Merge branch 'main' into fix-root-ca-sample

Author: glasnt

.github/CODEOWNERS

@@ -2,7 +2,10 @@
 
 *                       @terraform-google-modules/terraform-samples-git-admins @terraform-google-modules/terraform-samples-reviewers
 /.github/               @terraform-google-modules/terraform-samples-git-admins
+/test/                  @terraform-google-modules/terraform-samples-git-admins @terraform-google-modules/cft-admins
+/build/                 @terraform-google-modules/terraform-samples-git-admins @terraform-google-modules/cft-admins
 /bigquery/              @terraform-google-modules/bigquery-terraform-swe @terraform-google-modules/terraform-samples-reviewers
+/cloud_scheduler/       @terraform-google-modules/terraform-samples-reviewers
 /cloud_sql/             @terraform-google-modules/infra-db-sdk @terraform-google-modules/terraform-samples-reviewers
 /cloudvpn/              @terraform-google-modules/dee-infra @terraform-google-modules/terraform-samples-reviewers
 /composer/              @terraform-google-modules/cloud-dpes-composer @terraform-google-modules/terraform-samples-reviewers

Makefile

@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2022-2024 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -18,8 +18,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
 
-# Pin to 1.3.9 per https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/issues/1208
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.19
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.20
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
 DOCKER_BIN ?= docker
@@ -70,6 +69,7 @@ docker_test_integration:
 .PHONY: docker_test_lint
 docker_test_lint:
 	$(DOCKER_BIN) run --rm -it \
+		-e ENABLE_PARALLEL=1 \
 		-v "$(CURDIR)":/workspace \
 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
 		/usr/local/bin/test_lint.sh

