Merge branch 'main' into b-416254132-2

Author: seviet

.github/CODEOWNERS

@@ -7,7 +7,7 @@
 /build/                       @terraform-google-modules/terraform-samples-git-admins @terraform-google-modules/cft-admins @terraform-google-modules/cloud-samples-infra
 
 /bigquery/                    @terraform-google-modules/bigquery-terraform-swe @terraform-google-modules/terraform-samples-reviewers
-/cloud_sql/                   @terraform-google-modules/terraform-samples-reviewers
+/cloud_sql/                   @terraform-google-modules/cloudsql-connectivity @terraform-google-modules/terraform-samples-reviewers
 /cloudvpn/                    @terraform-google-modules/dee-infra @terraform-google-modules/terraform-samples-reviewers
 /composer/                    @terraform-google-modules/cloud-dpes-composer @terraform-google-modules/terraform-samples-reviewers
 /compute/                     @terraform-google-modules/dee-infra @terraform-google-modules/terraform-samples-reviewers
@@ -17,8 +17,10 @@
 /looker/                      @terraform-google-modules/cloud-looker-docs @terraform-google-modules/terraform-samples-reviewers
 /media_cdn/                   @terraform-google-modules/dee-infra @terraform-google-modules/terraform-samples-reviewers
 /network_connectivity/        @terraform-google-modules/dee-infra @terraform-google-modules/terraform-samples-reviewers
+/network_security/intercept/  @terraform-google-modules/pm2-team @terraform-google-modules/terraform-samples-reviewers
 /network_security/mirroring/  @terraform-google-modules/pm2-team @terraform-google-modules/terraform-samples-reviewers
 /privateca/                   @terraform-google-modules/dee-infra @terraform-google-modules/terraform-samples-reviewers
+/securitycenter/          @terraform-google-modules/gcp-security-command-center @terraform-google-modules/terraform-samples-reviewers
 /storage/                     @terraform-google-modules/cloud-storage-dpe @terraform-google-modules/terraform-samples-reviewers
 /traffic_director/            @terraform-google-modules/dee-infra @terraform-google-modules/terraform-samples-reviewers
 /vpc/                         @terraform-google-modules/dee-infra @terraform-google-modules/terraform-samples-reviewers

.terraform.lock

@@ -18,7 +18,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
 
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.23
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.25
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
 DOCKER_BIN ?= docker

Makefile

@@ -32,9 +32,9 @@ resource "google_backup_dr_backup_vault" "default" {
     annotations2 = "baz1"
   }
 
-  force_update  = "true"
-  force_delete  = "true"
-  allow_missing = "true"
+  force_update                = "true"
+  ignore_inactive_datasources = "true"
+  allow_missing               = "true"
 }
 
 # [END backupdr_create_backupvault]
@@ -67,3 +67,32 @@ resource "google_backup_dr_backup_plan" "default" {
 }
 
 # [END backupdr_create_backupplan]
+
+# [START backupdr_create_backupplan_disk]
+
+# Before creating a backup plan, you need to create backup vault (google_backup_dr_backup_vault).
+resource "google_backup_dr_backup_plan" "disk_default" {
+  provider       = google-beta
+  location       = "us-central1"
+  backup_plan_id = "my-disk-bp"
+  resource_type  = "compute.googleapis.com/Disk"
+  backup_vault   = google_backup_dr_backup_vault.default.name
+
+  backup_rules {
+    rule_id               = "rule-1"
+    backup_retention_days = 5
+
+    standard_schedule {
+      recurrence_type  = "HOURLY"
+      hourly_frequency = 1
+      time_zone        = "UTC"
+
+      backup_window {
+        start_hour_of_day = 0
+        end_hour_of_day   = 6
+      }
+    }
+  }
+}
+
+# [END backupdr_create_backupplan_disk]

backupdr/backup_plan/main.tf

@@ -53,6 +53,12 @@ resource "google_compute_instance" "default" {
   }
 }
 
+resource "google_compute_disk" "default" {
+  name = "disk-data"
+  type = "pd-standard"
+  zone = "us-central1-a"
+}
+
 resource "google_backup_dr_backup_vault" "default" {
   provider                                   = google-beta
   location                                   = "us-central1"
@@ -70,9 +76,9 @@ resource "google_backup_dr_backup_vault" "default" {
     annotations2 = "baz1"
   }
 
-  force_update  = "true"
-  force_delete  = "true"
-  allow_missing = "true"
+  force_update                = "true"
+  ignore_inactive_datasources = "true"
+  allow_missing               = "true"
 }
 
 resource "google_backup_dr_backup_plan" "default" {
@@ -99,6 +105,30 @@ resource "google_backup_dr_backup_plan" "default" {
   }
 }
 
+resource "google_backup_dr_backup_plan" "disk_default" {
+  provider       = google-beta
+  location       = "us-central1"
+  backup_plan_id = "my-disk-bp"
+  resource_type  = "compute.googleapis.com/Disk"
+  backup_vault   = google_backup_dr_backup_vault.default.name
+
+  backup_rules {
+    rule_id               = "rule-1"
+    backup_retention_days = 5
+
+    standard_schedule {
+      recurrence_type  = "HOURLY"
+      hourly_frequency = 1
+      time_zone        = "UTC"
+
+      backup_window {
+        start_hour_of_day = 0
+        end_hour_of_day   = 6
+      }
+    }
+  }
+}
+
 # [START backupdr_create_backupplanassociation]
 
 # Before creating a backup plan association, you need to create backup plan (google_backup_dr_backup_plan)
@@ -113,3 +143,18 @@ resource "google_backup_dr_backup_plan_association" "default" {
 }
 
