diff --git a/0-bootstrap/README.md b/0-bootstrap/README.md index 2d2982765..afc92af12 100644 --- a/0-bootstrap/README.md +++ b/0-bootstrap/README.md @@ -533,6 +533,7 @@ The following steps will guide you through deploying without using Cloud Build. | parent\_folder | Optional - for an organization with existing projects or for development/validation. It will place all the example foundation resources under the provided folder instead of the root organization. The value is the numeric folder ID. The folder must already exist. | `string` | `""` | no | | project\_deletion\_policy | The deletion policy for the project created. | `string` | `"PREVENT"` | no | | project\_prefix | Name prefix to use for projects created. Should be the same in all steps. Max size is 3 characters. | `string` | `"prj"` | no | +| workflow\_deletion\_protection | Whether Terraform will be prevented from destroying a workflow. When the field is set to true or unset in Terraform state, a `terraform apply` or `terraform destroy` that would delete the workflow will fail. When the field is set to false, deleting the workflow is allowed. | `bool` | `true` | no | ## Outputs diff --git a/0-bootstrap/cb.tf b/0-bootstrap/cb.tf index 27ca53163..8707e2ed3 100644 --- a/0-bootstrap/cb.tf +++ b/0-bootstrap/cb.tf @@ -68,7 +68,7 @@ resource "random_string" "suffix" { module "gcp_projects_state_bucket" { source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket" - version = "~> 8.0" + version = "~> 9.0" name = "${var.bucket_prefix}-${module.seed_bootstrap.seed_project_id}-gcp-projects-tfstate" project_id = module.seed_bootstrap.seed_project_id @@ -84,7 +84,7 @@ module "gcp_projects_state_bucket" { module "tf_source" { source = "terraform-google-modules/bootstrap/google//modules/tf_cloudbuild_source" - version = "~> 9.0" + version = "~> 11.0" org_id = var.org_id folder_id = google_folder.bootstrap.id 
@@ -164,7 +164,7 @@ module "tf_private_pool" { module "tf_cloud_builder" { source = "terraform-google-modules/bootstrap/google//modules/tf_cloudbuild_builder" - version = "~> 9.0" + version = "~> 11.0" project_id = module.tf_source.cloudbuild_project_id dockerfile_repo_uri = module.tf_source.csr_repos[local.cloudbuilder_repo].url @@ -177,6 +177,7 @@ module "tf_cloud_builder" { enable_worker_pool = true worker_pool_id = module.tf_private_pool.private_worker_pool_id bucket_name = "${var.bucket_prefix}-${module.tf_source.cloudbuild_project_id}-tf-cloudbuilder-build-logs" + workflow_deletion_protection = var.workflow_deletion_protection } module "bootstrap_csr_repo" { @@ -215,7 +216,7 @@ module "build_terraform_image" { module "tf_workspace" { source = "terraform-google-modules/bootstrap/google//modules/tf_cloudbuild_workspace" - version = "~> 9.0" + version = "~> 11.0" for_each = local.granular_sa project_id = module.tf_source.cloudbuild_project_id diff --git a/0-bootstrap/github.tf.example b/0-bootstrap/github.tf.example index b08406844..2fa6fce3b 100644 --- a/0-bootstrap/github.tf.example +++ b/0-bootstrap/github.tf.example @@ -70,7 +70,7 @@ locals { module "gh_cicd" { source = "terraform-google-modules/project-factory/google" - version = "~> 17.0" + version = "~> 18.0" name = "${var.project_prefix}-b-cicd-wif-gh" random_project_id = true @@ -120,7 +120,7 @@ resource "google_service_account_iam_member" "self_impersonate" { module "gcp_projects_state_bucket" { source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket" - version = "~> 8.0" + version = "~> 9.0" name = "${var.bucket_prefix}-${module.seed_bootstrap.seed_project_id}-gcp-projects-tfstate" project_id = module.seed_bootstrap.seed_project_id diff --git a/0-bootstrap/gitlab.tf.example b/0-bootstrap/gitlab.tf.example index 1f0346cfc..afd5fd77c 100644 --- a/0-bootstrap/gitlab.tf.example +++ b/0-bootstrap/gitlab.tf.example 
@@ -81,7 +81,7 @@ provider "gitlab" { module "gitlab_cicd" { source = "terraform-google-modules/project-factory/google" - version = "~> 17.0" + version = "~> 18.0" name = "${var.project_prefix}-b-cicd-wif-gl" random_project_id = true diff --git a/0-bootstrap/main.tf b/0-bootstrap/main.tf index 17bc985e5..44ca2faf0 100644 --- a/0-bootstrap/main.tf +++ b/0-bootstrap/main.tf @@ -45,7 +45,7 @@ resource "google_folder" "bootstrap" { module "seed_bootstrap" { source = "terraform-google-modules/bootstrap/google" - version = "~> 9.0" + version = "~> 11.0" org_id = var.org_id folder_id = google_folder.bootstrap.id diff --git a/0-bootstrap/modules/cb-private-pool/network.tf b/0-bootstrap/modules/cb-private-pool/network.tf index 308f56a9f..ea5546675 100644 --- a/0-bootstrap/modules/cb-private-pool/network.tf +++ b/0-bootstrap/modules/cb-private-pool/network.tf @@ -20,7 +20,7 @@ locals { module "peered_network" { source = "terraform-google-modules/network/google" - version = "~> 9.0" + version = "~> 10.0" count = var.private_worker_pool.create_peered_network ? 1 : 0 project_id = var.project_id @@ -90,7 +90,7 @@ resource "google_compute_network_peering_routes_config" "peering_routes" { module "firewall_rules" { source = "terraform-google-modules/network/google//modules/firewall-rules" - version = "~> 9.0" + version = "~> 10.0" count = var.private_worker_pool.enable_network_peering ? 1 : 0 project_id = var.project_id diff --git a/0-bootstrap/modules/jenkins-agent/main.tf b/0-bootstrap/modules/jenkins-agent/main.tf index c9651b743..bc42e994b 100644 --- a/0-bootstrap/modules/jenkins-agent/main.tf +++ b/0-bootstrap/modules/jenkins-agent/main.tf @@ -29,7 +29,7 @@ resource "random_id" "suffix" { *******************************************/ module "cicd_project" { source = "terraform-google-modules/project-factory/google" - version = "~> 17.0" + version = "~> 18.0" name = local.cicd_project_name random_project_id = true 
@@ -130,8 +130,9 @@ resource "google_tags_tag_value" "jenkins_agents" { } module "jenkins_firewall_rules" { - source = "terraform-google-modules/network/google//modules/network-firewall-policy" - version = "~> 9.0" + source = "terraform-google-modules/network/google//modules/network-firewall-policy" + version = "~> 10.0" + project_id = module.cicd_project.project_id policy_name = "fp-${google_compute_network.jenkins_agents.name}-jenkins-firewall" description = "Jenkins Agent GCE network firewall rules." diff --git a/0-bootstrap/modules/tfc-agent-gke/main.tf b/0-bootstrap/modules/tfc-agent-gke/main.tf index 2e631e3fd..bbef96dfd 100644 --- a/0-bootstrap/modules/tfc-agent-gke/main.tf +++ b/0-bootstrap/modules/tfc-agent-gke/main.tf @@ -34,7 +34,7 @@ resource "random_string" "suffix" { module "network" { source = "terraform-google-modules/network/google" - version = "~> 9.0" + version = "~> 10.0" project_id = var.project_id network_name = var.network_name @@ -96,7 +96,7 @@ resource "google_service_account" "tfc_agent_service_account" { module "tfc_agent_cluster" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-private-cluster/" - version = "~> 34.0" + version = "~> 36.0" project_id = var.project_id region = var.region @@ -372,7 +372,7 @@ resource "google_compute_firewall" "allow_private_api_egress" { module "private_service_connect" { source = "terraform-google-modules/network/google//modules/private-service-connect" - version = "~> 9.1" + version = "~> 10.0" project_id = var.project_id dns_code = "dz-${local.vpc_name}" @@ -394,7 +394,7 @@ resource "google_dns_policy" "default_policy" { module "hub" { source = "terraform-google-modules/kubernetes-engine/google//modules/fleet-membership" - version = "~> 34.0" + version = "~> 36.0" project_id = var.project_id location = var.region diff --git a/0-bootstrap/terraform_cloud.tf.example b/0-bootstrap/terraform_cloud.tf.example index 27d9e05a8..43aa54a2a 100644 
--- a/0-bootstrap/terraform_cloud.tf.example +++ b/0-bootstrap/terraform_cloud.tf.example @@ -230,7 +230,7 @@ resource "tfe_run_trigger" "projects_bu2_shared_production" { module "tfc_cicd" { source = "terraform-google-modules/project-factory/google" - version = "~> 17.0" + version = "~> 18.0" name = "${var.project_prefix}-b-cicd-wif-tfc" random_project_id = true diff --git a/0-bootstrap/variables.tf b/0-bootstrap/variables.tf index 599ca7e4a..a2ceeded4 100644 --- a/0-bootstrap/variables.tf +++ b/0-bootstrap/variables.tf @@ -108,6 +108,12 @@ variable "folder_deletion_protection" { default = true } +variable "workflow_deletion_protection" { + description = "Whether Terraform will be prevented from destroying a workflow. When the field is set to true or unset in Terraform state, a `terraform apply` or `terraform destroy` that would delete the workflow will fail. When the field is set to false, deleting the workflow is allowed." + type = bool + default = true +} + /* ---------------------------------------- Specific to Groups creation ---------------------------------------- */ diff --git a/0-bootstrap/versions.tf b/0-bootstrap/versions.tf index 17dac8a60..348361fe5 100644 --- a/0-bootstrap/versions.tf +++ b/0-bootstrap/versions.tf @@ -20,13 +20,13 @@ terraform { google = { // version 4.31.0 removed because of issue https://github.com/hashicorp/terraform-provider-google/issues/12226 source = "hashicorp/google" - version = ">= 3.50, != 4.31.0, <= 6.10" + version = ">= 3.50, != 4.31.0, < 7.0" } google-beta = { // version 4.31.0 removed because of issue https://github.com/hashicorp/terraform-provider-google/issues/12226 source = "hashicorp/google-beta" - version = ">= 3.50, != 4.31.0, <= 6.10" + version = ">= 3.50, != 4.31.0, < 7.0" } // Un-comment gitlab required_providers when using gitlab CI/CD diff --git a/1-org/envs/shared/org_policy.tf b/1-org/envs/shared/org_policy.tf index 5c43dbbc1..08ea8acda 100644 --- a/1-org/envs/shared/org_policy.tf 
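Review bot: The provider constraint in the versions.tf hunk moves from a fixed ceiling (`<= 6.10`) to an open one (`< 7.0`) for both `google` and `google-beta`, so a fresh `terraform init` now resolves to whatever the newest 6.x release is on that day unless a `.terraform.lock.hcl` is committed alongside, and nothing in this diff shows one. For a configuration that bootstraps org-level IAM, Cloud Build and the foundation-deployer can then end up running a provider release that was never validated with these modules, which is a supply-chain drift worth closing. Either commit the lock file (generated with `terraform providers lock` for the platform the builder runs on) or keep a tested ceiling at the exact 6.x release this change was validated against, raising it deliberately on each re-validation. The `>= 3.50` floor is presumably superseded by the bumped modules' own requirements, so a short comment stating which provider range was actually tested would help the next reader more than the wide constraint does.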
+++ b/1-org/envs/shared/org_policy.tf @@ -46,7 +46,7 @@ locals { module "organization_policies_type_boolean" { source = "terraform-google-modules/org-policy/google" - version = "~> 5.1" + version = "~> 7.0" for_each = local.boolean_type_organization_policies organization_id = local.organization_id @@ -63,7 +63,7 @@ module "organization_policies_type_boolean" { module "org_vm_external_ip_access" { source = "terraform-google-modules/org-policy/google" - version = "~> 5.1" + version = "~> 7.0" organization_id = local.organization_id folder_id = local.folder_id @@ -75,7 +75,7 @@ module "org_vm_external_ip_access" { module "restrict_protocol_fowarding" { source = "terraform-google-modules/org-policy/google" - version = "~> 5.1" + version = "~> 7.0" organization_id = local.organization_id folder_id = local.folder_id @@ -99,7 +99,7 @@ resource "time_sleep" "wait_logs_export" { module "org_domain_restricted_sharing" { source = "terraform-google-modules/org-policy/google//modules/domain_restricted_sharing" - version = "~> 5.1" + version = "~> 7.0" organization_id = local.organization_id folder_id = local.folder_id @@ -117,7 +117,7 @@ module "org_domain_restricted_sharing" { module "domain_restricted_contacts" { source = "terraform-google-modules/org-policy/google" - version = "~> 5.1" + version = "~> 7.0" organization_id = local.organization_id folder_id = local.folder_id @@ -134,7 +134,7 @@ module "domain_restricted_contacts" { module "allowed_worker_pools" { source = "terraform-google-modules/org-policy/google" - version = "~> 5.1" + version = "~> 7.0" count = var.enforce_allowed_worker_pools && local.cloud_build_private_worker_pool_id != "" ? 1 : 0 organization_id = local.organization_id diff --git a/1-org/envs/shared/projects.tf b/1-org/envs/shared/projects.tf index 2cf27b963..be2ee3f1f 100644 --- a/1-org/envs/shared/projects.tf +++ b/1-org/envs/shared/projects.tf 
@@ -34,7 +34,7 @@ locals { module "org_audit_logs" { source = "terraform-google-modules/project-factory/google" - version = "~> 17.0" + version = "~> 18.0" random_project_id = true random_project_id_length = 4 @@ -68,7 +68,7 @@ module "org_audit_logs" { module "org_billing_export" { source = "terraform-google-modules/project-factory/google" - version = "~> 17.0" + version = "~> 18.0" random_project_id = true random_project_id_length = 4 @@ -102,7 +102,7 @@ module "org_billing_export" { module "common_kms" { source = "terraform-google-modules/project-factory/google" - version = "~> 17.0" + version = "~> 18.0" random_project_id = true random_project_id_length = 4 @@ -137,7 +137,7 @@ module "common_kms" { module "org_secrets" { source = "terraform-google-modules/project-factory/google" - version = "~> 17.0" + version = "~> 18.0" random_project_id = true random_project_id_length = 4 @@ -171,7 +171,7 @@ module "org_secrets" { module "interconnect" { source = "terraform-google-modules/project-factory/google" - version = "~> 17.0" + version = "~> 18.0" random_project_id = true random_project_id_length = 4 @@ -205,7 +205,7 @@ module "interconnect" { module "scc_notifications" { source = "terraform-google-modules/project-factory/google" - version = "~> 17.0" + version = "~> 18.0" random_project_id = true random_project_id_length = 4 @@ -239,7 +239,7 @@ module "scc_notifications" { module "dns_hub" { source = "terraform-google-modules/project-factory/google" - version = "~> 17.0" + version = "~> 18.0" random_project_id = true random_project_id_length = 4 @@ -281,7 +281,7 @@ module "dns_hub" { module "base_network_hub" { source = "terraform-google-modules/project-factory/google" - version = "~> 17.0" + version = "~> 18.0" count = var.enable_hub_and_spoke ? 1 : 0 random_project_id = true 
@@ -332,7 +332,7 @@ resource "google_project_iam_member" "network_sa_base" { module "restricted_network_hub" { source = "terraform-google-modules/project-factory/google" - version = "~> 17.0" + version = "~> 18.0" count = var.enable_hub_and_spoke ? 1 : 0 random_project_id = true diff --git a/1-org/modules/cai-monitoring/main.tf b/1-org/modules/cai-monitoring/main.tf index 8a76ab17d..353af6f0c 100644 --- a/1-org/modules/cai-monitoring/main.tf +++ b/1-org/modules/cai-monitoring/main.tf @@ -71,7 +71,7 @@ data "archive_file" "function_source_zip" { module "cloudfunction_source_bucket" { source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket" - version = "~> 8.0" + version = "~> 9.0" project_id = var.project_id name = "bkt-cai-monitoring-${random_id.suffix.hex}-sources-${data.google_project.project.number}" diff --git a/1-org/modules/network/main.tf b/1-org/modules/network/main.tf index d1b22bd52..7e3ac03d4 100644 --- a/1-org/modules/network/main.tf +++ b/1-org/modules/network/main.tf @@ -20,7 +20,7 @@ module "base_shared_vpc_host_project" { source = "terraform-google-modules/project-factory/google" - version = "~> 17.0" + version = "~> 18.0" random_project_id = true random_project_id_length = 4 @@ -57,7 +57,7 @@ module "base_shared_vpc_host_project" { module "restricted_shared_vpc_host_project" { source = "terraform-google-modules/project-factory/google" - version = "~> 17.0" + version = "~> 18.0" random_project_id = true random_project_id_length = 4 diff --git a/2-environments/modules/env_baseline/kms.tf b/2-environments/modules/env_baseline/kms.tf index 01dc42f26..1514991c1 100644 --- a/2-environments/modules/env_baseline/kms.tf +++ b/2-environments/modules/env_baseline/kms.tf @@ -21,7 +21,7 @@ module "env_kms" { source = "terraform-google-modules/project-factory/google" - version = "~> 17.0" + version = "~> 18.0" random_project_id = true random_project_id_length = 4 
diff --git a/2-environments/modules/env_baseline/secrets.tf b/2-environments/modules/env_baseline/secrets.tf index 6ff24a4ec..7b04f93ee 100644 --- a/2-environments/modules/env_baseline/secrets.tf +++ b/2-environments/modules/env_baseline/secrets.tf @@ -21,7 +21,7 @@ module "env_secrets" { source = "terraform-google-modules/project-factory/google" - version = "~> 17.0" + version = "~> 18.0" random_project_id = true random_project_id_length = 4 diff --git a/3-networks-dual-svpc/envs/shared/dns-hub.tf b/3-networks-dual-svpc/envs/shared/dns-hub.tf index 10ffa7084..4c1a5f0d2 100644 --- a/3-networks-dual-svpc/envs/shared/dns-hub.tf +++ b/3-networks-dual-svpc/envs/shared/dns-hub.tf @@ -20,7 +20,7 @@ module "dns_hub_vpc" { source = "terraform-google-modules/network/google" - version = "~> 9.0" + version = "~> 10.0" project_id = local.dns_hub_project_id network_name = "vpc-net-dns" diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/firewall.tf b/3-networks-dual-svpc/modules/base_shared_vpc/firewall.tf index 23ba8ccae..57764a609 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/firewall.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/firewall.tf @@ -18,8 +18,9 @@ Mandatory and optional firewall rules *****************************************/ module "firewall_rules" { - source = "terraform-google-modules/network/google//modules/network-firewall-policy" - version = "~> 9.0" + source = "terraform-google-modules/network/google//modules/network-firewall-policy" + version = "~> 10.0" + project_id = var.project_id policy_name = "fp-${var.environment_code}-dual-svpc-base-firewalls" description = "Firewall rules for base dual shared vpc: ${module.main.network_name}." diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/main.tf b/3-networks-dual-svpc/modules/base_shared_vpc/main.tf index 25fb01aa3..31e3d7763 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/main.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/main.tf 
@@ -26,7 +26,7 @@ locals { module "main" { source = "terraform-google-modules/network/google" - version = "~> 9.0" + version = "~> 10.0" project_id = var.project_id network_name = local.network_name diff --git a/3-networks-dual-svpc/modules/base_shared_vpc/private_service_connect.tf b/3-networks-dual-svpc/modules/base_shared_vpc/private_service_connect.tf index 617c93930..0052c3009 100644 --- a/3-networks-dual-svpc/modules/base_shared_vpc/private_service_connect.tf +++ b/3-networks-dual-svpc/modules/base_shared_vpc/private_service_connect.tf @@ -17,7 +17,7 @@ module "private_service_connect" { source = "terraform-google-modules/network/google//modules/private-service-connect" - version = "~> 9.1" + version = "~> 10.0" project_id = var.project_id dns_code = "dz-${var.environment_code}-shared-base" diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/firewall.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/firewall.tf index 53ee7c453..3e35b3d7c 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/firewall.tf +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/firewall.tf @@ -19,8 +19,9 @@ Mandatory and optional firewall rules *****************************************/ module "firewall_rules" { - source = "terraform-google-modules/network/google//modules/network-firewall-policy" - version = "~> 9.0" + source = "terraform-google-modules/network/google//modules/network-firewall-policy" + version = "~> 10.0" + project_id = var.project_id policy_name = "fp-${var.environment_code}-dual-svpc-restricted-firewalls" description = "Firewall rules for restricted dual shared vpc: ${module.main.network_name}." diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf index dfdf7cd50..54c2f648d 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/main.tf 
@@ -26,7 +26,7 @@ locals { module "main" { source = "terraform-google-modules/network/google" - version = "~> 9.0" + version = "~> 10.0" project_id = var.project_id network_name = local.network_name diff --git a/3-networks-dual-svpc/modules/restricted_shared_vpc/private_service_connect.tf b/3-networks-dual-svpc/modules/restricted_shared_vpc/private_service_connect.tf index 452625170..3294a0ce5 100644 --- a/3-networks-dual-svpc/modules/restricted_shared_vpc/private_service_connect.tf +++ b/3-networks-dual-svpc/modules/restricted_shared_vpc/private_service_connect.tf @@ -17,7 +17,7 @@ module "private_service_connect" { source = "terraform-google-modules/network/google//modules/private-service-connect" - version = "~> 9.1" + version = "~> 10.0" project_id = var.project_id dns_code = "dz-${var.environment_code}-shared-restricted" diff --git a/3-networks-hub-and-spoke/envs/shared/dns-hub.tf b/3-networks-hub-and-spoke/envs/shared/dns-hub.tf index 6f3dc2d96..8235754ef 100644 --- a/3-networks-hub-and-spoke/envs/shared/dns-hub.tf +++ b/3-networks-hub-and-spoke/envs/shared/dns-hub.tf @@ -20,7 +20,7 @@ module "dns_hub_vpc" { source = "terraform-google-modules/network/google" - version = "~> 9.0" + version = "~> 10.0" project_id = local.dns_hub_project_id network_name = "vpc-net-dns" diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/firewall.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/firewall.tf index 0386b9a97..94dbe7b31 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/firewall.tf +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/firewall.tf 
@@ -18,8 +18,9 @@ Mandatory and optional firewall rules *****************************************/ module "firewall_rules" { - source = "terraform-google-modules/network/google//modules/network-firewall-policy" - version = "~> 9.0" + source = "terraform-google-modules/network/google//modules/network-firewall-policy" + version = "~> 10.0" + project_id = var.project_id policy_name = "fp-${var.environment_code}-hub-and-spoke-base-firewalls" description = "Firewall rules for base hub and spoke shared vpc: ${module.main.network_name}." diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf index eed177f9f..c353140d2 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/main.tf @@ -27,7 +27,7 @@ locals { module "main" { source = "terraform-google-modules/network/google" - version = "~> 9.0" + version = "~> 10.0" project_id = var.project_id network_name = local.network_name @@ -74,7 +74,7 @@ data "google_compute_network" "vpc_base_net_hub" { module "peering" { source = "terraform-google-modules/network/google//modules/network-peering" - version = "~> 9.0" + version = "~> 10.0" count = var.mode == "spoke" ? 1 : 0 prefix = "np" diff --git a/3-networks-hub-and-spoke/modules/base_shared_vpc/private_service_connect.tf b/3-networks-hub-and-spoke/modules/base_shared_vpc/private_service_connect.tf index 864e6ee37..c18e514e6 100644 --- a/3-networks-hub-and-spoke/modules/base_shared_vpc/private_service_connect.tf +++ b/3-networks-hub-and-spoke/modules/base_shared_vpc/private_service_connect.tf @@ -17,7 +17,7 @@ module "private_service_connect" { source = "terraform-google-modules/network/google//modules/private-service-connect" - version = "~> 9.1" + version = "~> 10.0" project_id = var.project_id dns_code = "dz-${var.environment_code}-shared-base" 
diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/firewall.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/firewall.tf index 77fdff46b..5e2a9be25 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/firewall.tf +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/firewall.tf @@ -19,8 +19,9 @@ Mandatory and optional firewall rules *****************************************/ module "firewall_rules" { - source = "terraform-google-modules/network/google//modules/network-firewall-policy" - version = "~> 9.0" + source = "terraform-google-modules/network/google//modules/network-firewall-policy" + version = "~> 10.0" + project_id = var.project_id policy_name = "fp-${var.environment_code}-hub-and-spoke-restricted-firewalls" description = "Firewall rules for restricted hub and spoke shared vpc: ${module.main.network_name}." diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf index b81619ea7..2c056e53f 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf +++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/main.tf @@ -27,7 +27,7 @@ locals { module "main" { source = "terraform-google-modules/network/google" - version = "~> 9.0" + version = "~> 10.0" project_id = var.project_id network_name = local.network_name @@ -76,7 +76,7 @@ data "google_compute_network" "vpc_restricted_net_hub" { module "peering" { source = "terraform-google-modules/network/google//modules/network-peering" - version = "~> 9.0" + version = "~> 10.0" count = var.mode == "spoke" ? 1 : 0 prefix = "np" diff --git a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/private_service_connect.tf b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/private_service_connect.tf index 33f407fa6..99a49440c 100644 --- a/3-networks-hub-and-spoke/modules/restricted_shared_vpc/private_service_connect.tf 
+++ b/3-networks-hub-and-spoke/modules/restricted_shared_vpc/private_service_connect.tf @@ -17,7 +17,7 @@ module "private_service_connect" { source = "terraform-google-modules/network/google//modules/private-service-connect" - version = "~> 9.1" + version = "~> 10.0" project_id = var.project_id dns_code = "dz-${var.environment_code}-shared-restricted" diff --git a/3-networks-hub-and-spoke/modules/transitivity/main.tf b/3-networks-hub-and-spoke/modules/transitivity/main.tf index f2e0cff90..35d31c751 100644 --- a/3-networks-hub-and-spoke/modules/transitivity/main.tf +++ b/3-networks-hub-and-spoke/modules/transitivity/main.tf @@ -37,7 +37,7 @@ module "service_account" { module "templates" { source = "terraform-google-modules/vm/google//modules/instance_template" - version = "~> 12.0" + version = "~> 13.0" for_each = toset(var.regions) can_ip_forward = true @@ -65,7 +65,7 @@ module "templates" { module "migs" { source = "terraform-google-modules/vm/google//modules/mig" - version = "~> 12.1" + version = "~> 13.0" for_each = toset(var.regions) project_id = var.project_id diff --git a/4-projects/modules/base_env/example_peering_project.tf b/4-projects/modules/base_env/example_peering_project.tf index 862836007..aee340e6b 100644 --- a/4-projects/modules/base_env/example_peering_project.tf +++ b/4-projects/modules/base_env/example_peering_project.tf @@ -76,7 +76,7 @@ module "peering_project" { module "peering_network" { source = "terraform-google-modules/network/google" - version = "~> 9.0" + version = "~> 10.0" project_id = module.peering_project.project_id network_name = "vpc-${local.env_code}-peering-base" @@ -112,7 +112,7 @@ resource "google_dns_policy" "default_policy" { module "peering" { source = "terraform-google-modules/network/google//modules/network-peering" - version = "~> 9.0" + version = "~> 10.0" prefix = "${var.business_code}-${local.env_code}" local_network = module.peering_network.network_self_link 
@@ -124,8 +124,9 @@ module "peering" { Mandatory and optional firewall rules *****************************************/ module "firewall_rules" { - source = "terraform-google-modules/network/google//modules/network-firewall-policy" - version = "~> 9.0" + source = "terraform-google-modules/network/google//modules/network-firewall-policy" + version = "~> 10.0" + project_id = module.peering_project.project_id policy_name = "fp-${local.env_code}-peering-project-firewalls" description = "Firewall rules for Peering Network: ${module.peering_network.network_name}." diff --git a/4-projects/modules/base_env/example_storage_cmek.tf b/4-projects/modules/base_env/example_storage_cmek.tf index f9a77c08b..af21ded6f 100644 --- a/4-projects/modules/base_env/example_storage_cmek.tf +++ b/4-projects/modules/base_env/example_storage_cmek.tf @@ -20,7 +20,7 @@ data "google_storage_project_service_account" "gcs_account" { module "kms" { source = "terraform-google-modules/kms/google" - version = "~> 3.2" + version = "~> 4.0" project_id = local.kms_project_id keyring = var.keyring_name @@ -44,7 +44,7 @@ resource "random_string" "bucket_name" { module "gcs_buckets" { source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket" - version = "~> 8.0" + version = "~> 9.0" project_id = module.base_shared_vpc_project.project_id location = var.location_gcs diff --git a/4-projects/modules/infra_pipelines/main.tf b/4-projects/modules/infra_pipelines/main.tf index 123b5514b..ab0da04ea 100644 --- a/4-projects/modules/infra_pipelines/main.tf +++ b/4-projects/modules/infra_pipelines/main.tf @@ -55,7 +55,7 @@ resource "google_storage_bucket" "cloudbuild_bucket" { module "tf_workspace" { source = "terraform-google-modules/bootstrap/google//modules/tf_cloudbuild_workspace" - version = "~> 9.0" + version = "~> 11.0" for_each = toset(var.app_infra_repos) diff --git a/4-projects/modules/single_project/main.tf b/4-projects/modules/single_project/main.tf index eda1b55f5..94551125d 100644 
--- a/4-projects/modules/single_project/main.tf +++ b/4-projects/modules/single_project/main.tf @@ -46,7 +46,7 @@ locals { module "project" { source = "terraform-google-modules/project-factory/google" - version = "~> 17.0" + version = "~> 18.0" random_project_id = true random_project_id_length = 4 diff --git a/5-app-infra/modules/env_base/main.tf b/5-app-infra/modules/env_base/main.tf index 078743720..6fdc56349 100644 --- a/5-app-infra/modules/env_base/main.tf +++ b/5-app-infra/modules/env_base/main.tf @@ -62,7 +62,7 @@ resource "google_service_account" "compute_engine_service_account" { module "instance_template" { source = "terraform-google-modules/vm/google//modules/instance_template" - version = "~> 12.0" + version = "~> 13.0" machine_type = var.machine_type region = var.region @@ -81,7 +81,7 @@ module "instance_template" { module "compute_instance" { source = "terraform-google-modules/vm/google//modules/compute_instance" - version = "~> 12.0" + version = "~> 13.0" region = var.region subnetwork = local.subnetwork_self_link diff --git a/helpers/foundation-deployer/global.tfvars.example b/helpers/foundation-deployer/global.tfvars.example index b9ab862de..352408781 100644 --- a/helpers/foundation-deployer/global.tfvars.example +++ b/helpers/foundation-deployer/global.tfvars.example @@ -27,8 +27,8 @@ foundation_code_path = "FULL_PATH_TO_FOLDER_WHERE_THE_EXAMPLE_FOUNDATION_CODE_WA // See https://cloud.google.com/sdk/gcloud/reference/config/set#EXAMPLES validator_project_id = "EXISTING_PROJECT_ID" -project_deletion_policy = "DELETE" -folder_deletion_protection = false +project_deletion_policy = "PREVENT" # Use "DELETE" to allow deletion of the projects +folder_deletion_protection = true // 0-bootstrap inputs // https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/0-bootstrap/README.md#inputs 
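Review bot: The new inline comment on `project_deletion_policy` uses `#` while every other comment in this file uses `//` (`// See https://cloud.google.com/sdk/...` and `// 0-bootstrap inputs` sit in the same hunk); keep one style, `project_deletion_policy = "PREVENT" // Use "DELETE" to allow deletion of the projects`. The same hint is missing from `folder_deletion_protection = true`, which presumably blocks a destroy in exactly the same way, so add `folder_deletion_protection = true // Set to false to allow deletion of the folders`. Flipping the example to the protective values is the right default for a foundation, but anyone using the deployer for a throw-away validation run now has to change three settings (this pair plus the `workflow_deletion_protection = true` added in the next hunk) before a teardown can succeed; a one-line note at the top of the file saying so would save a failed destroy.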
@@ -42,6 +42,7 @@ default_region_kms = "us" bucket_force_destroy = false bucket_tfstate_kms_force_destroy = false +workflow_deletion_protection = true project_prefix = "prj" folder_prefix = "fldr" diff --git a/helpers/foundation-deployer/stages/apply.go b/helpers/foundation-deployer/stages/apply.go index d48083083..fd37abb48 100644 --- a/helpers/foundation-deployer/stages/apply.go +++ b/helpers/foundation-deployer/stages/apply.go @@ -43,6 +43,7 @@ func DeployBootstrapStage(t testing.TB, s steps.Steps, tfvars GlobalTFVars, c Co FolderPrefix: tfvars.FolderPrefix, BucketForceDestroy: tfvars.BucketForceDestroy, BucketTfstateKmsForceDestroy: tfvars.BucketTfstateKmsForceDestroy, + WorkflowDeletionProtection: tfvars.WorkflowDeletionProtection, Groups: tfvars.Groups, InitialGroupConfig: tfvars.InitialGroupConfig, FolderDeletionProtection: tfvars.FolderDeletionProtection, diff --git a/helpers/foundation-deployer/stages/data.go b/helpers/foundation-deployer/stages/data.go index a3b64687c..2c1ad59c3 100644 --- a/helpers/foundation-deployer/stages/data.go +++ b/helpers/foundation-deployer/stages/data.go @@ -145,6 +145,7 @@ type GlobalTFVars struct { FolderPrefix *string `hcl:"folder_prefix"` BucketForceDestroy *bool `hcl:"bucket_force_destroy"` BucketTfstateKmsForceDestroy *bool `hcl:"bucket_tfstate_kms_force_destroy"` + WorkflowDeletionProtection *bool `hcl:"workflow_deletion_protection"` AuditLogsTableDeleteContentsOnDestroy *bool `hcl:"audit_logs_table_delete_contents_on_destroy"` LogExportStorageForceDestroy *bool `hcl:"log_export_storage_force_destroy"` LogExportStorageLocation string `hcl:"log_export_storage_location"` 
@@ -159,7 +160,7 @@ type GlobalTFVars struct {
 ValidatorProjectId *string `hcl:"validator_project_id"`
 Groups Groups `hcl:"groups"`
 InitialGroupConfig *string `hcl:"initial_group_config"`
- FolderDeletionProtection bool `hcl:"folder_deletion_protection"`
+ FolderDeletionProtection *bool `hcl:"folder_deletion_protection"`
 ProjectDeletionPolicy string `hcl:"project_deletion_policy"`
 }
@@ -205,9 +206,10 @@ type BootstrapTfvars struct {
 FolderPrefix *string `hcl:"folder_prefix"`
 BucketForceDestroy *bool `hcl:"bucket_force_destroy"`
 BucketTfstateKmsForceDestroy *bool `hcl:"bucket_tfstate_kms_force_destroy"`
+ WorkflowDeletionProtection *bool `hcl:"workflow_deletion_protection"`
 Groups Groups `hcl:"groups"`
 InitialGroupConfig *string `hcl:"initial_group_config"`
- FolderDeletionProtection bool `hcl:"folder_deletion_protection"`
+ FolderDeletionProtection *bool `hcl:"folder_deletion_protection"`
 ProjectDeletionPolicy string `hcl:"project_deletion_policy"`
 }
@@ -224,13 +226,13 @@ type OrgTfvars struct {
 LogExportStorageLocation string `hcl:"log_export_storage_location"`
 BillingExportDatasetLocation string `hcl:"billing_export_dataset_location"`
 GcpGroups GcpGroups `hcl:"gcp_groups"`
- FolderDeletionProtection bool `hcl:"folder_deletion_protection"`
+ FolderDeletionProtection *bool `hcl:"folder_deletion_protection"`
 ProjectDeletionPolicy string `hcl:"project_deletion_policy"`
 }
 type EnvsTfvars struct {
 RemoteStateBucket string `hcl:"remote_state_bucket"`
- FolderDeletionProtection bool `hcl:"folder_deletion_protection"`
+ FolderDeletionProtection *bool `hcl:"folder_deletion_protection"`
 ProjectDeletionPolicy string `hcl:"project_deletion_policy"`
 }
@@ -260,7 +262,7 @@ type ProjSharedTfvars struct {
 type ProjEnvTfvars struct {
 LocationKMS string `hcl:"location_kms"`
 LocationGCS string `hcl:"location_gcs"`
- FolderDeletionProtection bool `hcl:"folder_deletion_protection"`
+ FolderDeletionProtection *bool `hcl:"folder_deletion_protection"`
 ProjectDeletionPolicy string `hcl:"project_deletion_policy"`
 }
diff --git a/helpers/foundation-deployer/stages/validate.go b/helpers/foundation-deployer/stages/validate.go
index 2f8a6d15b..2ef55635f 100644
--- a/helpers/foundation-deployer/stages/validate.go
+++ b/helpers/foundation-deployer/stages/validate.go
@@ -94,24 +94,42 @@ func ValidateBasicFields(t testing.TB, g GlobalTFVars) {
 // ValidateDestroyFlags checks if the flags to allow the destruction of the infrastructure are enabled
 func ValidateDestroyFlags(t testing.TB, g GlobalTFVars) {
- flags := []string{}
+ trueFlags := []string{}
+ falseFlags := []string{}
+ projectDeletion := false
 if g.BucketForceDestroy == nil || !*g.BucketForceDestroy {
- flags = append(flags, "bucket_force_destroy")
+ trueFlags = append(trueFlags, "bucket_force_destroy")
 }
 if g.AuditLogsTableDeleteContentsOnDestroy == nil || !*g.AuditLogsTableDeleteContentsOnDestroy {
- flags = append(flags, "audit_logs_table_delete_contents_on_destroy")
+ trueFlags = append(trueFlags, "audit_logs_table_delete_contents_on_destroy")
 }
 if g.LogExportStorageForceDestroy == nil || !*g.LogExportStorageForceDestroy {
- flags = append(flags, "log_export_storage_force_destroy")
+ trueFlags = append(trueFlags, "log_export_storage_force_destroy")
 }
 if g.BucketTfstateKmsForceDestroy == nil || !*g.BucketTfstateKmsForceDestroy {
- flags = append(flags, "bucket_tfstate_kms_force_destroy")
+ trueFlags = append(trueFlags, "bucket_tfstate_kms_force_destroy")
 }
+ if g.FolderDeletionProtection != nil && *g.FolderDeletionProtection {
+ falseFlags = append(falseFlags, "folder_deletion_protection")
+ }
+ if g.WorkflowDeletionProtection != nil && *g.WorkflowDeletionProtection {
+ falseFlags = append(falseFlags, "workflow_deletion_protection")
+ }
+ projectDeletion = g.ProjectDeletionPolicy != "DELETE"
- if len(flags) > 0 {
+ if len(trueFlags) > 0 || len(falseFlags) > 0 || projectDeletion {
 fmt.Println("# To use the feature to destroy the deployment created by this helper,")
- fmt.Println("# please set the following flags to 'true' in the tfvars file:")
- fmt.Printf("# %s\n", strings.Join(flags, ", "))
+ if len(trueFlags) > 0 {
+ fmt.Println("# please set the following flags to 'true' in the tfvars file:")
+ fmt.Printf("# %s\n", strings.Join(trueFlags, ", "))
+ }
+ if len(falseFlags) > 0 {
+ fmt.Println("# please set the following flags to 'false' in the tfvars file:")
+ fmt.Printf("# %s\n", strings.Join(falseFlags, ", "))
+ }
+ if projectDeletion {
+ fmt.Println("# please set the project_deletion_policy input to 'DELETE' in the tfvars file")
+ }
 }
 }
diff --git a/test/integration/bootstrap/bootstrap_test.go b/test/integration/bootstrap/bootstrap_test.go
index aef67be44..d9817529b 100644
--- a/test/integration/bootstrap/bootstrap_test.go
+++ b/test/integration/bootstrap/bootstrap_test.go
@@ -50,6 +50,7 @@ func TestBootstrap(t *testing.T) {
 "bucket_force_destroy": true,
 "bucket_tfstate_kms_force_destroy": true,
 "folder_deletion_protection": false,
+ "workflow_deletion_protection": false,
 "project_deletion_policy": "DELETE",
 }
diff --git a/test/setup/main.tf b/test/setup/main.tf
index 976fba60b..57267a8af 100644
--- a/test/setup/main.tf
+++ b/test/setup/main.tf
@@ -47,7 +47,7 @@ resource "google_folder" "test_folder" {
 module "project" {
 source = "terraform-google-modules/project-factory/google"
- version = "~> 17.0"
+ version = "~> 18.0"
 name = "ci-foundation-${random_string.suffix.result}"
 random_project_id = true
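Review bot: The nil checks on the two new protection flags treat an unset value as safe (`!= nil && *g...`), while the `*_force_destroy` checks just above treat unset as a problem (`== nil || !*g...`); if an unset `folder_deletion_protection` or `workflow_deletion_protection` leaves the module's protective default in effect — the tfvars example in this same diff sets both to `true`, so that seems to be the intent — a later destroy would fail without this helper ever warning about it. Suggest `if g.FolderDeletionProtection == nil || *g.FolderDeletionProtection {` and `if g.WorkflowDeletionProtection == nil || *g.WorkflowDeletionProtection {`, after confirming that the Terraform variable defaults are indeed `true`. Separately, `projectDeletion := false` is only assigned once further down and its name reads as the opposite of what it holds (true means deletion is blocked); `projectDeletionBlocked := g.ProjectDeletionPolicy != "DELETE"` at the point of use would be clearer. `trueFlags := []string{}` and `falseFlags := []string{}` could also be `var trueFlags, falseFlags []string`, since `append` and `len` are fine on nil slices.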