application_integration/create_auth_config/main.tf

@@ -0,0 +1,167 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+provider "google" {}
+
+# [START application_integration_create_auth_config_auth_token]
+resource "google_integrations_client" "client" {
+  location = "us-central1"
+}
+
+resource "google_integrations_auth_config" "auth_config_auth_token" {
+  location     = "us-central1"
+  display_name = "tf-auth-token"
+  description  = "Test auth config created via terraform"
+  decrypted_credential {
+    credential_type = "AUTH_TOKEN"
+    auth_token {
+      type  = "Basic"
+      token = "some-random-token"
+    }
+  }
+  depends_on = [google_integrations_client.client]
+}
+# [END application_integration_create_auth_config_auth_token]
+
+# [START application_integration_create_auth_config_certificate]
+resource "google_integrations_auth_config" "auth_config_certificate" {
+  location     = "us-central1"
+  display_name = "tf-certificate"
+  description  = "Test auth config created via terraform"
+  decrypted_credential {
+    credential_type = "CLIENT_CERTIFICATE_ONLY"
+  }
+  client_certificate {
+    ssl_certificate       = <<EOT
+-----BEGIN CERTIFICATE-----
+MIICTTCCAbagAwIBAgIJAPT0tSKNxan/MA0GCSqGSIb3DQEBCwUAMCoxFzAVBgNV
+BAoTDkdvb2dsZSBURVNUSU5HMQ8wDQYDVQQDEwZ0ZXN0Q0EwHhcNMTUwMTAxMDAw
+MDAwWhcNMjUwMTAxMDAwMDAwWjAuMRcwFQYDVQQKEw5Hb29nbGUgVEVTVElORzET
+MBEGA1UEAwwKam9lQGJhbmFuYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+vDYFgMgxi5W488d9J7UpCInl0NXmZQpJDEHE4hvkaRlH7pnC71H0DLt0/3zATRP1
+JzY2+eqBmbGl4/sgZKYv8UrLnNyQNUTsNx1iZAfPUflf5FwgVsai8BM0pUciq1NB
+xD429VFcrGZNucvFLh72RuRFIKH8WUpiK/iZNFkWhZ0CAwEAAaN3MHUwDgYDVR0P
+AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB
+Af8EAjAAMBkGA1UdDgQSBBCVgnFBCWgL/iwCqnGrhTPQMBsGA1UdIwQUMBKAEKey
+Um2o4k2WiEVA0ldQvNYwDQYJKoZIhvcNAQELBQADgYEAYK986R4E3L1v+Q6esBtW
+JrUwA9UmJRSQr0N5w3o9XzarU37/bkjOP0Fw0k/A6Vv1n3vlciYfBFaBIam1qRHr
+5dMsYf4CZS6w50r7hyzqyrwDoyNxkLnd2PdcHT/sym1QmflsjEs7pejtnohO6N2H
+wQW6M0H7Zt8claGRla4fKkg=
+-----END CERTIFICATE-----
+EOT
+    encrypted_private_key = <<EOT
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCA/Oj2HXqs5fTk
+j/8DrlOQtLG3K9RMsYHvnwICLxkGqVcTfut58hDFLbQM8C3C0ENAKitNJplCJmYG
+8VpgZzgq8VxaGnlP/sXUFLMGksd5sATn0sY3SkPndTKk/dqqA4MIh/dYfh19ynEN
+hB9Ll/h54Yic2je2Qaxe/uMMu8RODTz3oCn7FcoYpPvfygfU0ntn4IcqH/hts5DG
+s+3otJk4entRZglQDxR+sWOsbLtJIQZDP8rH3jDVdl5l3wspgtMTY8b5T5+pLm0p
+/OzCmxT0dq/O6BhpxI1xf/zcdRZeWk5DTJxTi5AgPquTlAG/B6A3HkqBJ14hT/Rk
+iv7Ma3DLAgMBAAECggEABATkf9VfpiAT9zYdouk50bBpckvymQTyQLD8SlBaX+KY
+kgv/pHSXK4Pm4iensrQerFLgfqPA3U+FiqjW5Mv7c1VRK6HJbuVkpdzoXLI9IQsL
+vsBY7//9Ajk5P7NokjdB6JPdU/2dHROuQVa59cxPtzpHo0htnPlDOKXfFZZuoZ17
+Nr8WQHrHy8P8ABM1tLOzvU9Nlh7TcjQvev+HxkLek4qzYyJ/Ac7XOjg/XKUm1tZk
+O3BHr8YLabwyjO7l1t+2b14rUTL/8pfUZnAkEi3FAlPxm3ilftmX65zliC9G4ghk
+dr5PByT3DqnuIIglua9bISv1H34ogecd+9a6EU7RxQKBgQC2RPKLounXZo8vYiU4
+sFTEvjbs+u9Ypk4OrNLnb8KdacLBUaJGnf++xbBoKpwFCBJfy//fvuQfusYF9Gyn
+GxL43tw94C/H5upQYnDsmnQak6TbOu3mA24OGK7Rcq6NEHgeCY4HomutnSiPTZJq
+8jlpqgqh1itETe5avgkMNq3zBwKBgQC1KlztGzvbB+rUDc6Kfvk5pUbCSFKMMMa2
+NWNXeD6i2iA56zEYSbTjKQ3u9pjUV8LNqAdUFxmbdPxZjheNK2dEm68SVRXPKOeB
+EmQT+t/EyW9LqBEA2oZt3h2hXtK8ppJjQm4XUCDs1NphP87eNzx5FLzJWjG8VqDq
+jOvApNqPHQKBgDQqlZSbgvvwUYjJOUf5R7mri0LWKwyfRHX0xsQQe43cCC6WM7Cs
+Zdbu86dMkqzp+4BJfalHFDl0llp782D8Ybiy6CwZbvNyxptNIW7GYfZ9TVCllBMh
+5izIqbgub4DWNtq591l+Bf2BnmstU3uiagYw8awSBP4eo9p6y1IgkDafAoGBAJbi
+lIiqEP0IqA06/pWc0Qew3rD7OT0ndqjU6Es2i7xovURf3QDkinJThBZNbdYUzdsp
+IgloP9yY33/a90SNLLIYlARJtyNVZxK59X4qiOpF9prlfFvgpOumfbkj15JljTB8
+aGKkSvfVA5jRYwLysDwMCHwO0bOR1u3itos5AgsFAoGAKEGms1kuQ5/HyFgSmg9G
+wBUzu+5Y08/A37rvyXsR6GjmlZJvULEopJNUNCOOpITNQikXK63sIFry7/59eGv5
+UwKadZbfwbVF5ipu59UxfVE3lipf/mYePDqMkHVWv/8p+OnnJt9uKnyW8VSOu5uk
+82QF30zbIWDTUjrcugVAs+E=
+-----END PRIVATE KEY-----
+EOT
+  }
+  depends_on = [google_integrations_client.client]
+}
+# [END application_integration_create_auth_config_certificate]
+
+# [START application_integration_create_auth_config_jwt]
+resource "google_integrations_auth_config" "auth_config_jwt" {
+  location     = "us-central1"
+  display_name = "tf-jwt"
+  description  = "Test auth config created via terraform"
+  decrypted_credential {
+    credential_type = "JWT"
+    jwt {
+      jwt_header  = "{\"alg\": \"HS256\", \"typ\": \"JWT\"}"
+      jwt_payload = "{\"sub\": \"1234567890\", \"name\": \"John Doe\", \"iat\": 1516239022}"
+      secret      = "secret"
+    }
+  }
+  depends_on = [google_integrations_client.client]
+}
+# [END application_integration_create_auth_config_jwt]
+
+# [START application_integration_create_auth_config_oauth2_authorization_code]
+resource "google_integrations_auth_config" "auth_config_oauth2_authorization_code" {
+  location     = "us-central1"
+  display_name = "tf-oauth2-authorization-code"
+  description  = "Test auth config created via terraform"
+  decrypted_credential {
+    credential_type = "OAUTH2_AUTHORIZATION_CODE"
+    oauth2_authorization_code {
+      client_id      = "Kf7utRvgr95oGO5YMmhFOLo8"
+      client_secret  = "D-XXFDDMLrg2deDgczzHTBwC3p16wRK1rdKuuoFdWqO0wliJ"
+      scope          = "photo offline_access"
+      auth_endpoint  = "https://authorization-server.com/authorize"
+      token_endpoint = "https://authorization-server.com/token"
+    }
+  }
+  depends_on = [google_integrations_client.client]
+}
+# [END application_integration_create_auth_config_oauth2_authorization_code]
+
+# [START application_integration_create_auth_config_oauth2_client_credentials]
+resource "google_integrations_auth_config" "auth_config_oauth2_client_credentials" {
+  location     = "us-central1"
+  display_name = "tf-oauth2-client-credentials"
+  description  = "Test auth config created via terraform"
+  decrypted_credential {
+    credential_type = "OAUTH2_CLIENT_CREDENTIALS"
+    oauth2_client_credentials {
+      client_id      = "demo-backend-client"
+      client_secret  = "MJlO3binatD9jk1"
+      scope          = "read"
+      token_endpoint = "https://login-demo.curity.io/oauth/v2/oauth-token"
+      request_type   = "ENCODED_HEADER"
+      token_params {
+        entries {
+          key {
+            literal_value {
+              string_value = "string-key"
+            }
+          }
+          value {
+            literal_value {
+              string_value = "string-value"
+            }
+          }
+        }
+      }
+    }
+  }
+  depends_on = [google_integrations_client.client]
+}
+# [END application_integration_create_auth_config_oauth2_client_credentials]

