Merge branch 'master' into dns-refactory

Author: renato-rudnicki

.github/workflows/go-lint.yaml

@@ -36,13 +36,13 @@ jobs:
       matrix:
         folder: [helpers/foundation-deployer]
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
           go-version-file: ${{ matrix.folder }}/go.mod
           cache-dependency-path: ${{ matrix.folder }}/go.sum
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
+        uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
         with:
           version: latest
           working-directory: ${{ matrix.folder }}

.github/workflows/go-test.yaml

@@ -38,8 +38,8 @@ jobs:
       matrix:
         folder: [helpers/foundation-deployer]
     steps:
-    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-    - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
       with:
         go-version-file: ${{ matrix.folder }}/go.mod
         cache-dependency-path: ${{ matrix.folder }}/go.sum

0-bootstrap/README.md

@@ -361,12 +361,14 @@ Each step has instructions for this change.
 | default\_region\_2 | Secondary default region to create resources where applicable. | `string` | `"us-west1"` | no |
 | default\_region\_gcs | Case-Sensitive default region to create gcs resources where applicable. | `string` | `"US"` | no |
 | default\_region\_kms | Secondary default region to create kms resources where applicable. | `string` | `"us"` | no |
+| folder\_deletion\_protection | Prevent Terraform from destroying or recreating the folder. | `string` | `true` | no |
 | folder\_prefix | Name prefix to use for folders created. Should be the same in all steps. | `string` | `"fldr"` | no |
 | groups | Contain the details of the Groups to be created. | <pre>object({<br>    create_required_groups = optional(bool, false)<br>    create_optional_groups = optional(bool, false)<br>    billing_project        = optional(string, null)<br>    required_groups = object({<br>      group_org_admins     = string<br>      group_billing_admins = string<br>      billing_data_users   = string<br>      audit_data_users     = string<br>    })<br>    optional_groups = optional(object({<br>      gcp_security_reviewer    = optional(string, "")<br>      gcp_network_viewer       = optional(string, "")<br>      gcp_scc_admin            = optional(string, "")<br>      gcp_global_secrets_admin = optional(string, "")<br>      gcp_kms_admin            = optional(string, "")<br>    }), {})<br>  })</pre> | n/a | yes |
 | initial\_group\_config | Define the group configuration when it is initialized. Valid values are: WITH\_INITIAL\_OWNER, EMPTY and INITIAL\_GROUP\_CONFIG\_UNSPECIFIED. | `string` | `"WITH_INITIAL_OWNER"` | no |
 | org\_id | GCP Organization ID | `string` | n/a | yes |
 | org\_policy\_admin\_role | Additional Org Policy Admin role for admin group. You can use this for testing purposes. | `bool` | `false` | no |
 | parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. | `string` | `""` | no |
+| project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no |
 | project\_prefix | Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters. | `string` | `"prj"` | no |
 
 ## Outputs

0-bootstrap/cb.tf

@@ -70,7 +70,7 @@ resource "random_string" "suffix" {
 
 module "gcp_projects_state_bucket" {
   source  = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
-  version = "~> 6.0"
+  version = "~> 8.0"
 
   name          = "${var.bucket_prefix}-${module.seed_bootstrap.seed_project_id}-gcp-projects-tfstate"
   project_id    = module.seed_bootstrap.seed_project_id
@@ -86,7 +86,7 @@ module "gcp_projects_state_bucket" {
 
 module "tf_source" {
   source  = "terraform-google-modules/bootstrap/google//modules/tf_cloudbuild_source"
-  version = "~> 8.0"
+  version = "~> 9.0"
 
   org_id                = var.org_id
   folder_id             = google_folder.bootstrap.id
@@ -96,6 +96,8 @@ module "tf_source" {
   group_org_admins      = var.groups.required_groups.group_org_admins
   buckets_force_destroy = var.bucket_force_destroy
 
+  project_deletion_policy = var.project_deletion_policy
+
   activate_apis = [
     "serviceusage.googleapis.com",
     "servicenetworking.googleapis.com",
@@ -134,6 +136,15 @@ module "tf_source" {
   depends_on = [module.seed_bootstrap]
 }
 
+resource "google_project_service_identity" "workflows_identity" {
+  provider = google-beta
+
+  project = module.tf_source.cloudbuild_project_id
+  service = "workflows.googleapis.com"
+
+  depends_on = [module.tf_source]
+}
+
 module "tf_private_pool" {
   source = "./modules/cb-private-pool"
 
