feat: adopt the new google_secure_source_manager_hook resource.

PiperOrigin-RevId: 814269077

Author: Android Build Filesystem (ABFS) Team

examples/simple/compute.tf

@@ -64,29 +64,3 @@ resource "google_compute_instance" "abfs_client" {
     enable_vtpm                 = var.abfs_client_config.shielded_instance_config.enable_vtpm
   }
 }
-
-module "ops_agent_policy" {
-  count = var.create_client_instance_resource ? 1 : 0
-
-  source = "github.com/terraform-google-modules/terraform-google-cloud-operations/modules/ops-agent-policy?ref=v0.6.0"
-
-  project = google_compute_instance.abfs_client[0].project
-  zone    = google_compute_instance.abfs_client[0].zone
-  assignment_id = format(
-    "goog-ops-agent-%s-%s",
-    var.abfs_client_config.goog_ops_agent_policy,
-    google_compute_instance.abfs_client[0].zone
-  )
-  agents_rule = {
-    package_state = "installed"
-    version       = "latest"
-  }
-  instance_filter = {
-    all = false
-    inclusion_labels = [{
-      labels = {
-        goog-ops-agent-policy = var.abfs_client_config.goog_ops_agent_policy
-      }
-    }]
-  }
-}

examples/simple/dns.tf

@@ -37,7 +37,7 @@ locals {
 module "cloud-dns-private-google-apis" {
   count   = var.create_dns_zones ? 1 : 0
   source  = "terraform-google-modules/cloud-dns/google"
-  version = "5.3.0"
+  version = "~>6.1.0"
 
   description = "Private DNS zone for Google APIs"
   domain      = "googleapis.com."
@@ -70,7 +70,7 @@ module "cloud-dns-private-google-apis" {
 module "cloud-dns-private-artifact-registry" {
   count   = var.create_dns_zones ? 1 : 0
   source  = "terraform-google-modules/cloud-dns/google"
-  version = "5.3.0"
+  version = "~>6.1.0"
 
   description = "Private DNS zone for Artifact Registry"
   domain      = "pkg.dev."
@@ -103,7 +103,7 @@ module "cloud-dns-private-artifact-registry" {
 module "source-repositories-private-artifact-registry" {
   count   = var.create_dns_zones ? 1 : 0
   source  = "terraform-google-modules/cloud-dns/google"
-  version = "5.3.0"
+  version = "~>6.1.0"
 
   description = "Private DNS zone for Cloud Source Repositories"
   domain      = "source.developers.google.com."

examples/simple/iam.tf

@@ -13,9 +13,20 @@
 # limitations under the License.
 
 locals {
-  create_service_account         = var.abfs_service_account_id == ""
+  # go/keep-sorted start
+  abfs_iam_roles = [
+    "roles/artifactregistry.reader",
+    "roles/logging.logWriter",
+    "roles/monitoring.metricWriter",
+    "roles/monitoring.viewer",
+    "roles/spanner.databaseUser",
+    "roles/stackdriver.resourceMetadata.writer",
+    "roles/storage.objectAdmin",
+  ]
   abfs_service_account_email     = local.create_service_account ? google_service_account.abfs[0].email : data.google_service_account.abfs[0].email
   abfs_service_account_unique_id = local.create_service_account ? google_service_account.abfs[0].unique_id : data.google_service_account.abfs[0].unique_id
+  create_service_account         = var.abfs_service_account_id == ""
+  # go/keep-sorted end
 }
 
 data "google_service_account" "abfs" {
@@ -38,22 +49,12 @@ resource "google_service_account" "abfs" {
   }
 }
 
-module "project-iam-bindings" {
-  source  = "terraform-google-modules/iam/google//modules/projects_iam"
-  version = "8.1.0"
-
-  projects = [data.google_project.project.project_id]
-  mode     = "authoritative"
-
-  bindings = {
-    "roles/artifactregistry.reader"             = ["serviceAccount:${local.abfs_service_account_email}"],
-    "roles/logging.logWriter"                   = ["serviceAccount:${local.abfs_service_account_email}"],
-    "roles/monitoring.metricWriter"             = ["serviceAccount:${local.abfs_service_account_email}"],
-    "roles/monitoring.viewer"                   = ["serviceAccount:${local.abfs_service_account_email}"],
-    "roles/spanner.databaseUser"                = ["serviceAccount:${local.abfs_service_account_email}"],
-    "roles/stackdriver.resourceMetadata.writer" = ["serviceAccount:${local.abfs_service_account_email}"],
-    "roles/storage.objectAdmin"                 = ["serviceAccount:${local.abfs_service_account_email}"],
-  }
+resource "google_project_iam_member" "abfs_iam" {
+  for_each = toset(local.abfs_iam_roles)
+
+  project = data.google_project.project.project_id
+  role    = each.value
+  member  = "serviceAccount:${local.abfs_service_account_email}"
 
   depends_on = [
     module.project-services,

examples/simple/network.tf

@@ -19,7 +19,7 @@ moved {
 
 module "abfs_vpc" {
   source  = "terraform-google-modules/network/google"
-  version = "9.2.0"
+  version = "~>12.0.0"
 
   project_id   = data.google_project.project.project_id
   network_name = var.abfs_network_name
@@ -106,7 +106,7 @@ resource "google_compute_router" "nat_router" {
 
 module "cloud-nat" {
   source  = "terraform-google-modules/cloud-nat/google"
-  version = "~> 5.3"
+  version = "~> 5.4.0"
 
   project_id = var.project_id
   region     = var.region

examples/simple/outputs.tf

@@ -36,14 +36,3 @@ output "spanner_database_schema_creation" {
     EOT
   )
 }
-
-output "webhook_setup_instructions" {
-  description = "Instructions to set up the webhook trigger."
-  value       = var.create_cloud_workstation_resources ? module.cicd_foundation[0].webhook_setup_instructions : null
-  sensitive   = true
-}
-
-output "webhook_setup_instructions_display" {
-  description = "Instructions to set up the webhook trigger."
-  value       = var.create_cloud_workstation_resources ? module.cicd_foundation[0].webhook_setup_instructions_display : null
-}

examples/simple/services.tf

@@ -14,7 +14,7 @@
 
 module "project-services-cloud-resource-manager" {
   source  = "terraform-google-modules/project-factory/google//modules/project_services"
-  version = "18.0.0"
+  version = "18.1.0"
 
   project_id                  = var.project_id
   enable_apis                 = var.enable_apis
@@ -26,7 +26,7 @@ module "project-services-cloud-resource-manager" {
 
 module "project-services" {
   source  = "terraform-google-modules/project-factory/google//modules/project_services"
-  version = "18.0.0"
+  version = "18.1.0"
 
   project_id                  = var.project_id
   enable_apis                 = var.enable_apis

examples/simple/terraform.tf

@@ -17,7 +17,7 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 6.11.0"
+      version = ">= 7.5.0"
     }
   }
   # grant Storage Object Admin role to the Google Identity invoking Terraform