application_integration/provision_region/main.tf

@@ -0,0 +1,57 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+data "google_project" "default" {
+}
+
+# [START application_integration_edit_region]
+resource "random_id" "default" {
+  byte_length = 8
+}
+
+resource "google_kms_key_ring" "default" {
+  name     = "${random_id.default.hex}-example-keyring"
+  location = "us-east1"
+}
+
+resource "google_kms_crypto_key" "default" {
+  name            = "crypto-key-example"
+  key_ring        = google_kms_key_ring.default.id
+  rotation_period = "7776000s"
+}
+
+resource "google_kms_crypto_key_version" "default" {
+  crypto_key = google_kms_crypto_key.default.id
+}
+
+resource "google_service_account" "default" {
+  account_id   = "service-account-id"
+  display_name = "Service Account"
+}
+
+resource "google_integrations_client" "example" {
+  location                   = "us-east1"
+  create_sample_integrations = true
+  run_as_service_account     = google_service_account.default.email
+  cloud_kms_config {
+    kms_location   = "us-east1"
+    kms_ring       = google_kms_key_ring.default.id
+    key            = google_kms_crypto_key.default.id
+    key_version    = google_kms_crypto_key_version.default.id
+    kms_project_id = data.google_project.default.project_id
+  }
+}
+# [END application_integration_edit_region]