@@ -155,7 +166,7 @@ module "tf_private_pool" {
 
 module "tf_cloud_builder" {
   source  = "terraform-google-modules/bootstrap/google//modules/tf_cloudbuild_builder"
-  version = "~> 8.0"
+  version = "~> 9.0"
 
   project_id                   = module.tf_source.cloudbuild_project_id
   dockerfile_repo_uri          = module.tf_source.csr_repos[local.cloudbuilder_repo].url
@@ -206,7 +217,7 @@ module "build_terraform_image" {
 
 module "tf_workspace" {
   source   = "terraform-google-modules/bootstrap/google//modules/tf_cloudbuild_workspace"
-  version  = "~> 8.0"
+  version  = "~> 9.0"
   for_each = local.granular_sa
 
   project_id                = module.tf_source.cloudbuild_project_id

0-bootstrap/github.tf.example

@@ -70,7 +70,7 @@ locals {
 
 module "gh_cicd" {
   source  = "terraform-google-modules/project-factory/google"
-  version = "~> 15.0"
+  version = "~> 17.0"
 
   name              = "${var.project_prefix}-b-cicd-wif-gh"
   random_project_id = true
@@ -87,6 +87,8 @@ module "gh_cicd" {
     "cloudresourcemanager.googleapis.com",
     "iamcredentials.googleapis.com",
   ]
+
+  deletion_policy = var.project_deletion_policy
 }
 
 module "gh_oidc" {

0-bootstrap/gitlab.tf.example

@@ -81,7 +81,7 @@ provider "gitlab" {
 
 module "gitlab_cicd" {
   source  = "terraform-google-modules/project-factory/google"
-  version = "~> 15.0"
+  version = "~> 17.0"
 
   name              = "${var.project_prefix}-b-cicd-wif-gl"
   random_project_id = true
@@ -100,8 +100,9 @@ module "gitlab_cicd" {
     "sts.googleapis.com",
     "dns.googleapis.com",
     "secretmanager.googleapis.com",
-
   ]
+
+  deletion_policy = var.project_deletion_policy
 }
 
 module "gitlab_oidc" {

0-bootstrap/groups.tf

@@ -34,7 +34,7 @@ data "google_organization" "org" {
 
 module "required_group" {
   source   = "terraform-google-modules/group/google"
-  version  = "~> 0.6"
+  version  = "~> 0.7"
   for_each = local.required_groups_to_create
 
   id                   = each.value
@@ -46,7 +46,7 @@ module "required_group" {
 
 module "optional_group" {
   source   = "terraform-google-modules/group/google"
-  version  = "~> 0.6"
+  version  = "~> 0.7"
   for_each = local.optional_groups_to_create
 
   id                   = each.value

0-bootstrap/jenkins.tf.example

@@ -46,6 +46,7 @@ module "jenkins_bootstrap" {
   tunnel0_bgp_session_range                = var.tunnel0_bgp_session_range
   tunnel1_bgp_peer_address                 = var.tunnel1_bgp_peer_address
   tunnel1_bgp_session_range                = var.tunnel1_bgp_session_range
+  project_deletion_policy                  = var.project_deletion_policy
 }
 
 resource "google_organization_iam_member" "org_jenkins_sa_browser" {

0-bootstrap/main.tf

@@ -35,13 +35,14 @@ locals {
 }
 
 resource "google_folder" "bootstrap" {
-  display_name = "${var.folder_prefix}-bootstrap"
-  parent       = local.parent
+  display_name        = "${var.folder_prefix}-bootstrap"
+  parent              = local.parent
+  deletion_protection = var.folder_deletion_protection
 }
 
 module "seed_bootstrap" {
   source  = "terraform-google-modules/bootstrap/google"
-  version = "~> 8.0"
+  version = "~> 9.0"
 
   org_id                         = var.org_id
   folder_id                      = google_folder.bootstrap.id
@@ -61,6 +62,7 @@ module "seed_bootstrap" {
   encrypt_gcs_bucket_tfstate     = true
   key_rotation_period            = "7776000s"
   kms_prevent_destroy            = !var.bucket_tfstate_kms_force_destroy
+  project_deletion_policy        = var.project_deletion_policy
 
   project_labels = {
     environment       = "bootstrap"

0-bootstrap/modules/gitlab-oidc/versions.tf

@@ -20,7 +20,7 @@ terraform {
 
     google = {
       source  = "hashicorp/google"
-      version = ">= 3.64, < 6"
+      version = ">= 3.64, < 7"
     }
   }