 # [END backupdr_create_backupplanassociation]
+
+# [START backupdr_create_backupplanassociation_disk]
+
+# Before creating a backup plan association, you need to create backup plan (google_backup_dr_backup_plan)
+# and compute disk (google_compute_disk or google_compute_region_disk).
+resource "google_backup_dr_backup_plan_association" "disk_association" {
+  provider                   = google-beta
+  location                   = "us-central1"
+  backup_plan_association_id = "my-disk-bpa"
+  resource                   = google_compute_disk.default.id
+  resource_type              = "compute.googleapis.com/Disk"
+  backup_plan                = google_backup_dr_backup_plan.disk_default.name
+}
+
+# [END backupdr_create_backupplanassociation_disk]

backupdr/backup_plan_association/main.tf

@@ -23,7 +23,7 @@ resource "google_backup_dr_backup_vault" "default" {
   description                                = "This vault is created usingTerraform."
   backup_minimum_enforced_retention_duration = "100000s"
   force_update                               = "true"
-  force_delete                               = "true"
+  ignore_inactive_datasources                = "true"
   allow_missing                              = "true"
 }
 

backupdr/backup_vault/main.tf

@@ -0,0 +1,74 @@
+/**
+* Copyright 2025 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+*      http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+
+# [START bigquery_authorized_view_tutorial]
+# Creates an authorized view.
+
+# Create a dataset to contain the view.
+resource "google_bigquery_dataset" "view_dataset" {
+  dataset_id  = "view_dataset"
+  description = "Dataset that contains the view"
+  location    = "us-west1"
+}
+
+# Create the view to authorize.
+resource "google_bigquery_table" "movie_view" {
+  project     = google_bigquery_dataset.view_dataset.project
+  dataset_id  = google_bigquery_dataset.view_dataset.dataset_id
+  table_id    = "movie_view"
+  description = "View to authorize"
+
+  view {
+    query          = "SELECT item_id, avg(rating) FROM `movie_project.movie_dataset.movie_ratings` GROUP BY item_id ORDER BY item_id;"
+    use_legacy_sql = false
+  }
+}
+
+
+# Authorize the view to access the dataset
+# that the query data originates from.
+resource "google_bigquery_dataset_access" "view_authorization" {
+  project    = "movie_project"
+  dataset_id = "movie_dataset"
+
+  view {
+    project_id = google_bigquery_table.movie_view.project
+    dataset_id = google_bigquery_table.movie_view.dataset_id
+    table_id   = google_bigquery_table.movie_view.table_id
+  }
+}
+
+# Specify the IAM policy for principals that can access
+# the authorized view. These users should already
+# have the roles/bigqueryUser role at the project level.
+data "google_iam_policy" "principals_policy" {
+  binding {
+    role = "roles/bigquery.dataViewer"
+    members = [
+      "group:[email protected]",
+    ]
+  }
+}
+
+# Set the IAM policy on the authorized  view.
+resource "google_bigquery_table_iam_policy" "authorized_view_policy" {
+  project     = google_bigquery_table.movie_view.project
+  dataset_id  = google_bigquery_table.movie_view.dataset_id
+  table_id    = google_bigquery_table.movie_view.table_id
+  policy_data = data.google_iam_policy.principals_policy.policy_data
+}
+# [END bigquery_authorized_view_tutorial]

bigquery/bigquery_authorized_view_tutorial/main.tf

@@ -0,0 +1,20 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: blueprints.cloud.google.com/v1alpha1
+kind: BlueprintTest
+metadata:
+  name: bigquery_authorized_view_tutorial
+spec:
+  skip: true

bigquery/bigquery_authorized_view_tutorial/test.yaml

@@ -35,12 +35,13 @@ steps:
       cat _changed_folders
 
       # Do not prune if changing tests themselves
-      while read d; do
-        if [[ "build test .github" =~ "${d%/}" ]]; then
-          echo "Infrastructure folder ${d%/} has changed; no tests will be pruned."
+      set +e
+      _build_changes=$(git diff origin/main build test .github/workflows)
+      set -e
+      if [[ -n "${_build_changes}" ]]; then
+          echo "Infrastructure folders have changed; no tests will be pruned."
           exit 0 # do not prune
-        fi
-      done < _changed_folders
+      fi
 
       # Remove base folders without changes
       for d in *; do
@@ -63,6 +64,21 @@ steps:
       echo -n "Folders in scope for tests:"
       find . -type d -printf '%P\n'
 
+- id: resource specific fixups
+  name: golang:1.23
+  entrypoint: bash
+  args:
+    - -c
+    - |
+      set -e
+      go install github.com/minamijoyo/[email protected]
+
+      # Add `deletion_protection = false` to google_container_cluster.default resources
+      find ./gke -name "*.tf" -print | xargs -t -I {} $$GOPATH/bin/hcledit attribute append resource.google_container_cluster.default.deletion_protection 'false' -u -f {} || true
+
+      # Add `deletion_protection = false` to google_sql_database_instance.default resources
+      find ./cloud_sql -name "*.tf" -print | xargs -t -I {} $$GOPATH/bin/hcledit attribute append resource.google_sql_database_instance.default.deletion_protection 'false' -u -f {} || true
+
 - id: prepare
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && prepare_environment']
@@ -105,4 +121,4 @@ tags:
 - 'integration'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.23'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.25'

build/int.cloudbuild.yaml

@@ -22,4 +22,4 @@ tags:
 - 'lint'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.23'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.25'