build/int.cloudbuild.yaml

@@ -12,14 +12,15 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-timeout: 14400s
+timeout: 21600s
 steps:
 - id: prune unchanged directories
   name: gcr.io/cloud-builders/git
   entrypoint: bash
   args:
     - -c
     - |
+      set -e
       # If this is a periodic tests, skip the pruning and run all tests
       if [[ "$_PERIODIC" == "true" ]]; then
         echo "_PERIODIC is true, running all tests."
@@ -29,11 +30,26 @@ steps:
       git fetch --unshallow
       git diff origin/${_BASE_BRANCH} --name-only > _changed_files
       sed 's/\/.*/\//' _changed_files > _changed_folders
+
+      # Do not prune if changing tests themselves
+      _INFRA_FOLDERS="build test .github"
+      for d in _changed_folders; do
+        if [[ "${_INFRA_FOLDERS}" =~ "$d" ]]; then
+          echo "Infrastructure folders have changed; no tests will be pruned."
+          exit 0 # do not prune
+        fi
+      done
+
       for d in */; do
           if ! grep -q "^$d" _changed_folders && [[ "$d" != "test/" ]]; then
             rm -rf $d;
           fi
       done
+
+      # Report remaining folders
+      echo Folders in scope for tests:
+      for d in */; do echo $d; done
+
 - id: prepare
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && prepare_environment']
@@ -76,4 +92,4 @@ tags:
 - 'integration'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.19'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.20'

build/lint.cloudbuild.yaml

@@ -22,4 +22,4 @@ tags:
 - 'lint'
 substitutions:
   _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
-  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.19'
+  _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.20'

cloud_scheduler/basic/main.tf

@@ -0,0 +1,63 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/*
+Create a cron job using Cloud Scheduler
+See https://cloud.google.com/scheduler/docs/schedule-run-cron-job-terraform
+before running the code snippet.
+*/
+
+# [START cloudscheduler_terraform_basic_enableapis]
+# Enable Cloud Scheduler API
+resource "google_project_service" "scheduler" {
+  service            = "cloudscheduler.googleapis.com"
+  disable_on_destroy = false
+}
+# Enable Pub/Sub API
+resource "google_project_service" "pubsub" {
+  service            = "pubsub.googleapis.com"
+  disable_on_destroy = false
+}
+# [END cloudscheduler_terraform_basic_enableapis]
+
+# [START cloudscheduler_terraform_basic_pubsub_topic]
+# Create Pub/Sub topic
+resource "google_pubsub_topic" "default" {
+  name = "pubsub_topic"
+}
+# [END cloudscheduler_terraform_basic_pubsub_topic]
+
+# [START cloudscheduler_terraform_basic_pubsub_subscription]
+# Create Pub/Sub subscription
+resource "google_pubsub_subscription" "default" {
+  name  = "pubsub_subscription"
+  topic = google_pubsub_topic.default.name
+}
+# [END cloudscheduler_terraform_basic_pubsub_subscription]
+
+# [START cloudscheduler_terraform_basic_job]
+# Create a cron job using Cloud Scheduler
+resource "google_cloud_scheduler_job" "default" {
+  name        = "test-job"
+  description = "test job"
+  schedule    = "30 16 * * 7"
+  region      = "us-central1"
+
+  pubsub_target {
+    topic_name = google_pubsub_topic.default.id
+    data       = base64encode("Hello world!")
+  }
+}
+# [END cloudscheduler_terraform_basic_job]

compute/region_autoscaler_basic/main.tf

@@ -53,13 +53,7 @@ resource "google_compute_instance_template" "foobar" {
   # To avoid embedding secret keys or user credentials in the instances, Google recommends that you use custom service accounts with the following access scopes.
   service_account {
     scopes = [
-      "https://www.googleapis.com/auth/devstorage.read_only",
-      "https://www.googleapis.com/auth/logging.write",
-      "https://www.googleapis.com/auth/monitoring.write",
-      "https://www.googleapis.com/auth/pubsub",
-      "https://www.googleapis.com/auth/service.management.readonly",
-      "https://www.googleapis.com/auth/servicecontrol",
-      "https://www.googleapis.com/auth/trace.append",
+      "https://www.googleapis.com/auth/cloud-platform"
     ]
   }
 }