsistent final plan" bug affecting the service_config.environment_variables field in google_cloudfunctions2_function resource (#7905)
• cloudfunctions2: fixed a permadiff on storage_source.generation in google_cloudfunctions2_function resource (#7912)
• compute: fixed issue where sub-resources managed by google_compute_forwarding_rule prevented resource deletion (#7958)
• logging: changed google_logging_project_bucket_config.enable_analytics behavior to set "no preference" in analytics if omitted, instead of explicitly disabling analytics. (#19126)
• workbench: fixed a bug with google_workbench_instance metadata drifting when using custom containers. (#7959)

v5.41.0

DEPRECATIONS:

• resourcemanager: deprecated skip_delete field in the google_project resource. Use deletion_policy instead. (#7817)

FEATURES:

• New Data Source: google_scc_v2_organization_source_iam_policy (#7888)
• New Resource: google_access_context_manager_service_perimeter_dry_run_egress_policy (#7882)
• New Resource: google_access_context_manager_service_perimeter_dry_run_ingress_policy (#7882)
• New Resource: google_scc_v2_folder_mute_config (#7846)
• New Resource: google_scc_v2_project_mute_config (#7881)
• New Resource: google_scc_v2_project_notification_config (#7892)
• New Resource: google_scc_v2_organization_source (#7888)
• New Resource: google_scc_v2_organization_source_iam_binding (#7888)
• New Resource: google_scc_v2_organization_source_iam_member (#7888)
• New Resource: google_scc_v2_organization_source_iam_policy (#7888)

IMPROVEMENTS:

• clouddeploy: added gke.proxy_url field to google_clouddeploy_target (#7899)
• cloudrunv2: added field binary_authorization.policy to resource google_cloud_run_v2_job and resource google_cloud_run_v2_service to support named binary authorization policy. (#7883)
• compute: added update-in-place support for the google_compute_target_https_proxy.server_tls_policy field (#7884)
• compute: added update-in-place support for the google_compute_region_target_https_proxy.server_tls_policy field (#7891)
• container: added auto_provisioning_locations field to google_container_cluster (#7849)
• dataform: added kms_key_name field to google_dataform_repository resource (#7855)
• discoveryengine: added skip_default_schema_creation field to google_discovery_engine_data_store resource (#7900)
• gkehub: added configmanagement.management and configmanagement.config_sync.enabled fields to google_gkehub_feature_membership (#7899)
• gkehub: added management field to google_gke_hub_feature.fleet_default_member_config.configmanagement (#7862)
• resourcemanager: added deletion_policy field to the google_project resource. Setting deletion_policy to PREVENT will protect the project against any destroy actions caused by a terraform apply or terraform destroy. Setting deletion_policy to ABANDON allows the resource to be abandoned rather than deleted and it behaves the same with skip_delete = true. Default value is DELETE. skip_delete = true takes precedence over deletion_policy = "DELETE".
• storage: added force_destroy field to google_storage_managed_folder resource (#7867)
• storage: added generation field to google_storage_bucket_object resource (#7866)

BUG FIXES:

• compute: fixed google_compute_instance.alias_ip_range update behavior to avoid temporarily deleting unchanged alias IP ranges (#7898)
• compute: fixed the bug that creation of PSC forwarding rules fails in google_compute_forwarding_rule resource when provider default labels are set (#7873)
• sql: fixed a perma-diff in settings.insights_config in google_sql_database_instance (#7861)

v5.40.0

NOTES:

• resourcemanager: This release included a deprecation of skip_delete in google_project without the future field (deletion_policy) being available. This will be corrected in a future 5.X release prior to the release of 6.0.0 where the deletion_policy field will be made available.

DEPRECATIONS:

• resourcemanager: deprecated skip_delete field in the google_project resource. Instead use the new field deletion_policy in the next major release (#7817)

IMPROVEMENTS:

• bigquery: added support for value DELTA_LAKE to source_format in google_bigquery_table resource (#7841)
• compute: added access_mode field to google_compute_disk resource (#7813)
• compute: added stack_type, and gateway_ip_version fields to google_compute_router resource (#7801)
• container: added field ray_operator_config for resource_container_cluster (#7795)
• monitoring: updated goal field to accept a max threshold of up to 0.9999 in google_monitoring_slo resource (#7807)
• networkconnectivity: added export_psc field to google_network_connectivity_hub resource (#7816)
• sql: added enable_dataplex_integration field to google_sql_database_instance resource (#7810)

BUG FIXES:

• bigquery: fixed a permadiff when handling "assets" in params in the google_bigquery_data_transfer_config resource (#7833)
• bigquery: fixed an issue preventing certain keys in params from being assigned values in google_bigquery_data_transfer_config (#7828)
• compute: fixed perma-diff in google_compute_router (#7818)
• container: fixed perma-diff on node_config.guest_accelerator.gpu_driver_installation_config field in GKE 1.30+ in google_container_node_pool resource (#7799)
• sql: fixed a perma-diff in settings.insights_config in google_sql_database_instance (#7861)

v5.39.1

BUG FIXES:

• datastream: fixed a breaking change in 5.39.0 google_datastream_stream that made one of destination_config.0.bigquery_destination_config.0.merge or destination_config.0.bigquery_destination_config.0.append_only required (#7835)

v5.39.0

NOTES:

• networkconnectivity: migrated google_network_connectivity_hub from DCL to MMv1 (#7724)
• networkconnectivity: migrated google_network_connectivity_spoke from DCL to MMv1 (#7762)

DEPRECATIONS:

• bigquery: deprecated allow_resource_tags_on_deletion in google_bigquery_table. (#7782)
• bigqueryreservation: deprecated multi_region_auxiliary on google_bigquery_reservation. (#7778)
• datastore: deprecated the resource google_datastore_index. Use the google_firestore_index resource instead. (#7764)

FEATURES:

• New Resource: google_apigee_environment_keyvaluemaps_entries (#7717)
• New Resource: google_apigee_environment_keyvaluemaps (#7717)
• New Resource: google_compute_resize_request (#7725)
• New Resource: google_compute_router_route_policy (#7748)
• New Resource: google_scc_v2_organization_mute_config (#7744)

IMPROVEMENTS:

• alloydb: added observability_config field to google_alloydb_instance resource (#7737)
• bigquery: added resource_tags field to google_bigquery_table resource (#7735)
• bigtable: added data_boost_isolation_read_only and data_boost_isolation_read_only.compute_billing_owner fields to google_bigtable_app_profile resource (#7789)
• cloudfunctions: added build_service_account field to google_cloudfunctions_function resource (#7713)
• compute: added aws_v4_authentication field to google_compute_backend_service resource (#7775)
• compute: added custom_learned_ip_ranges and custom_learned_route_priority fields to google_compute_router_peer resource (#7727)
• compute: added export_policies and import_policies fields to google_compute_router_peer resource (#7748)
• compute: added shared_secret field to google_compute_public_advertised_prefix resource (#7767)
• compute: added storage_pool under boot_disk.initialize_params to google_compute_instance resource (#7787)
• compute: changed target_service field on the google_compute_service_attachment resource to accept a ForwardingRule or Gateway URL. (#7736)
• container: added field ray_operator_config for google_container_cluster (#7795)
• datastream: added merge and append_only fields to google_datastream_stream resource (#7726)
• dlp: added cloud_storage_target field to google_data_loss_prevention_discovery_config resource (#7734)
• resourcemanager: added check_if_service_has_usage_on_destroy field to google_project_service resource (#7745)
• resourcemanager: added the member property to google_project_service_identity (#7708)
• vmwareengine: added deletion_delay_hours field to google_vmwareengine_private_cloud resource (#7710)
• vmwareengine: supported type change from TIME_LIMITED to STANDARD for multi-node google_vmwareengine_private_cloud resource (#7710)
• workbench: added access_configs to google_workbench_instance resource (#7732)

BUG FIXES:

• compute: fixed perma-diff for interconnect_type being DEDICATED in google_compute_interconnect resource (#7750)
• dialogflowcx: fixed intermittent issues with retrieving resource state soon after creating google_dialogflow_cx_security_settings resources (#7772)
• firestore: fixed missing import of field for google_firestore_field. (#7757)
• firestore: fixed bug where fields database, collection, document_id, and field could not be updated on google_firestore_document and google_firestore_field resources. (#7791)
• netapp: made the smb_settings field on the google_netapp_volume resource default to the value returned from the API. This solves permadiffs when the field is unset. (#7770)
• networksecurity: added recreate functionality on update for client_validation_mode and client_validation_trust_config in google_network_security_server_tls_policy (#7756)

v5.38.0

FEATURES:

• New Data Source: google_gke_hub_membership_binding (#7696)
• New Data Source: google_site_verification_token (#7704)
• New Resource: google_scc_project_notification_config (#7698)

IMPROVEMENTS:

• cloudkms: added key_access_justifications_policy field to google_kms_crypto_key resource (#7693)
• compute: made the google_compute_resource_policy resource updatable in-place (#7692)
• vertexai: added project_number field to google_vertex_ai_feature_online_store_featureview resource (#7680)

BUG FIXES:

• cloudfunctions2: fixed permadiffs on service_config.environment_variables field in google_cloudfunctions2_function resource (#7684)
• networksecurity: fixed permadiffs on purpose field in google_network_security_address_group resource (#7687)