diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 57f2bbdae..1aaa749de 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -27,7 +27,7 @@ on:
terraform_version:
description: "Use '1.5.7' to test last MPLv2 Terraform version"
required: true
- default: 1.11.4
+ default: 1.12.2
type: string
env:
@@ -37,8 +37,8 @@ env:
TF_PLUGIN_CACHE_DIR: "/home/runner/.terraform.d/plugin-cache"
TFTEST_COPY: 1
DEFAULT_TERRAFORM_FLAVOUR: terraform
- DEFAULT_TERRAFORM_VERSION: ${{ inputs.terraform_version || '1.11.4' }}
- DEFAULT_TOFU_VERSION: "1.9.0"
+ DEFAULT_TERRAFORM_VERSION: ${{ inputs.terraform_version || '1.12.2' }}
+ DEFAULT_TOFU_VERSION: "1.10.0"
jobs:
compute-matrix:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 71adc7a32..c92c7d7e2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,12 +7,18 @@ All notable changes to this project will be documented in this file.
### BREAKING CHANGES
+- `modules/gke-hub`: Unified cluster configuration. The module now uses a single `clusters` variable to configure both cluster registration and feature enablement. [[#3332](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3332)]
+- `all modules`: Minimum supported Terraform version bumped 1.12.2 [[#3332](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3332)]
+- `all modules`: Minimum supported OpenTofu version bumped 1.10.0 [[#3332](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3332)]
- `modules/project-factory`: the format for automation service account names has changed. [[#3345](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3345)]
- [[#3361](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3361)] Use pre-commit managed Python environment for pre-commit checks ([wiktorn](https://github.com/wiktorn))
### FAST
+- [[#3332](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3332)] Update gke-hub module to use new Policy Controller API ([juliocc](https://github.com/juliocc))
+- [[#3400](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3400)] Remove unavailable service from VPC-SC stage services list ([ludoo](https://github.com/ludoo))
+- [[#3385](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3385)] fix: expose missing audiences variable for gitlab workflow file ([vvision](https://github.com/vvision))
- [[#3384](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3384)] Add support for universe to fast project factory stage ([ludoo](https://github.com/ludoo))
- [[#3383](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3383)] Support universe in fast security stage ([ludoo](https://github.com/ludoo))
- [[#3381](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3381)] Fix typo in fast stage 0 provider template ([ludoo](https://github.com/ludoo))
@@ -28,6 +34,8 @@ All notable changes to this project will be documented in this file.
### MODULES
+- [[#3332](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3332)] Update gke-hub module to use new Policy Controller API ([juliocc](https://github.com/juliocc))
+- [[#3402](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3402)] Fix incorrect cloudservices agent email for global universe in project module ([ludoo](https://github.com/ludoo))
- [[#3388](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3388)] Add support for context to bigquery module ([ludoo](https://github.com/ludoo))
- [[#3377](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3377)] feat(bigquery-dataset): add optional schema support for views ([weather2602](https://github.com/weather2602))
- [[#3380](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3380)] Lightly refactor service agents locals in project module ([ludoo](https://github.com/ludoo))
@@ -46,6 +54,11 @@ All notable changes to this project will be documented in this file.
- [[#3346](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3346)] Added Cloud Build v2 connection module ([apichick](https://github.com/apichick))
- [[#3345](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3345)] Rationalize prefix handling for project factory automation resources ([ludoo](https://github.com/ludoo))
+### TOOLS
+
+- [[#3332](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3332)] Update gke-hub module to use new Policy Controller API ([juliocc](https://github.com/juliocc))
+- [[#3404](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/3404)] Add tests for service agents iam_emails ([wiktorn](https://github.com/wiktorn))
+
## [45.0.0] - 2025-09-20
### FAST
diff --git a/default-versions.tf b/default-versions.tf
index 009b53c2c..b83c97f23 100644
--- a/default-versions.tf
+++ b/default-versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/default-versions.tofu b/default-versions.tofu
index 11f2895cf..c948cb65e 100644
--- a/default-versions.tofu
+++ b/default-versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/fast/project-templates/managed-kafka/versions.tf b/fast/project-templates/managed-kafka/versions.tf
index 5fdb34f76..0fdfcf979 100644
--- a/fast/project-templates/managed-kafka/versions.tf
+++ b/fast/project-templates/managed-kafka/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/fast/stages/3-gke-dev/gke-hub.tf b/fast/stages/3-gke-dev/gke-hub.tf
index 8540fe586..cfd0d9eed 100644
--- a/fast/stages/3-gke-dev/gke-hub.tf
+++ b/fast/stages/3-gke-dev/gke-hub.tf
@@ -18,7 +18,7 @@
locals {
fleet_clusters = var.fleet_config == null ? {} : {
- for k, v in var.clusters : k => v.fleet_config.configmanagement_template
+ for k, v in var.clusters : k => v.fleet_config
if v.fleet_config.register == true
}
fleet_mcs_enabled = (
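Review bot: The filter `if v.fleet_config.register == true` dereferences each cluster's `fleet_config` without a null guard, while only the stage-level `var.fleet_config` is checked on the line above. If the per-cluster attribute is optional with no default (the variable type is not visible in this hunk), a cluster that omits it would fail at plan time; `if try(v.fleet_config.register, false) == true` would tolerate that. Because the local now carries the whole object instead of the template name, a short comment such as `# cluster key => per-cluster fleet_config, registered clusters only` would help readers. The `locals` block continues past the end of the hunk.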
@@ -33,16 +33,16 @@ module "gke-hub" {
count = var.fleet_config != null ? 1 : 0
project_id = module.gke-project-0.project_id
clusters = {
- for k, v in local.fleet_clusters : k => module.gke-cluster[k].id
+ for k, v in local.fleet_clusters : k => {
+ id = module.gke-cluster[k].id
+ configmanagement = v.configmanagement_template
+ policycontroller = null # Can be extended if needed
+ servicemesh = null # Can be extended if needed
+ workload_identity = var.fleet_config.use_workload_identity
+ }
}
features = var.fleet_config.enable_features
configmanagement_templates = var.fleet_configmanagement_templates
- configmanagement_clusters = {
- for k, v in local.fleet_clusters : v => k...
- }
- workload_identity_clusters = (
- var.fleet_config.use_workload_identity ? keys(local.fleet_clusters) : []
- )
depends_on = [
module.gke-nodepool
]
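Review bot: `policycontroller = null` and `servicemesh = null` are fixed for every registered cluster, and the trailing comment "Can be extended if needed" does not say what null means to the module or that this stage exposes no input for them. If `var.fleet_config.enable_features` can still switch on the fleet-level Policy Controller or service mesh feature (neither the feature list nor the module's handling is visible here), an operator could enable the feature and assume admission policies are enforced while no cluster receives a configuration. I would either wire both to per-cluster attributes or make the comment explicit, e.g. `policycontroller = null # not configurable from this stage; no per-cluster Policy Controller config is applied`. `workload_identity` is read from the stage-wide `var.fleet_config`, so it cannot differ per cluster, which matches the removed `workload_identity_clusters` logic. The `module "gke-hub"` block starts and ends outside the hunk.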
diff --git a/modules/__experimental_deprecated/alloydb-instance/versions.tf b/modules/__experimental_deprecated/alloydb-instance/versions.tf
index ad7d522a5..fdb373c23 100644
--- a/modules/__experimental_deprecated/alloydb-instance/versions.tf
+++ b/modules/__experimental_deprecated/alloydb-instance/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/__experimental_deprecated/alloydb-instance/versions.tofu b/modules/__experimental_deprecated/alloydb-instance/versions.tofu
index 3ebd4ff8c..c48bc9d58 100644
--- a/modules/__experimental_deprecated/alloydb-instance/versions.tofu
+++ b/modules/__experimental_deprecated/alloydb-instance/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/__experimental_deprecated/net-neg/versions.tf b/modules/__experimental_deprecated/net-neg/versions.tf
index 773a10ea4..b287689e6 100644
--- a/modules/__experimental_deprecated/net-neg/versions.tf
+++ b/modules/__experimental_deprecated/net-neg/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/__experimental_deprecated/net-neg/versions.tofu b/modules/__experimental_deprecated/net-neg/versions.tofu
index e8b2b241f..c832e4cee 100644
--- a/modules/__experimental_deprecated/net-neg/versions.tofu
+++ b/modules/__experimental_deprecated/net-neg/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/__experimental_deprecated/project-iam-magic/versions.tf b/modules/__experimental_deprecated/project-iam-magic/versions.tf
index f3a21eeea..94711c93b 100644
--- a/modules/__experimental_deprecated/project-iam-magic/versions.tf
+++ b/modules/__experimental_deprecated/project-iam-magic/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/__experimental_deprecated/project-iam-magic/versions.tofu b/modules/__experimental_deprecated/project-iam-magic/versions.tofu
index 50406f35d..5cbf0f388 100644
--- a/modules/__experimental_deprecated/project-iam-magic/versions.tofu
+++ b/modules/__experimental_deprecated/project-iam-magic/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/ai-applications/versions.tf b/modules/ai-applications/versions.tf
index b5199d0ac..f9a0922f4 100644
--- a/modules/ai-applications/versions.tf
+++ b/modules/ai-applications/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/ai-applications/versions.tofu b/modules/ai-applications/versions.tofu
index fb217a7f5..117c49135 100644
--- a/modules/ai-applications/versions.tofu
+++ b/modules/ai-applications/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/alloydb/versions.tf b/modules/alloydb/versions.tf
index c4c4637c0..d5316ce83 100644
--- a/modules/alloydb/versions.tf
+++ b/modules/alloydb/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/alloydb/versions.tofu b/modules/alloydb/versions.tofu
index 127796c64..40476505e 100644
--- a/modules/alloydb/versions.tofu
+++ b/modules/alloydb/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/analytics-hub/versions.tf b/modules/analytics-hub/versions.tf
index 4f5c47105..48c1a0530 100644
--- a/modules/analytics-hub/versions.tf
+++ b/modules/analytics-hub/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/analytics-hub/versions.tofu b/modules/analytics-hub/versions.tofu
index 31da0e6dc..c3b98dadd 100644
--- a/modules/analytics-hub/versions.tofu
+++ b/modules/analytics-hub/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/api-gateway/versions.tf b/modules/api-gateway/versions.tf
index 746092cf9..be5d9e32c 100644
--- a/modules/api-gateway/versions.tf
+++ b/modules/api-gateway/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/api-gateway/versions.tofu b/modules/api-gateway/versions.tofu
index b945a3285..be6bdfb55 100644
--- a/modules/api-gateway/versions.tofu
+++ b/modules/api-gateway/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/apigee/versions.tf b/modules/apigee/versions.tf
index 8195a5b1c..6f1151cf2 100644
--- a/modules/apigee/versions.tf
+++ b/modules/apigee/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/apigee/versions.tofu b/modules/apigee/versions.tofu
index 07e90517e..e245f36b7 100644
--- a/modules/apigee/versions.tofu
+++ b/modules/apigee/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/artifact-registry/versions.tf b/modules/artifact-registry/versions.tf
index d19a20c91..60f7b7365 100644
--- a/modules/artifact-registry/versions.tf
+++ b/modules/artifact-registry/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/artifact-registry/versions.tofu b/modules/artifact-registry/versions.tofu
index 3eec4aef3..e873caf3c 100644
--- a/modules/artifact-registry/versions.tofu
+++ b/modules/artifact-registry/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/bigquery-dataset/versions.tf b/modules/bigquery-dataset/versions.tf
index 45348af2a..ab334c838 100644
--- a/modules/bigquery-dataset/versions.tf
+++ b/modules/bigquery-dataset/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/bigquery-dataset/versions.tofu b/modules/bigquery-dataset/versions.tofu
index 2935819ae..0301d8d99 100644
--- a/modules/bigquery-dataset/versions.tofu
+++ b/modules/bigquery-dataset/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/bigtable-instance/versions.tf b/modules/bigtable-instance/versions.tf
index 223edc08e..54e5b9ad1 100644
--- a/modules/bigtable-instance/versions.tf
+++ b/modules/bigtable-instance/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/bigtable-instance/versions.tofu b/modules/bigtable-instance/versions.tofu
index ffa52be3d..611f3316e 100644
--- a/modules/bigtable-instance/versions.tofu
+++ b/modules/bigtable-instance/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/billing-account/versions.tf b/modules/billing-account/versions.tf
index 898feea23..60e6f40f3 100644
--- a/modules/billing-account/versions.tf
+++ b/modules/billing-account/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/billing-account/versions.tofu b/modules/billing-account/versions.tofu
index 3ae5bcd46..a60805feb 100644
--- a/modules/billing-account/versions.tofu
+++ b/modules/billing-account/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/binauthz/versions.tf b/modules/binauthz/versions.tf
index 0d3789655..ad52c9d85 100644
--- a/modules/binauthz/versions.tf
+++ b/modules/binauthz/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/binauthz/versions.tofu b/modules/binauthz/versions.tofu
index 7c016fb16..1817d955d 100644
--- a/modules/binauthz/versions.tofu
+++ b/modules/binauthz/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/certificate-authority-service/versions.tf b/modules/certificate-authority-service/versions.tf
index 70bd3a469..985c752ae 100644
--- a/modules/certificate-authority-service/versions.tf
+++ b/modules/certificate-authority-service/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/certificate-authority-service/versions.tofu b/modules/certificate-authority-service/versions.tofu
index 66a57c8a4..251198ebf 100644
--- a/modules/certificate-authority-service/versions.tofu
+++ b/modules/certificate-authority-service/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/certificate-manager/versions.tf b/modules/certificate-manager/versions.tf
index d63932340..5a0606c17 100644
--- a/modules/certificate-manager/versions.tf
+++ b/modules/certificate-manager/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/certificate-manager/versions.tofu b/modules/certificate-manager/versions.tofu
index 810dc1afa..7d649da6e 100644
--- a/modules/certificate-manager/versions.tofu
+++ b/modules/certificate-manager/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-build-v2-connection/versions.tf b/modules/cloud-build-v2-connection/versions.tf
index d63932340..b0d10995d 100644
--- a/modules/cloud-build-v2-connection/versions.tf
+++ b/modules/cloud-build-v2-connection/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/certificate-manager:v45.0.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-build-v2-connection:v45.0.0-tf"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/certificate-manager:v45.0.0-tf"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-build-v2-connection:v45.0.0-tf"
}
}
diff --git a/modules/cloud-build-v2-connection/versions.tofu b/modules/cloud-build-v2-connection/versions.tofu
index a581ae71e..46edf62ff 100644
--- a/modules/cloud-build-v2-connection/versions.tofu
+++ b/modules/cloud-build-v2-connection/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
@@ -27,9 +27,9 @@ terraform {
}
}
provider_meta "google" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-deploy:v45.0.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-build-v2-connection:v45.0.0-tofu"
}
provider_meta "google-beta" {
- module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-deploy:v45.0.0-tofu"
+ module_name = "google-pso-tool/cloud-foundation-fabric/modules/cloud-build-v2-connection:v45.0.0-tofu"
}
-}
\ No newline at end of file
+}
diff --git a/modules/cloud-config-container/__need_fixing/onprem/versions.tf b/modules/cloud-config-container/__need_fixing/onprem/versions.tf
index ccb7ddfb3..35702c905 100644
--- a/modules/cloud-config-container/__need_fixing/onprem/versions.tf
+++ b/modules/cloud-config-container/__need_fixing/onprem/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-config-container/__need_fixing/onprem/versions.tofu b/modules/cloud-config-container/__need_fixing/onprem/versions.tofu
index eebad60a1..525ba388a 100644
--- a/modules/cloud-config-container/__need_fixing/onprem/versions.tofu
+++ b/modules/cloud-config-container/__need_fixing/onprem/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-config-container/__need_fixing/squid/versions.tf b/modules/cloud-config-container/__need_fixing/squid/versions.tf
index 6a2945275..f595ec98a 100644
--- a/modules/cloud-config-container/__need_fixing/squid/versions.tf
+++ b/modules/cloud-config-container/__need_fixing/squid/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-config-container/__need_fixing/squid/versions.tofu b/modules/cloud-config-container/__need_fixing/squid/versions.tofu
index e8ac4a791..d67ab0a85 100644
--- a/modules/cloud-config-container/__need_fixing/squid/versions.tofu
+++ b/modules/cloud-config-container/__need_fixing/squid/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-config-container/bindplane/versions.tf b/modules/cloud-config-container/bindplane/versions.tf
index e129456ec..97d969954 100644
--- a/modules/cloud-config-container/bindplane/versions.tf
+++ b/modules/cloud-config-container/bindplane/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-config-container/bindplane/versions.tofu b/modules/cloud-config-container/bindplane/versions.tofu
index f1ef30dfa..94f2d5930 100644
--- a/modules/cloud-config-container/bindplane/versions.tofu
+++ b/modules/cloud-config-container/bindplane/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-config-container/coredns/versions.tf b/modules/cloud-config-container/coredns/versions.tf
index b818ef2a9..160d84a24 100644
--- a/modules/cloud-config-container/coredns/versions.tf
+++ b/modules/cloud-config-container/coredns/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-config-container/coredns/versions.tofu b/modules/cloud-config-container/coredns/versions.tofu
index 1faee840b..4b9927616 100644
--- a/modules/cloud-config-container/coredns/versions.tofu
+++ b/modules/cloud-config-container/coredns/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-config-container/cos-generic-metadata/versions.tf b/modules/cloud-config-container/cos-generic-metadata/versions.tf
index 65d2a36ad..cd89047a7 100644
--- a/modules/cloud-config-container/cos-generic-metadata/versions.tf
+++ b/modules/cloud-config-container/cos-generic-metadata/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-config-container/cos-generic-metadata/versions.tofu b/modules/cloud-config-container/cos-generic-metadata/versions.tofu
index a505ce421..721f4dca7 100644
--- a/modules/cloud-config-container/cos-generic-metadata/versions.tofu
+++ b/modules/cloud-config-container/cos-generic-metadata/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tf b/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tf
index aa0072a38..ef36496d9 100644
--- a/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tf
+++ b/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tofu b/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tofu
index 680d54340..4a2e2da81 100644
--- a/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tofu
+++ b/modules/cloud-config-container/envoy-sni-dyn-fwd-proxy/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-config-container/envoy-traffic-director/versions.tf b/modules/cloud-config-container/envoy-traffic-director/versions.tf
index 91a98d2ae..67adf9db8 100644
--- a/modules/cloud-config-container/envoy-traffic-director/versions.tf
+++ b/modules/cloud-config-container/envoy-traffic-director/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-config-container/envoy-traffic-director/versions.tofu b/modules/cloud-config-container/envoy-traffic-director/versions.tofu
index 5af65d06b..967766c6a 100644
--- a/modules/cloud-config-container/envoy-traffic-director/versions.tofu
+++ b/modules/cloud-config-container/envoy-traffic-director/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-config-container/mysql/versions.tf b/modules/cloud-config-container/mysql/versions.tf
index b1ee1a5a9..dda957d5e 100644
--- a/modules/cloud-config-container/mysql/versions.tf
+++ b/modules/cloud-config-container/mysql/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-config-container/mysql/versions.tofu b/modules/cloud-config-container/mysql/versions.tofu
index d3a6bb8af..d66940d87 100644
--- a/modules/cloud-config-container/mysql/versions.tofu
+++ b/modules/cloud-config-container/mysql/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-config-container/nginx-tls/versions.tf b/modules/cloud-config-container/nginx-tls/versions.tf
index 587d1b228..f7d0702a1 100644
--- a/modules/cloud-config-container/nginx-tls/versions.tf
+++ b/modules/cloud-config-container/nginx-tls/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-config-container/nginx-tls/versions.tofu b/modules/cloud-config-container/nginx-tls/versions.tofu
index 76dde2fde..5a08f1496 100644
--- a/modules/cloud-config-container/nginx-tls/versions.tofu
+++ b/modules/cloud-config-container/nginx-tls/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-config-container/nginx/versions.tf b/modules/cloud-config-container/nginx/versions.tf
index beb899157..f4d03b13b 100644
--- a/modules/cloud-config-container/nginx/versions.tf
+++ b/modules/cloud-config-container/nginx/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-config-container/nginx/versions.tofu b/modules/cloud-config-container/nginx/versions.tofu
index 5acd1591d..a7879adb3 100644
--- a/modules/cloud-config-container/nginx/versions.tofu
+++ b/modules/cloud-config-container/nginx/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-config-container/simple-nva/versions.tf b/modules/cloud-config-container/simple-nva/versions.tf
index 88c9537da..75eea22e2 100644
--- a/modules/cloud-config-container/simple-nva/versions.tf
+++ b/modules/cloud-config-container/simple-nva/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-config-container/simple-nva/versions.tofu b/modules/cloud-config-container/simple-nva/versions.tofu
index eca53a0a6..e19ef5d98 100644
--- a/modules/cloud-config-container/simple-nva/versions.tofu
+++ b/modules/cloud-config-container/simple-nva/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-deploy/versions.tf b/modules/cloud-deploy/versions.tf
index 79f09c0bb..3e80ab0df 100644
--- a/modules/cloud-deploy/versions.tf
+++ b/modules/cloud-deploy/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-deploy/versions.tofu b/modules/cloud-deploy/versions.tofu
index 72972b10c..975b837af 100644
--- a/modules/cloud-deploy/versions.tofu
+++ b/modules/cloud-deploy/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-function-v1/versions.tf b/modules/cloud-function-v1/versions.tf
index 7877feb72..2e2a726b5 100644
--- a/modules/cloud-function-v1/versions.tf
+++ b/modules/cloud-function-v1/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-function-v1/versions.tofu b/modules/cloud-function-v1/versions.tofu
index 988ae90e9..c2741c106 100644
--- a/modules/cloud-function-v1/versions.tofu
+++ b/modules/cloud-function-v1/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-function-v2/versions.tf b/modules/cloud-function-v2/versions.tf
index beda65cfe..db05e8eec 100644
--- a/modules/cloud-function-v2/versions.tf
+++ b/modules/cloud-function-v2/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-function-v2/versions.tofu b/modules/cloud-function-v2/versions.tofu
index 6efe867b0..9261f428f 100644
--- a/modules/cloud-function-v2/versions.tofu
+++ b/modules/cloud-function-v2/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-identity-group/versions.tf b/modules/cloud-identity-group/versions.tf
index a7ba1ba00..dfe343157 100644
--- a/modules/cloud-identity-group/versions.tf
+++ b/modules/cloud-identity-group/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-identity-group/versions.tofu b/modules/cloud-identity-group/versions.tofu
index 8a0fa9410..8fd55f830 100644
--- a/modules/cloud-identity-group/versions.tofu
+++ b/modules/cloud-identity-group/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-run-v2/versions.tf b/modules/cloud-run-v2/versions.tf
index 54c37e798..7a3fafb84 100644
--- a/modules/cloud-run-v2/versions.tf
+++ b/modules/cloud-run-v2/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-run-v2/versions.tofu b/modules/cloud-run-v2/versions.tofu
index 38d5a3af7..50973fcd2 100644
--- a/modules/cloud-run-v2/versions.tofu
+++ b/modules/cloud-run-v2/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-run/versions.tf b/modules/cloud-run/versions.tf
index 8d65ab5f6..b49c8eb64 100644
--- a/modules/cloud-run/versions.tf
+++ b/modules/cloud-run/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloud-run/versions.tofu b/modules/cloud-run/versions.tofu
index 0da31022e..08264a339 100644
--- a/modules/cloud-run/versions.tofu
+++ b/modules/cloud-run/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloudsql-instance/versions.tf b/modules/cloudsql-instance/versions.tf
index bd601b133..02ab65a75 100644
--- a/modules/cloudsql-instance/versions.tf
+++ b/modules/cloudsql-instance/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/cloudsql-instance/versions.tofu b/modules/cloudsql-instance/versions.tofu
index 506b04c05..f69805cd3 100644
--- a/modules/cloudsql-instance/versions.tofu
+++ b/modules/cloudsql-instance/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/compute-mig/versions.tf b/modules/compute-mig/versions.tf
index 488cf17bf..ee55ef6bd 100644
--- a/modules/compute-mig/versions.tf
+++ b/modules/compute-mig/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/compute-mig/versions.tofu b/modules/compute-mig/versions.tofu
index 02c706dd4..72c52f01c 100644
--- a/modules/compute-mig/versions.tofu
+++ b/modules/compute-mig/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/compute-vm/versions.tf b/modules/compute-vm/versions.tf
index be138e3d6..229f8705c 100644
--- a/modules/compute-vm/versions.tf
+++ b/modules/compute-vm/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/compute-vm/versions.tofu b/modules/compute-vm/versions.tofu
index f0bc0499c..468dd1ead 100644
--- a/modules/compute-vm/versions.tofu
+++ b/modules/compute-vm/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/container-registry/versions.tf b/modules/container-registry/versions.tf
index 65d0de698..4dcf2fa62 100644
--- a/modules/container-registry/versions.tf
+++ b/modules/container-registry/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/container-registry/versions.tofu b/modules/container-registry/versions.tofu
index 7e7fb1832..83abc0673 100644
--- a/modules/container-registry/versions.tofu
+++ b/modules/container-registry/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/data-catalog-policy-tag/versions.tf b/modules/data-catalog-policy-tag/versions.tf
index e647519bd..ab95ba916 100644
--- a/modules/data-catalog-policy-tag/versions.tf
+++ b/modules/data-catalog-policy-tag/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/data-catalog-policy-tag/versions.tofu b/modules/data-catalog-policy-tag/versions.tofu
index ba3a1c994..d028f25ff 100644
--- a/modules/data-catalog-policy-tag/versions.tofu
+++ b/modules/data-catalog-policy-tag/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/data-catalog-tag-template/versions.tf b/modules/data-catalog-tag-template/versions.tf
index 4901b4290..ba7abafd0 100644
--- a/modules/data-catalog-tag-template/versions.tf
+++ b/modules/data-catalog-tag-template/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/data-catalog-tag-template/versions.tofu b/modules/data-catalog-tag-template/versions.tofu
index fa0d4091a..f592dfdf2 100644
--- a/modules/data-catalog-tag-template/versions.tofu
+++ b/modules/data-catalog-tag-template/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/data-catalog-tag/versions.tf b/modules/data-catalog-tag/versions.tf
index 98d150fcb..6d36eb5a6 100644
--- a/modules/data-catalog-tag/versions.tf
+++ b/modules/data-catalog-tag/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/data-catalog-tag/versions.tofu b/modules/data-catalog-tag/versions.tofu
index 89c97c452..a66ffe654 100644
--- a/modules/data-catalog-tag/versions.tofu
+++ b/modules/data-catalog-tag/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/dataform-repository/versions.tf b/modules/dataform-repository/versions.tf
index 0f4ab1675..182bd0af5 100644
--- a/modules/dataform-repository/versions.tf
+++ b/modules/dataform-repository/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/dataform-repository/versions.tofu b/modules/dataform-repository/versions.tofu
index 9b5266db4..d9eb45895 100644
--- a/modules/dataform-repository/versions.tofu
+++ b/modules/dataform-repository/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/datafusion/versions.tf b/modules/datafusion/versions.tf
index 9545b71df..ec554bf60 100644
--- a/modules/datafusion/versions.tf
+++ b/modules/datafusion/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/datafusion/versions.tofu b/modules/datafusion/versions.tofu
index 44d57b219..672a52c89 100644
--- a/modules/datafusion/versions.tofu
+++ b/modules/datafusion/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/dataplex-aspect-types/versions.tf b/modules/dataplex-aspect-types/versions.tf
index 874319dbc..dffd6f610 100644
--- a/modules/dataplex-aspect-types/versions.tf
+++ b/modules/dataplex-aspect-types/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/dataplex-aspect-types/versions.tofu b/modules/dataplex-aspect-types/versions.tofu
index 727294e8b..583244c97 100644
--- a/modules/dataplex-aspect-types/versions.tofu
+++ b/modules/dataplex-aspect-types/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/dataplex-datascan/versions.tf b/modules/dataplex-datascan/versions.tf
index 3d099be50..ae637edc3 100644
--- a/modules/dataplex-datascan/versions.tf
+++ b/modules/dataplex-datascan/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/dataplex-datascan/versions.tofu b/modules/dataplex-datascan/versions.tofu
index 9109e941e..cca063b1a 100644
--- a/modules/dataplex-datascan/versions.tofu
+++ b/modules/dataplex-datascan/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/dataplex/versions.tf b/modules/dataplex/versions.tf
index f1d12162d..501c7d163 100644
--- a/modules/dataplex/versions.tf
+++ b/modules/dataplex/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/dataplex/versions.tofu b/modules/dataplex/versions.tofu
index c195242d9..a215d00a1 100644
--- a/modules/dataplex/versions.tofu
+++ b/modules/dataplex/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/dataproc/versions.tf b/modules/dataproc/versions.tf
index 93400d5ea..9b4e52536 100644
--- a/modules/dataproc/versions.tf
+++ b/modules/dataproc/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/dataproc/versions.tofu b/modules/dataproc/versions.tofu
index 79812080e..7199c8547 100644
--- a/modules/dataproc/versions.tofu
+++ b/modules/dataproc/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/dns-response-policy/versions.tf b/modules/dns-response-policy/versions.tf
index 409bb1736..5c8c28ad1 100644
--- a/modules/dns-response-policy/versions.tf
+++ b/modules/dns-response-policy/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/dns-response-policy/versions.tofu b/modules/dns-response-policy/versions.tofu
index bd9661b60..1ad9943ef 100644
--- a/modules/dns-response-policy/versions.tofu
+++ b/modules/dns-response-policy/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/dns/versions.tf b/modules/dns/versions.tf
index b8806792b..73e1eb1b2 100644
--- a/modules/dns/versions.tf
+++ b/modules/dns/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/dns/versions.tofu b/modules/dns/versions.tofu
index afe2113ff..1debad325 100644
--- a/modules/dns/versions.tofu
+++ b/modules/dns/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/endpoints/versions.tf b/modules/endpoints/versions.tf
index 9435a696e..19dffcbae 100644
--- a/modules/endpoints/versions.tf
+++ b/modules/endpoints/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/endpoints/versions.tofu b/modules/endpoints/versions.tofu
index 0bf567ae3..160bfcb84 100644
--- a/modules/endpoints/versions.tofu
+++ b/modules/endpoints/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/firestore/versions.tf b/modules/firestore/versions.tf
index 9af18cbdb..b02b39b9b 100644
--- a/modules/firestore/versions.tf
+++ b/modules/firestore/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/firestore/versions.tofu b/modules/firestore/versions.tofu
index 9a2936c2d..b6a82f1d3 100644
--- a/modules/firestore/versions.tofu
+++ b/modules/firestore/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/folder/versions.tf b/modules/folder/versions.tf
index e271dd660..8cac5e36a 100644
--- a/modules/folder/versions.tf
+++ b/modules/folder/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/folder/versions.tofu b/modules/folder/versions.tofu
index 508e2a472..50cf9c75c 100644
--- a/modules/folder/versions.tofu
+++ b/modules/folder/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/gcs/versions.tf b/modules/gcs/versions.tf
index 1255a739d..494b8ee24 100644
--- a/modules/gcs/versions.tf
+++ b/modules/gcs/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/gcs/versions.tofu b/modules/gcs/versions.tofu
index 1a1449b4a..567456f5a 100644
--- a/modules/gcs/versions.tofu
+++ b/modules/gcs/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/gcve-private-cloud/versions.tf b/modules/gcve-private-cloud/versions.tf
index 9eaeefc60..06093c71a 100644
--- a/modules/gcve-private-cloud/versions.tf
+++ b/modules/gcve-private-cloud/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/gcve-private-cloud/versions.tofu b/modules/gcve-private-cloud/versions.tofu
index 7a1814fce..fbc9f2d06 100644
--- a/modules/gcve-private-cloud/versions.tofu
+++ b/modules/gcve-private-cloud/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/gke-cluster-autopilot/versions.tf b/modules/gke-cluster-autopilot/versions.tf
index cc372c6b6..b8d037d1e 100644
--- a/modules/gke-cluster-autopilot/versions.tf
+++ b/modules/gke-cluster-autopilot/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/gke-cluster-autopilot/versions.tofu b/modules/gke-cluster-autopilot/versions.tofu
index 76fb36cd2..245f52735 100644
--- a/modules/gke-cluster-autopilot/versions.tofu
+++ b/modules/gke-cluster-autopilot/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/gke-cluster-standard/versions.tf b/modules/gke-cluster-standard/versions.tf
index 5ef33db1e..c9e80ca52 100644
--- a/modules/gke-cluster-standard/versions.tf
+++ b/modules/gke-cluster-standard/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/gke-cluster-standard/versions.tofu b/modules/gke-cluster-standard/versions.tofu
index 561f07f73..91be66bae 100644
--- a/modules/gke-cluster-standard/versions.tofu
+++ b/modules/gke-cluster-standard/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/gke-hub/README.md b/modules/gke-hub/README.md
index 3bf643b48..f01783f0f 100644
--- a/modules/gke-hub/README.md
+++ b/modules/gke-hub/README.md
@@ -11,6 +11,15 @@ To use this module you must ensure the following APIs are enabled in the target
- `multiclusterservicediscovery.googleapis.com`
- `mesh.googleapis.com`
+
+- [Full GKE Hub example](#full-gke-hub-example)
+- [Multi-cluster service mesh on GKE](#multi-cluster-service-mesh-on-gke)
+- [Fleet Default Member Configuration Example](#fleet-default-member-configuration-example)
+- [Policy Controller with Custom Configurations](#policy-controller-with-custom-configurations)
+- [Variables](#variables)
+- [Outputs](#outputs)
+
+
## Full GKE Hub example
```hcl
@@ -75,10 +84,17 @@ module "hub" {
project_id = module.project.project_id
location = "europe-west1"
clusters = {
- cluster-1 = module.cluster_1.id
+ cluster-1 = {
+ id = module.cluster_1.id
+ configmanagement = "default"
+ policycontroller = "default"
+ servicemesh = null
+ workload_identity = false
+ }
}
features = {
configmanagement = true
+ policycontroller = true
}
configmanagement_templates = {
default = {
@@ -95,24 +111,26 @@ module "hub" {
enable_hierarchical_resource_quota = true
enable_pod_tree_labels = true
}
- policy_controller = {
- audit_interval_seconds = 120
- log_denies_enabled = true
- referential_rules_enabled = true
- template_library_installed = true
- }
version = "v1"
}
}
- configmanagement_clusters = {
- "default" = ["cluster-1"]
+ policycontroller_templates = {
+ default = {
+ version = "v1.17.3"
+ policy_controller_hub_config = {
+ audit_interval_seconds = 120
+ exemptable_namespaces = ["kube-system", "kube-public"]
+ log_denies_enabled = true
+ referential_rules_enabled = true
+ }
+ }
}
}
-# tftest modules=4 resources=28 inventory=full.yaml
+# tftest inventory=full.yaml
```
-## Multi-cluster mesh on GKE
+## Multi-cluster service mesh on GKE
```hcl
module "project" {
@@ -276,8 +294,20 @@ module "hub" {
source = "./fabric/modules/gke-hub"
project_id = module.project.project_id
clusters = {
- cluster-1 = module.cluster_1.id
- cluster-2 = module.cluster_2.id
+ cluster-1 = {
+ id = module.cluster_1.id
+ configmanagement = null
+ policycontroller = null
+ servicemesh = null
+ workload_identity = true
+ }
+ cluster-2 = {
+ id = module.cluster_2.id
+ configmanagement = null
+ policycontroller = null
+ servicemesh = null
+ workload_identity = true
+ }
}
features = {
appdevexperience = false
@@ -287,13 +317,9 @@ module "hub" {
servicemesh = true
multiclusterservicediscovery = false
}
- workload_identity_clusters = [
- "cluster-1",
- "cluster-2"
- ]
}
-# tftest modules=8 resources=44
+# tftest modules=8 resources=42
```
## Fleet Default Member Configuration Example
@@ -301,13 +327,152 @@ module "hub" {
This example demonstrates how to use the enhanced `fleet_default_member_config` to configure default settings for all member clusters in the fleet:
```hcl
+module "project" {
+ source = "./fabric/modules/project"
+ billing_account = "123-456-789"
+ name = "gkehub-test"
+ parent = "folders/12345"
+ services = [
+ "anthos.googleapis.com",
+ "container.googleapis.com",
+ "gkehub.googleapis.com",
+ "gkeconnect.googleapis.com",
+ "mesh.googleapis.com",
+ "meshconfig.googleapis.com",
+ "meshca.googleapis.com"
+ ]
+}
+
+module "vpc" {
+ source = "./fabric/modules/net-vpc"
+ project_id = module.project.project_id
+ name = "vpc"
+ mtu = 1500
+ subnets = [
+ {
+ ip_cidr_range = "10.0.1.0/24"
+ name = "subnet-cluster-1"
+ region = "europe-west1"
+ secondary_ip_ranges = {
+ pods = { ip_cidr_range = "10.1.0.0/16" }
+ services = { ip_cidr_range = "10.2.0.0/24" }
+ }
+ },
+ {
+ ip_cidr_range = "10.0.2.0/24"
+ name = "subnet-cluster-2"
+ region = "europe-west4"
+ secondary_ip_ranges = {
+ pods = { ip_cidr_range = "10.3.0.0/16" }
+ services = { ip_cidr_range = "10.4.0.0/24" }
+ }
+ },
+ {
+ ip_cidr_range = "10.0.0.0/28"
+ name = "subnet-mgmt"
+ region = "europe-west1"
+ secondary_ip_ranges = null
+ }
+ ]
+}
+
+module "cluster_1" {
+ source = "./fabric/modules/gke-cluster-standard"
+ project_id = module.project.project_id
+ name = "cluster-1"
+ location = "europe-west1"
+ access_config = {
+ ip_access = {
+ authorized_ranges = {
+ mgmt = "10.0.0.0/28"
+ pods-cluster-1 = "10.3.0.0/16"
+ }
+ }
+ }
+ vpc_config = {
+ network = module.vpc.self_link
+ subnetwork = module.vpc.subnet_self_links["europe-west1/subnet-cluster-1"]
+ }
+ release_channel = "REGULAR"
+ labels = {
+ mesh_id = "proj-${module.project.number}"
+ }
+ enable_features = {
+ workload_identity = true
+ dataplane_v2 = true
+ }
+}
+
+module "cluster_1_nodepool" {
+ source = "./fabric/modules/gke-nodepool"
+ project_id = module.project.project_id
+ cluster_name = module.cluster_1.name
+ cluster_id = module.cluster_1.id
+ location = "europe-west1"
+ name = "cluster-1-nodepool"
+ node_count = { initial = 1 }
+ service_account = { create = true }
+ tags = ["cluster-1-node"]
+}
+
+module "cluster_2" {
+ source = "./fabric/modules/gke-cluster-standard"
+ project_id = module.project.project_id
+ name = "cluster-2"
+ location = "europe-west4"
+ access_config = {
+ ip_access = {
+ authorized_ranges = {
+ mgmt = "10.0.0.0/28"
+ pods-cluster-1 = "10.3.0.0/16"
+ }
+ }
+ }
+ vpc_config = {
+ network = module.vpc.self_link
+ subnetwork = module.vpc.subnet_self_links["europe-west4/subnet-cluster-2"]
+ }
+ release_channel = "REGULAR"
+ labels = {
+ mesh_id = "proj-${module.project.number}"
+ }
+ enable_features = {
+ workload_identity = true
+ dataplane_v2 = true
+ }
+}
+
+module "cluster_2_nodepool" {
+ source = "./fabric/modules/gke-nodepool"
+ project_id = module.project.project_id
+ cluster_name = module.cluster_2.name
+ cluster_id = module.cluster_2.id
+ location = "europe-west4"
+ name = "cluster-2-nodepool"
+ node_count = { initial = 1 }
+ service_account = { create = true }
+ tags = ["cluster-2-node"]
+}
+
module "hub" {
source = "./fabric/modules/gke-hub"
project_id = module.project.project_id
location = "europe-west1"
clusters = {
- cluster-1 = module.cluster_1.id
- cluster-2 = module.cluster_2.id
+ cluster-1 = {
+ id = module.cluster_1.id
+ configmanagement = "cluster-specific"
+ policycontroller = null
+ servicemesh = null
+ workload_identity = false
+ }
+ cluster-2 = {
+ id = module.cluster_2.id
+ configmanagement = null
+ policycontroller = null
+ servicemesh = null
+ workload_identity = false
+ }
}
features = {
configmanagement = true
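Review bot: The control-plane `authorized_ranges` entry `pods-cluster-1 = "10.3.0.0/16"` added to both `cluster_1` and `cluster_2` does not match the VPC defined earlier in this same hunk, where 10.3.0.0/16 is the pods range of `subnet-cluster-2` and `subnet-cluster-1` uses 10.1.0.0/16. As written, `cluster_2` authorizes its own pod range under a cluster-1 label, so a reader copying the example may admit a different range to the API endpoint than the key suggests. If cross-cluster access is the intent, use `pods-cluster-2 = "10.3.0.0/16"` in `cluster_1` and `pods-cluster-1 = "10.1.0.0/16"` in `cluster_2`; if the example does not need pod access to the control plane, keep only the `mgmt` entry. The same entries recur in the Policy Controller example added in the following hunk. The `hub` module block at the end of this hunk continues outside it.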
@@ -317,7 +482,7 @@ module "hub" {
# Fleet default member configuration
fleet_default_member_config = {
# Service Mesh configuration
- mesh = {
+ servicemesh = {
management = "MANAGEMENT_AUTOMATIC"
}
@@ -357,24 +522,297 @@ module "hub" {
version = "v1"
}
}
- configmanagement_clusters = {
- "cluster-specific" = ["cluster-1"]
+}
+# tftest modules=7 resources=38 inventory=defaults.yaml
+```
+
+## Policy Controller with Custom Configurations
+
+This example shows how to configure Policy Controller with custom configurations now that it's separated from Config Management:
+
+```hcl
+module "project" {
+ source = "./fabric/modules/project"
+ billing_account = "123-456-789"
+ name = "gkehub-test"
+ parent = "folders/12345"
+ services = [
+ "anthos.googleapis.com",
+ "container.googleapis.com",
+ "gkehub.googleapis.com",
+ "gkeconnect.googleapis.com",
+ "mesh.googleapis.com",
+ "meshconfig.googleapis.com",
+ "meshca.googleapis.com"
+ ]
+}
+
+module "vpc" {
+ source = "./fabric/modules/net-vpc"
+ project_id = module.project.project_id
+ name = "vpc"
+ mtu = 1500
+ subnets = [
+ {
+ ip_cidr_range = "10.0.1.0/24"
+ name = "subnet-cluster-1"
+ region = "europe-west1"
+ secondary_ip_ranges = {
+ pods = { ip_cidr_range = "10.1.0.0/16" }
+ services = { ip_cidr_range = "10.2.0.0/24" }
+ }
+ },
+ {
+ ip_cidr_range = "10.0.2.0/24"
+ name = "subnet-cluster-2"
+ region = "europe-west4"
+ secondary_ip_ranges = {
+ pods = { ip_cidr_range = "10.3.0.0/16" }
+ services = { ip_cidr_range = "10.4.0.0/24" }
+ }
+ },
+ {
+ ip_cidr_range = "10.0.0.0/28"
+ name = "subnet-mgmt"
+ region = "europe-west1"
+ secondary_ip_ranges = null
+ }
+ ]
+}
+
+module "firewall" {
+ source = "./fabric/modules/net-vpc-firewall"
+ project_id = module.project.project_id
+ network = module.vpc.name
+ ingress_rules = {
+ allow-mesh = {
+ description = "Allow mesh"
+ priority = 900
+ source_ranges = ["10.1.0.0/16", "10.3.0.0/16"]
+ targets = ["cluster-1-node", "cluster-2-node"]
+ },
+ "allow-cluster-1-istio" = {
+ description = "Allow istio sidecar injection, istioctl version and istioctl ps"
+ source_ranges = ["192.168.1.0/28"]
+ targets = ["cluster-1-node"]
+ rules = [
+ { protocol = "tcp", ports = [8080, 15014, 15017] }
+ ]
+ },
+ "allow-cluster-2-istio" = {
+ description = "Allow istio sidecar injection, istioctl version and istioctl ps"
+ source_ranges = ["192.168.2.0/28"]
+ targets = ["cluster-2-node"]
+ rules = [
+ { protocol = "tcp", ports = [8080, 15014, 15017] }
+ ]
+ }
}
}
+
+module "cluster_1" {
+ source = "./fabric/modules/gke-cluster-standard"
+ project_id = module.project.project_id
+ name = "cluster-1"
+ location = "europe-west1"
+ access_config = {
+ ip_access = {
+ authorized_ranges = {
+ mgmt = "10.0.0.0/28"
+ pods-cluster-1 = "10.3.0.0/16"
+ }
+ }
+ }
+ vpc_config = {
+ network = module.vpc.self_link
+ subnetwork = module.vpc.subnet_self_links["europe-west1/subnet-cluster-1"]
+ }
+ release_channel = "REGULAR"
+ labels = {
+ mesh_id = "proj-${module.project.number}"
+ }
+ enable_features = {
+ workload_identity = true
+ dataplane_v2 = true
+ }
+}
+
+module "cluster_1_nodepool" {
+ source = "./fabric/modules/gke-nodepool"
+ project_id = module.project.project_id
+ cluster_name = module.cluster_1.name
+ cluster_id = module.cluster_1.id
+ location = "europe-west1"
+ name = "cluster-1-nodepool"
+ node_count = { initial = 1 }
+ service_account = { create = true }
+ tags = ["cluster-1-node"]
+}
+
+module "cluster_2" {
+ source = "./fabric/modules/gke-cluster-standard"
+ project_id = module.project.project_id
+ name = "cluster-2"
+ location = "europe-west4"
+ access_config = {
+ ip_access = {
+ authorized_ranges = {
+ mgmt = "10.0.0.0/28"
+ pods-cluster-1 = "10.3.0.0/16"
+ }
+ }
+ }
+ vpc_config = {
+ network = module.vpc.self_link
+ subnetwork = module.vpc.subnet_self_links["europe-west4/subnet-cluster-2"]
+ }
+ release_channel = "REGULAR"
+ labels = {
+ mesh_id = "proj-${module.project.number}"
+ }
+ enable_features = {
+ workload_identity = true
+ dataplane_v2 = true
+ }
+}
+
+module "cluster_2_nodepool" {
+ source = "./fabric/modules/gke-nodepool"
+ project_id = module.project.project_id
+ cluster_name = module.cluster_2.name
+ cluster_id = module.cluster_2.id
+ location = "europe-west4"
+ name = "cluster-2-nodepool"
+ node_count = { initial = 1 }
+ service_account = { create = true }
+ tags = ["cluster-2-node"]
+}
+
+module "hub" {
+ source = "./fabric/modules/gke-hub"
+ project_id = var.project_id
+ location = "europe-west1"
+ clusters = {
+ cluster-1 = {
+ id = module.cluster_1.id
+ configmanagement = "default"
+ policycontroller = "strict"
+ servicemesh = null
+ workload_identity = false
+ }
+ cluster-2 = {
+ id = module.cluster_2.id
+ configmanagement = "default"
+ policycontroller = "permissive"
+ servicemesh = null
+ workload_identity = false
+ }
+ }
+ features = {
+ configmanagement = true
+ policycontroller = true
+ }
+
+ # Config Management configuration (without policy controller)
+ configmanagement_templates = {
+ default = {
+ version = "v1"
+ config_sync = {
+ git = {
+ sync_repo = "https://github.com/your-org/config-repo"
+ policy_dir = "configsync"
+ sync_branch = "main"
+ }
+ source_format = "hierarchy"
+ }
+ }
+ }
+
+ # Policy Controller configuration (separate from Config Management)
+ policycontroller_templates = {
+ strict = {
+ version = "v1.17.3"
+ policy_controller_hub_config = {
+ audit_interval_seconds = 60
+ constraint_violation_limit = 20
+ exemptable_namespaces = ["kube-system", "kube-public", "kube-node-lease"]
+ install_spec = "INSTALL_SPEC_ENABLED"
+ log_denies_enabled = true
+ mutation_enabled = false
+ referential_rules_enabled = true
+
+ deployment_configs = {
+ "admission" = {
+ replica_count = 3
+ container_resources = {
+ limits = {
+ cpu = "1000m"
+ memory = "512Mi"
+ }
+ requests = {
+ cpu = "100m"
+ memory = "256Mi"
+ }
+ }
+ }
+ "audit" = {
+ replica_count = 1
+ container_resources = {
+ limits = {
+ cpu = "1000m"
+ memory = "512Mi"
+ }
+ requests = {
+ cpu = "100m"
+ memory = "256Mi"
+ }
+ }
+ }
+ }
+
+ monitoring = {
+ backends = ["PROMETHEUS"]
+ }
+
+ policy_content = {
+ bundles = {
+ "policy-essentials-v2022" = {
+ exempted_namespaces = ["kube-system", "kube-public"]
+ }
+ }
+ template_library = {
+ installation = "ALL"
+ }
+ }
+ }
+ }
+
+ permissive = {
+ version = "v1.17.3"
+ policy_controller_hub_config = {
+ audit_interval_seconds = 120
+ exemptable_namespaces = ["kube-system", "kube-public", "kube-node-lease", "gke-system"]
+ log_denies_enabled = false
+ referential_rules_enabled = false
+ }
+ }
+ }
+}
+# tftest modules=8 resources=47 inventory=policycontroller.yaml
```
## Variables
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [project_id](variables.tf#L115) | GKE hub project ID. | string | ✓ | |
-| [clusters](variables.tf#L17) | Clusters members of this GKE Hub in name => id format. | map(string) | | {} |
-| [configmanagement_clusters](variables.tf#L24) | Config management features enabled on specific sets of member clusters, in config name => [cluster name] format. | map(list(string)) | | {} |
-| [configmanagement_templates](variables.tf#L31) | Sets of config management configurations that can be applied to member clusters, in config name => {options} format. | map(object({…})) | | {} |
-| [features](variables.tf#L65) | Enable and configure fleet features. | object({…}) | | {} |
-| [fleet_default_member_config](variables.tf#L79) | Fleet default member config. | object({…}) | | null |
-| [location](variables.tf#L108) | GKE hub location, will also be used for the membership location. | string | | null |
-| [workload_identity_clusters](variables.tf#L120) | Clusters that will use Fleet Workload Identity. | list(string) | | [] |
+| [project_id](variables.tf#L207) | GKE hub project ID. | string | ✓ | |
+| [clusters](variables.tf#L17) | A map of GKE clusters to register with GKE Hub and their associated feature configurations. The key is a logical name for the cluster, and the value is an object describing the cluster and its features. | map(object({…})) | | {} |
+| [configmanagement_templates](variables.tf#L30) | Sets of config management configurations that can be applied to member clusters, in config name => {options} format. | map(object({…})) | | {} |
+| [features](variables.tf#L64) | Enable and configure fleet features. | object({…}) | | {} |
+| [fleet_default_member_config](variables.tf#L79) | Fleet default member config. | object({…}) | | null |
+| [location](variables.tf#L151) | GKE hub location, will also be used for the membership location. | string | | null |
+| [policycontroller_templates](variables.tf#L158) | Sets of Policy Controller configurations that can be applied to member clusters, in config name => {options} format. | map(object({…})) | | {} |
+| [servicemesh_templates](variables.tf#L212) | Sets of Service Mesh configurations that can be applied to member clusters, in config name => {options} format. | map(object({…})) | | {} |
## Outputs
diff --git a/modules/gke-hub/main.tf b/modules/gke-hub/main.tf
index c4456ecd5..103642bf7 100644
--- a/modules/gke-hub/main.tf
+++ b/modules/gke-hub/main.tf
@@ -15,22 +15,37 @@
*/
locals {
- _cluster_cm_config = flatten([
- for template, clusters in var.configmanagement_clusters : [
- for cluster in clusters : {
- cluster = cluster
- template = lookup(var.configmanagement_templates, template, null)
- }
- ]
- ])
+ # Filter and prepare config management configurations
cluster_cm_config = {
- for k in local._cluster_cm_config : k.cluster => k.template if(
- k.template != null &&
- var.features.configmanagement == true
- )
+ for key, cluster in var.clusters :
+ key => lookup(var.configmanagement_templates, cluster.configmanagement, null)
+ if cluster.configmanagement != null &&
+ var.features.configmanagement == true &&
+ lookup(var.configmanagement_templates, cluster.configmanagement, null) != null
}
+
+ # Filter and prepare policy controller configurations
+ cluster_pc_config = {
+ for key, cluster in var.clusters :
+ key => lookup(var.policycontroller_templates, cluster.policycontroller, null)
+ if cluster.policycontroller != null &&
+ var.features.policycontroller == true &&
+ lookup(var.policycontroller_templates, cluster.policycontroller, null) != null
+ }
+
+ # Filter and prepare service mesh configurations
+ cluster_mesh_config = {
+ for key, cluster in var.clusters :
+ key => lookup(var.servicemesh_templates, cluster.servicemesh, null)
+ if cluster.servicemesh != null &&
+ var.features.servicemesh == true &&
+ lookup(var.servicemesh_templates, cluster.servicemesh, null) != null
+ }
+
hub_features = {
- for k, v in var.features : k => v if v != null && v != false && v != ""
+ for k, v in var.features :
+ k => v
+ if v != null && v != false && v != ""
}
}
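Review bot: A cluster that names a template which does not exist is silently dropped from `cluster_pc_config` (and likewise from `cluster_cm_config` and `cluster_mesh_config`), because the `lookup(..., null) != null` clause filters it out instead of failing. A typo such as `policycontroller = "strcit"` would therefore plan cleanly and leave that cluster with no Policy Controller membership at all, which is a fail-open result for an admission control. I would index the map directly, `key => var.policycontroller_templates[cluster.policycontroller]`, and drop the third condition, so an unknown name is a plan-time error. The same change applies to the other two maps.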
@@ -42,15 +57,13 @@ resource "google_gke_hub_membership" "default" {
membership_id = each.key
endpoint {
gke_cluster {
- resource_link = "//container.googleapis.com/${each.value}"
+ resource_link = "//container.googleapis.com/${each.value.id}"
}
}
dynamic "authority" {
- for_each = (
- contains(var.workload_identity_clusters, each.key) ? { 1 = 1 } : {}
- )
+ for_each = each.value.workload_identity ? [1] : []
content {
- issuer = "https://container.googleapis.com/v1/${var.clusters[each.key]}"
+ issuer = "https://container.googleapis.com/v1/${each.value.id}"
}
}
}
@@ -62,7 +75,7 @@ resource "google_gke_hub_feature" "default" {
name = each.key
location = "global"
dynamic "spec" {
- for_each = each.key == "multiclusteringress" && each.value != null ? { 1 = 1 } : {}
+ for_each = each.key == "multiclusteringress" && each.value != null ? [1] : []
content {
multiclusteringress {
config_membership = google_gke_hub_membership.default[each.value].id
@@ -70,29 +83,29 @@ resource "google_gke_hub_feature" "default" {
}
}
dynamic "fleet_default_member_config" {
- for_each = var.fleet_default_member_config != null ? { 1 = 1 } : {}
+ for_each = var.fleet_default_member_config[*]
content {
dynamic "mesh" {
- for_each = var.fleet_default_member_config.mesh != null ? { 1 = 1 } : {}
+ for_each = var.fleet_default_member_config.mesh[*]
content {
- management = try(mesh.value.management, "MANAGEMENT_AUTOMATIC")
+ management = mesh.value.management
}
}
dynamic "configmanagement" {
- for_each = var.fleet_default_member_config.configmanagement != null ? { 1 = 1 } : {}
+ for_each = var.fleet_default_member_config.configmanagement[*]
content {
version = configmanagement.value.version
dynamic "config_sync" {
- for_each = configmanagement.value.config_sync != null ? { 1 = 1 } : {}
+ for_each = configmanagement.value.config_sync[*]
content {
prevent_drift = config_sync.value.prevent_drift
source_format = config_sync.value.source_format
enabled = config_sync.value.enabled
dynamic "git" {
- for_each = config_sync.value.git != null ? { 1 = 1 } : {}
+ for_each = config_sync.value.git[*]
content {
gcp_service_account_email = git.value.gcp_service_account_email
https_proxy = git.value.https_proxy
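Review bot: The `mesh` block now passes `mesh.value.management` through with no fallback, which changes the effective default. Under the old `{ 1 = 1 }` iterator `mesh.value` was the number `1`, so the removed `try(...)` always yielded `"MANAGEMENT_AUTOMATIC"`. The `mesh` type in `fleet_default_member_config` is not visible in this diff, so if `management` is optional without a default there, callers who omit it now send null. Either confirm the variable carries the default or keep it here with `management = coalesce(mesh.value.management, "MANAGEMENT_AUTOMATIC")`. The enclosing `google_gke_hub_feature` resource starts and ends outside this hunk.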
@@ -108,13 +121,99 @@ resource "google_gke_hub_feature" "default" {
}
}
}
+
+ dynamic "policycontroller" {
+ for_each = var.fleet_default_member_config.policycontroller[*]
+ content {
+ version = policycontroller.value.version
+
+ policy_controller_hub_config {
+ audit_interval_seconds = policycontroller.value.policy_controller_hub_config.audit_interval_seconds
+ constraint_violation_limit = policycontroller.value.policy_controller_hub_config.constraint_violation_limit
+ exemptable_namespaces = policycontroller.value.policy_controller_hub_config.exemptable_namespaces
+ install_spec = policycontroller.value.policy_controller_hub_config.install_spec
+ log_denies_enabled = policycontroller.value.policy_controller_hub_config.log_denies_enabled
+ mutation_enabled = policycontroller.value.policy_controller_hub_config.mutation_enabled
+ referential_rules_enabled = policycontroller.value.policy_controller_hub_config.referential_rules_enabled
+
+ dynamic "deployment_configs" {
+ for_each = policycontroller.value.policy_controller_hub_config.deployment_configs[*]
+ content {
+ component = deployment_configs.key
+
+ dynamic "container_resources" {
+ for_each = deployment_configs.value.container_resources[*]
+ content {
+ dynamic "limits" {
+ for_each = deployment_configs.value.container_resources.limits[*]
+ content {
+ cpu = limits.value.cpu
+ memory = limits.value.memory
+ }
+ }
+
+ dynamic "requests" {
+ for_each = deployment_configs.value.container_resources.requests[*]
+ content {
+ cpu = requests.value.cpu
+ memory = requests.value.memory
+ }
+ }
+ }
+ }
+
+ pod_affinity = deployment_configs.value.pod_affinity
+
+ dynamic "pod_toleration" {
+ for_each = deployment_configs.value.pod_toleration[*]
+ content {
+ key = pod_toleration.value.key
+ operator = pod_toleration.value.operator
+ value = pod_toleration.value.value
+ effect = pod_toleration.value.effect
+ }
+ }
+
+ replica_count = deployment_configs.value.replica_count
+ }
+ }
+
+ dynamic "monitoring" {
+ for_each = policycontroller.value.policy_controller_hub_config.monitoring[*]
+ content {
+ backends = monitoring.value.backends
+ }
+ }
+
+ dynamic "policy_content" {
+ for_each = policycontroller.value.policy_controller_hub_config.policy_content[*]
+ content {
+ dynamic "bundles" {
+ for_each = policy_content.value.bundles == null ? {} : policy_content.value.bundles
+ content {
+ bundle = bundles.key
+ exempted_namespaces = bundles.value.exempted_namespaces
+ }
+ }
+
+ dynamic "template_library" {
+ for_each = policycontroller.value.policy_controller_hub_config.policy_content.template_library[*]
+ content {
+ installation = template_library.value.installation
+ }
+ }
+ }
+ }
+ }
+ }
+ }
}
}
}
resource "google_gke_hub_feature_membership" "servicemesh" {
provider = google-beta
- for_each = var.features.servicemesh ? var.clusters : {}
+ for_each = local.cluster_mesh_config
project = var.project_id
location = "global"
feature = google_gke_hub_feature.default["servicemesh"].name
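Review bot: In the fleet-default `policycontroller` block, `dynamic "deployment_configs"` iterates `deployment_configs[*]`, but the variable declares `deployment_configs` as a `map(object(...))`. As far as I can tell, a splat on a non-null map wraps the whole map in a one-element tuple. That would make `deployment_configs.key` the index `0` rather than the component name, and `deployment_configs.value.container_resources` would not resolve. The per-membership resource later in this file iterates the map itself, and this block should do the same: `for_each = coalesce(policycontroller.value.policy_controller_hub_config.deployment_configs, {})`. The README example only exercises `policycontroller_templates`, so this path looks untested; a `fleet_default_member_config` case with `deployment_configs` would cover it.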
@@ -122,7 +221,102 @@ resource "google_gke_hub_feature_membership" "servicemesh" {
membership_location = var.location
mesh {
- management = "MANAGEMENT_AUTOMATIC"
+ management = each.value.management
+ }
+}
+
+resource "google_gke_hub_feature_membership" "policycontroller" {
+ provider = google-beta
+ for_each = local.cluster_pc_config
+ project = var.project_id
+ location = "global"
+ feature = google_gke_hub_feature.default["policycontroller"].name
+ membership = google_gke_hub_membership.default[each.key].membership_id
+ membership_location = var.location
+
+ policycontroller {
+ version = each.value.version
+
+ policy_controller_hub_config {
+ audit_interval_seconds = each.value.policy_controller_hub_config.audit_interval_seconds
+ constraint_violation_limit = each.value.policy_controller_hub_config.constraint_violation_limit
+
+ dynamic "policy_content" {
+ for_each = each.value.policy_controller_hub_config.policy_content[*]
+ content {
+ dynamic "bundles" {
+ for_each = policy_content.value.bundles == null ? {} : policy_content.value.bundles
+ content {
+ bundle_name = bundles.key
+ exempted_namespaces = bundles.value.exempted_namespaces
+ }
+ }
+
+ dynamic "template_library" {
+ for_each = policy_content.value.template_library[*]
+ content {
+ installation = template_library.value.installation
+ }
+ }
+ }
+ }
+
+ dynamic "deployment_configs" {
+ for_each = each.value.policy_controller_hub_config.deployment_configs == null ? {} : each.value.policy_controller_hub_config.deployment_configs
+ content {
+ component_name = deployment_configs.key
+
+ dynamic "container_resources" {
+ for_each = deployment_configs.value.container_resources[*]
+ content {
+ dynamic "limits" {
+ for_each = container_resources.value.limits[*]
+ content {
+ cpu = container_resources.value.limits.cpu
+ memory = container_resources.value.limits.memory
+ }
+ }
+
+ dynamic "requests" {
+ for_each = container_resources.value.requests[*]
+ content {
+ cpu = requests.value.cpu
+ memory = requests.value.memory
+ }
+ }
+ }
+ }
+
+ pod_affinity = deployment_configs.value.pod_affinity
+
+ dynamic "pod_tolerations" {
+ for_each = deployment_configs.value.pod_tolerations[*]
+ content {
+ key = pod_tolerations.value.key
+ operator = pod_tolerations.value.operator
+ value = pod_tolerations.value.value
+ effect = pod_tolerations.value.effect
+ }
+ }
+
+ replica_count = deployment_configs.value.replica_count
+ }
+ }
+
+ exemptable_namespaces = each.value.policy_controller_hub_config.exemptable_namespaces
+ install_spec = each.value.policy_controller_hub_config.install_spec
+ log_denies_enabled = each.value.policy_controller_hub_config.log_denies_enabled
+
+ dynamic "monitoring" {
+ for_each = each.value.policy_controller_hub_config.monitoring[*]
+ content {
+ backends = monitoring.value.backends
+ }
+ }
+
+ mutation_enabled = each.value.policy_controller_hub_config.mutation_enabled
+ referential_rules_enabled = each.value.policy_controller_hub_config.referential_rules_enabled
+ }
}
}
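Review bot: Inside `dynamic "limits"` the content reads `container_resources.value.limits.cpu` and `.memory`, while the sibling `dynamic "requests"` block reads from its own iterator (`requests.value.cpu`). Both resolve to the same values, but the mixed style makes the block harder to check against the schema. I would write `cpu = limits.value.cpu` and `memory = limits.value.memory` so the two blocks match.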
@@ -139,61 +333,37 @@ resource "google_gke_hub_feature_membership" "default" {
version = each.value.version
dynamic "config_sync" {
- for_each = each.value.config_sync == null ? {} : { 1 = 1 }
+ for_each = each.value.config_sync[*]
content {
- prevent_drift = each.value.config_sync.prevent_drift
- source_format = each.value.config_sync.source_format
+ prevent_drift = config_sync.value.prevent_drift
+ source_format = config_sync.value.source_format
enabled = true
dynamic "git" {
- for_each = (
- try(each.value.config_sync.git, null) == null ? {} : { 1 = 1 }
- )
+ for_each = config_sync.value.git[*]
content {
gcp_service_account_email = (
- each.value.config_sync.git.gcp_service_account_email
+ git.value.gcp_service_account_email
)
- https_proxy = each.value.config_sync.git.https_proxy
- policy_dir = each.value.config_sync.git.policy_dir
- secret_type = each.value.config_sync.git.secret_type
- sync_branch = each.value.config_sync.git.sync_branch
- sync_repo = each.value.config_sync.git.sync_repo
- sync_rev = each.value.config_sync.git.sync_rev
- sync_wait_secs = each.value.config_sync.git.sync_wait_secs
+ https_proxy = git.value.https_proxy
+ policy_dir = git.value.policy_dir
+ secret_type = git.value.secret_type
+ sync_branch = git.value.sync_branch
+ sync_repo = git.value.sync_repo
+ sync_rev = git.value.sync_rev
+ sync_wait_secs = git.value.sync_wait_secs
}
}
}
}
dynamic "hierarchy_controller" {
- for_each = each.value.hierarchy_controller == null ? {} : { 1 = 1 }
+ for_each = each.value.hierarchy_controller[*]
content {
enable_hierarchical_resource_quota = (
- each.value.hierarchy_controller.enable_hierarchical_resource_quota
+ hierarchy_controller.value.enable_hierarchical_resource_quota
)
enable_pod_tree_labels = (
- each.value.hierarchy_controller.enable_pod_tree_labels
- )
- enabled = true
- }
- }
-
- dynamic "policy_controller" {
- for_each = each.value.policy_controller == null ? {} : { 1 = 1 }
- content {
- audit_interval_seconds = (
- each.value.policy_controller.audit_interval_seconds
- )
- exemptable_namespaces = (
- each.value.policy_controller.exemptable_namespaces
- )
- log_denies_enabled = (
- each.value.policy_controller.log_denies_enabled
- )
- referential_rules_enabled = (
- each.value.policy_controller.referential_rules_enabled
- )
- template_library_installed = (
- each.value.policy_controller.template_library_installed
+ hierarchy_controller.value.enable_pod_tree_labels
)
enabled = true
}
diff --git a/modules/gke-hub/outputs.tf b/modules/gke-hub/outputs.tf
index 2e74cdaf0..f65665488 100644
--- a/modules/gke-hub/outputs.tf
+++ b/modules/gke-hub/outputs.tf
@@ -23,5 +23,7 @@ output "cluster_ids" {
google_gke_hub_membership.default,
google_gke_hub_feature.default,
google_gke_hub_feature_membership.default,
+ google_gke_hub_feature_membership.policycontroller,
+ google_gke_hub_feature_membership.servicemesh,
]
}
diff --git a/modules/gke-hub/variables.tf b/modules/gke-hub/variables.tf
index fd5c0d7ea..c0b21863e 100644
--- a/modules/gke-hub/variables.tf
+++ b/modules/gke-hub/variables.tf
@@ -15,17 +15,16 @@
*/
variable "clusters" {
- description = "Clusters members of this GKE Hub in name => id format."
- type = map(string)
- default = {}
- nullable = false
-}
-
-variable "configmanagement_clusters" {
- description = "Config management features enabled on specific sets of member clusters, in config name => [cluster name] format."
- type = map(list(string))
- default = {}
- nullable = false
+ description = "A map of GKE clusters to register with GKE Hub and their associated feature configurations. The key is a logical name for the cluster, and the value is an object describing the cluster and its features."
+ type = map(object({
+ id = string
+ configmanagement = optional(string)
+ policycontroller = optional(string)
+ servicemesh = optional(string)
+ workload_identity = optional(bool, false)
+ }))
+ default = {}
+ nullable = false
}
variable "configmanagement_templates" {
@@ -50,16 +49,16 @@ variable "configmanagement_templates" {
enable_hierarchical_resource_quota = optional(bool)
enable_pod_tree_labels = optional(bool)
}))
- policy_controller = optional(object({
- audit_interval_seconds = optional(number)
- exemptable_namespaces = optional(list(string))
- log_denies_enabled = optional(bool)
- referential_rules_enabled = optional(bool)
- template_library_installed = optional(bool)
- }))
+ policy_controller = optional(any) # DEPRECATED: Use policycontroller_templates instead
}))
default = {}
nullable = false
+ validation {
+ condition = alltrue([
+ for k, v in var.configmanagement_templates : v.policy_controller == null
+ ])
+ error_message = "The 'policy_controller' field in configmanagement_templates is deprecated. Please use the 'policycontroller_templates' variable instead to configure Policy Controller with its own API."
+ }
}
variable "features" {
@@ -70,6 +69,7 @@ variable "features" {
identityservice = optional(bool, false)
multiclusteringress = optional(string, null)
multiclusterservicediscovery = optional(bool, false)
+ policycontroller = optional(bool, false)
servicemesh = optional(bool, false)
})
default = {}
@@ -100,6 +100,49 @@ variable "fleet_default_member_config" {
}))
}))
}))
+ policycontroller = optional(object({
+ version = optional(string)
+ policy_controller_hub_config = object({
+ audit_interval_seconds = optional(number)
+ constraint_violation_limit = optional(number)
+ exemptable_namespaces = optional(list(string))
+ install_spec = optional(string)
+ log_denies_enabled = optional(bool)
+ mutation_enabled = optional(bool)
+ referential_rules_enabled = optional(bool)
+ deployment_configs = optional(map(object({
+ container_resources = optional(object({
+ limits = optional(object({
+ cpu = optional(string)
+ memory = optional(string)
+ }))
+ requests = optional(object({
+ cpu = optional(string)
+ memory = optional(string)
+ }))
+ }))
+ pod_affinity = optional(string)
+ pod_toleration = optional(list(object({
+ key = optional(string)
+ operator = optional(string)
+ value = optional(string)
+ effect = optional(string)
+ })), [])
+ replica_count = optional(number)
+ })))
+ monitoring = optional(object({
+ backends = optional(list(string))
+ }))
+ policy_content = optional(object({
+ bundles = optional(map(object({
+ exempted_namespaces = optional(list(string))
+ })))
+ template_library = optional(object({
+ installation = optional(string)
+ }))
+ }))
+ })
+ }))
})
default = null
nullable = true
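Review bot: This schema names the tolerations attribute `pod_toleration`, while the otherwise identical `policycontroller_templates` schema added further down uses `pod_tolerations`. That presumably mirrors the differing provider block names, but module callers see two near-identical objects with one attribute spelled differently. Because these are object types with optional attributes, an attribute written with the other spelling is discarded during type conversion rather than rejected, so the tolerations would silently not apply. I would use one spelling in both variables and map it to the provider block name in `main.tf`, or at least add a comment on the attribute such as `# singular here, plural in policycontroller_templates`.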
@@ -112,14 +155,65 @@ variable "location" {
nullable = true
}
+variable "policycontroller_templates" {
+ description = "Sets of Policy Controller configurations that can be applied to member clusters, in config name => {options} format."
+ type = map(object({
+ version = optional(string)
+ policy_controller_hub_config = object({
+ audit_interval_seconds = optional(number)
+ constraint_violation_limit = optional(number)
+ exemptable_namespaces = optional(list(string))
+ install_spec = optional(string)
+ log_denies_enabled = optional(bool)
+ mutation_enabled = optional(bool)
+ referential_rules_enabled = optional(bool)
+ deployment_configs = optional(map(object({
+ container_resources = optional(object({
+ limits = optional(object({
+ cpu = optional(string)
+ memory = optional(string)
+ }))
+ requests = optional(object({
+ cpu = optional(string)
+ memory = optional(string)
+ }))
+ }))
+ pod_affinity = optional(string)
+ pod_tolerations = optional(list(object({
+ key = optional(string)
+ operator = optional(string)
+ value = optional(string)
+ effect = optional(string)
+ })), [])
+ replica_count = optional(number)
+ })))
+ monitoring = optional(object({
+ backends = optional(list(string))
+ }))
+ policy_content = optional(object({
+ bundles = optional(map(object({
+ exempted_namespaces = optional(list(string))
+ })))
+ template_library = optional(object({
+ installation = optional(string)
+ }))
+ }))
+ })
+ }))
+ default = {}
+ nullable = false
+}
+
variable "project_id" {
description = "GKE hub project ID."
type = string
}
-variable "workload_identity_clusters" {
- description = "Clusters that will use Fleet Workload Identity."
- type = list(string)
- default = []
- nullable = false
+variable "servicemesh_templates" {
+ description = "Sets of Service Mesh configurations that can be applied to member clusters, in config name => {options} format."
+ type = map(object({
+ management = optional(string, "MANAGEMENT_AUTOMATIC")
+ }))
+ default = {}
+ nullable = false
}
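Review bot: `policycontroller_templates` leaves `install_spec` as a bare `optional(string)`, whereas `servicemesh_templates` in the same hunk gives `management` an explicit default. The README's `permissive` template omits `install_spec`, so the install state of a cluster using it depends on whatever the provider or API does with a null value, which is not visible here. For a security control I would make the intended state explicit, e.g. `install_spec = optional(string, "INSTALL_SPEC_ENABLED")`, or document on the attribute what an omitted value means.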
diff --git a/modules/gke-hub/versions.tf b/modules/gke-hub/versions.tf
index 90c9b3617..55ea07c19 100644
--- a/modules/gke-hub/versions.tf
+++ b/modules/gke-hub/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/gke-hub/versions.tofu b/modules/gke-hub/versions.tofu
index 05bbb9710..254ffb4e1 100644
--- a/modules/gke-hub/versions.tofu
+++ b/modules/gke-hub/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/gke-nodepool/versions.tf b/modules/gke-nodepool/versions.tf
index 88e34648f..0da82ce20 100644
--- a/modules/gke-nodepool/versions.tf
+++ b/modules/gke-nodepool/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/gke-nodepool/versions.tofu b/modules/gke-nodepool/versions.tofu
index 03e4dfe11..4e2bf7a65 100644
--- a/modules/gke-nodepool/versions.tofu
+++ b/modules/gke-nodepool/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/iam-service-account/versions.tf b/modules/iam-service-account/versions.tf
index ad968f046..ef3ce5562 100644
--- a/modules/iam-service-account/versions.tf
+++ b/modules/iam-service-account/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/iam-service-account/versions.tofu b/modules/iam-service-account/versions.tofu
index 58d22927a..0901a1d2b 100644
--- a/modules/iam-service-account/versions.tofu
+++ b/modules/iam-service-account/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/kms/versions.tf b/modules/kms/versions.tf
index 6c26bbcfb..20c749305 100644
--- a/modules/kms/versions.tf
+++ b/modules/kms/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/kms/versions.tofu b/modules/kms/versions.tofu
index 41997b1d2..9d7ee392e 100644
--- a/modules/kms/versions.tofu
+++ b/modules/kms/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/logging-bucket/versions.tf b/modules/logging-bucket/versions.tf
index 612c8f668..17d3621d0 100644
--- a/modules/logging-bucket/versions.tf
+++ b/modules/logging-bucket/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/logging-bucket/versions.tofu b/modules/logging-bucket/versions.tofu
index 870f4df43..9b84466c2 100644
--- a/modules/logging-bucket/versions.tofu
+++ b/modules/logging-bucket/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/looker-core/versions.tf b/modules/looker-core/versions.tf
index 910cef01b..b5e5cb8aa 100644
--- a/modules/looker-core/versions.tf
+++ b/modules/looker-core/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/looker-core/versions.tofu b/modules/looker-core/versions.tofu
index 04da4bde5..d1e163eb2 100644
--- a/modules/looker-core/versions.tofu
+++ b/modules/looker-core/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/managed-kafka/versions.tf b/modules/managed-kafka/versions.tf
index 43d0c9145..f37511b6e 100644
--- a/modules/managed-kafka/versions.tf
+++ b/modules/managed-kafka/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/managed-kafka/versions.tofu b/modules/managed-kafka/versions.tofu
index 7596abbd6..05b93f210 100644
--- a/modules/managed-kafka/versions.tofu
+++ b/modules/managed-kafka/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/ncc-spoke-ra/versions.tf b/modules/ncc-spoke-ra/versions.tf
index ef6c858f0..35a95fe4e 100644
--- a/modules/ncc-spoke-ra/versions.tf
+++ b/modules/ncc-spoke-ra/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/ncc-spoke-ra/versions.tofu b/modules/ncc-spoke-ra/versions.tofu
index 6b46e396a..cce9e2ccb 100644
--- a/modules/ncc-spoke-ra/versions.tofu
+++ b/modules/ncc-spoke-ra/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-address/versions.tf b/modules/net-address/versions.tf
index 46a3cf2ec..2a49d8a65 100644
--- a/modules/net-address/versions.tf
+++ b/modules/net-address/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-address/versions.tofu b/modules/net-address/versions.tofu
index a1885bc49..f161d040a 100644
--- a/modules/net-address/versions.tofu
+++ b/modules/net-address/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-cloudnat/versions.tf b/modules/net-cloudnat/versions.tf
index d7b4fff48..7d5ea293a 100644
--- a/modules/net-cloudnat/versions.tf
+++ b/modules/net-cloudnat/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-cloudnat/versions.tofu b/modules/net-cloudnat/versions.tofu
index c47c66706..79db7532c 100644
--- a/modules/net-cloudnat/versions.tofu
+++ b/modules/net-cloudnat/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-firewall-policy/versions.tf b/modules/net-firewall-policy/versions.tf
index b163c8ff0..0dd213620 100644
--- a/modules/net-firewall-policy/versions.tf
+++ b/modules/net-firewall-policy/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-firewall-policy/versions.tofu b/modules/net-firewall-policy/versions.tofu
index d19d99062..3103dd3ce 100644
--- a/modules/net-firewall-policy/versions.tofu
+++ b/modules/net-firewall-policy/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-ipsec-over-interconnect/versions.tf b/modules/net-ipsec-over-interconnect/versions.tf
index 7adda27d1..f1e6f2abf 100644
--- a/modules/net-ipsec-over-interconnect/versions.tf
+++ b/modules/net-ipsec-over-interconnect/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-ipsec-over-interconnect/versions.tofu b/modules/net-ipsec-over-interconnect/versions.tofu
index 80069fb95..4b49dc081 100644
--- a/modules/net-ipsec-over-interconnect/versions.tofu
+++ b/modules/net-ipsec-over-interconnect/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-lb-app-ext-regional/versions.tf b/modules/net-lb-app-ext-regional/versions.tf
index c6f64b6e1..f68a75ad0 100644
--- a/modules/net-lb-app-ext-regional/versions.tf
+++ b/modules/net-lb-app-ext-regional/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-lb-app-ext-regional/versions.tofu b/modules/net-lb-app-ext-regional/versions.tofu
index 0146cd09a..093d5b67a 100644
--- a/modules/net-lb-app-ext-regional/versions.tofu
+++ b/modules/net-lb-app-ext-regional/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-lb-app-ext/versions.tf b/modules/net-lb-app-ext/versions.tf
index 438747691..fa0483cbf 100644
--- a/modules/net-lb-app-ext/versions.tf
+++ b/modules/net-lb-app-ext/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-lb-app-ext/versions.tofu b/modules/net-lb-app-ext/versions.tofu
index d024e7097..8b8b112ae 100644
--- a/modules/net-lb-app-ext/versions.tofu
+++ b/modules/net-lb-app-ext/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-lb-app-int-cross-region/versions.tf b/modules/net-lb-app-int-cross-region/versions.tf
index e7cd8de2e..a46d353b4 100644
--- a/modules/net-lb-app-int-cross-region/versions.tf
+++ b/modules/net-lb-app-int-cross-region/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-lb-app-int-cross-region/versions.tofu b/modules/net-lb-app-int-cross-region/versions.tofu
index 6e2570f65..6010dd589 100644
--- a/modules/net-lb-app-int-cross-region/versions.tofu
+++ b/modules/net-lb-app-int-cross-region/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-lb-app-int/versions.tf b/modules/net-lb-app-int/versions.tf
index 73436e1f8..7f1d0df08 100644
--- a/modules/net-lb-app-int/versions.tf
+++ b/modules/net-lb-app-int/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-lb-app-int/versions.tofu b/modules/net-lb-app-int/versions.tofu
index c9d269eec..75b81da41 100644
--- a/modules/net-lb-app-int/versions.tofu
+++ b/modules/net-lb-app-int/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-lb-ext/versions.tf b/modules/net-lb-ext/versions.tf
index e5485bf11..11dd507da 100644
--- a/modules/net-lb-ext/versions.tf
+++ b/modules/net-lb-ext/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-lb-ext/versions.tofu b/modules/net-lb-ext/versions.tofu
index a02cf11fe..7f7735f66 100644
--- a/modules/net-lb-ext/versions.tofu
+++ b/modules/net-lb-ext/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-lb-int/versions.tf b/modules/net-lb-int/versions.tf
index 9345a3584..a0445fabf 100644
--- a/modules/net-lb-int/versions.tf
+++ b/modules/net-lb-int/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-lb-int/versions.tofu b/modules/net-lb-int/versions.tofu
index 3cc178adc..5dbf66810 100644
--- a/modules/net-lb-int/versions.tofu
+++ b/modules/net-lb-int/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-lb-proxy-int/versions.tf b/modules/net-lb-proxy-int/versions.tf
index c3b72cbbc..c5a36ff51 100644
--- a/modules/net-lb-proxy-int/versions.tf
+++ b/modules/net-lb-proxy-int/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-lb-proxy-int/versions.tofu b/modules/net-lb-proxy-int/versions.tofu
index 73183e561..bb25bf36f 100644
--- a/modules/net-lb-proxy-int/versions.tofu
+++ b/modules/net-lb-proxy-int/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-swp/versions.tf b/modules/net-swp/versions.tf
index 20c2e51bc..6588d825c 100644
--- a/modules/net-swp/versions.tf
+++ b/modules/net-swp/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-swp/versions.tofu b/modules/net-swp/versions.tofu
index a08dc2158..c9312f3ae 100644
--- a/modules/net-swp/versions.tofu
+++ b/modules/net-swp/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-vlan-attachment/versions.tf b/modules/net-vlan-attachment/versions.tf
index 835ce6c55..338bd28b7 100644
--- a/modules/net-vlan-attachment/versions.tf
+++ b/modules/net-vlan-attachment/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-vlan-attachment/versions.tofu b/modules/net-vlan-attachment/versions.tofu
index 893515f18..1c5fa7a96 100644
--- a/modules/net-vlan-attachment/versions.tofu
+++ b/modules/net-vlan-attachment/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-vpc-factory/versions.tf b/modules/net-vpc-factory/versions.tf
index 79ebbcb8a..8800d504f 100644
--- a/modules/net-vpc-factory/versions.tf
+++ b/modules/net-vpc-factory/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-vpc-factory/versions.tofu b/modules/net-vpc-factory/versions.tofu
index bfe360d63..9d31bb1a6 100644
--- a/modules/net-vpc-factory/versions.tofu
+++ b/modules/net-vpc-factory/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-vpc-firewall/versions.tf b/modules/net-vpc-firewall/versions.tf
index e2eaed207..0ca4d524a 100644
--- a/modules/net-vpc-firewall/versions.tf
+++ b/modules/net-vpc-firewall/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-vpc-firewall/versions.tofu b/modules/net-vpc-firewall/versions.tofu
index a317cef7a..833d8779d 100644
--- a/modules/net-vpc-firewall/versions.tofu
+++ b/modules/net-vpc-firewall/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-vpc-peering/versions.tf b/modules/net-vpc-peering/versions.tf
index aa3541cf8..5ea684eb3 100644
--- a/modules/net-vpc-peering/versions.tf
+++ b/modules/net-vpc-peering/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-vpc-peering/versions.tofu b/modules/net-vpc-peering/versions.tofu
index 9681f4ceb..93d143a0e 100644
--- a/modules/net-vpc-peering/versions.tofu
+++ b/modules/net-vpc-peering/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-vpc/versions.tf b/modules/net-vpc/versions.tf
index 383ab847c..9bd2c64c8 100644
--- a/modules/net-vpc/versions.tf
+++ b/modules/net-vpc/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-vpc/versions.tofu b/modules/net-vpc/versions.tofu
index 64bcb247b..e616e1b6f 100644
--- a/modules/net-vpc/versions.tofu
+++ b/modules/net-vpc/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-vpn-dynamic/versions.tf b/modules/net-vpn-dynamic/versions.tf
index 95f5a44f7..fa702fe4a 100644
--- a/modules/net-vpn-dynamic/versions.tf
+++ b/modules/net-vpn-dynamic/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-vpn-dynamic/versions.tofu b/modules/net-vpn-dynamic/versions.tofu
index 4a60f42a8..1a49112bc 100644
--- a/modules/net-vpn-dynamic/versions.tofu
+++ b/modules/net-vpn-dynamic/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-vpn-ha/versions.tf b/modules/net-vpn-ha/versions.tf
index 2625f1968..dcdd01102 100644
--- a/modules/net-vpn-ha/versions.tf
+++ b/modules/net-vpn-ha/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-vpn-ha/versions.tofu b/modules/net-vpn-ha/versions.tofu
index 29e5d4c3c..43fb93168 100644
--- a/modules/net-vpn-ha/versions.tofu
+++ b/modules/net-vpn-ha/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-vpn-static/versions.tf b/modules/net-vpn-static/versions.tf
index b39cea597..a733143d6 100644
--- a/modules/net-vpn-static/versions.tf
+++ b/modules/net-vpn-static/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/net-vpn-static/versions.tofu b/modules/net-vpn-static/versions.tofu
index f8018a2ac..fa2997d14 100644
--- a/modules/net-vpn-static/versions.tofu
+++ b/modules/net-vpn-static/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/organization/versions.tf b/modules/organization/versions.tf
index 12acea4fd..ac423fc59 100644
--- a/modules/organization/versions.tf
+++ b/modules/organization/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/organization/versions.tofu b/modules/organization/versions.tofu
index c8daa8243..f2556a350 100644
--- a/modules/organization/versions.tofu
+++ b/modules/organization/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/project/service-agents.tf b/modules/project/service-agents.tf
index 2b0d1bfe7..93308c6aa 100644
--- a/modules/project/service-agents.tf
+++ b/modules/project/service-agents.tf
@@ -25,10 +25,17 @@ locals {
(agent.name) => merge(agent, {
email = (
api == "cloudservices"
- ? format(
- "%s@cloudservices.%siam.gserviceaccount.com",
- local.project.number,
- local._u_domain
+ ? (
+ var.universe == null
+ ? format(
+ "%s@cloudservices.gserviceaccount.com",
+ local.project.number
+ )
+ : format(
+ "%s@cloudservices.%siam.gserviceaccount.com",
+ local.project.number,
+ local._u_domain
+ )
)
: (
var.universe == null || !startswith(api, "cloudkms.")
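Review bot: The new `var.universe == null` branch for `cloudservices` carries no comment explaining why this one agent drops the `iam.` label from its domain, and the same null test is repeated in the branch just below, so the expression is now three levels deep. These addresses are used as IAM principals, so a wrong domain would leave grants pointing at something other than the project's agent. I would add `# default universe: the Google APIs service agent is <number>@cloudservices.gserviceaccount.com, without "iam."` above the inner conditional and cover both the null and non-null universe cases in the module tests. The enclosing `locals` block and the definition of `local._u_domain` are outside this hunk, so the universe-side format could not be checked here.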
diff --git a/modules/project/versions.tf b/modules/project/versions.tf
index 983c968f0..84d13ea97 100644
--- a/modules/project/versions.tf
+++ b/modules/project/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/project/versions.tofu b/modules/project/versions.tofu
index a0d201845..2593ae248 100644
--- a/modules/project/versions.tofu
+++ b/modules/project/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/projects-data-source/versions.tf b/modules/projects-data-source/versions.tf
index 9445cafe8..613938dcc 100644
--- a/modules/projects-data-source/versions.tf
+++ b/modules/projects-data-source/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/projects-data-source/versions.tofu b/modules/projects-data-source/versions.tofu
index 676c17a5d..9c27355a3 100644
--- a/modules/projects-data-source/versions.tofu
+++ b/modules/projects-data-source/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/pubsub/versions.tf b/modules/pubsub/versions.tf
index 770672688..cc050922c 100644
--- a/modules/pubsub/versions.tf
+++ b/modules/pubsub/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/pubsub/versions.tofu b/modules/pubsub/versions.tofu
index fd78e2178..0fccce296 100644
--- a/modules/pubsub/versions.tofu
+++ b/modules/pubsub/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/secops-rules/versions.tf b/modules/secops-rules/versions.tf
index 388812ec2..d54d4df60 100644
--- a/modules/secops-rules/versions.tf
+++ b/modules/secops-rules/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/secops-rules/versions.tofu b/modules/secops-rules/versions.tofu
index c21600d72..2127c5f46 100644
--- a/modules/secops-rules/versions.tofu
+++ b/modules/secops-rules/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/secret-manager/versions.tf b/modules/secret-manager/versions.tf
index b84576f2b..3e8a03567 100644
--- a/modules/secret-manager/versions.tf
+++ b/modules/secret-manager/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/secret-manager/versions.tofu b/modules/secret-manager/versions.tofu
index 156184575..3f9466627 100644
--- a/modules/secret-manager/versions.tofu
+++ b/modules/secret-manager/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/secure-source-manager-instance/versions.tf b/modules/secure-source-manager-instance/versions.tf
index 9223ee048..af07fe421 100644
--- a/modules/secure-source-manager-instance/versions.tf
+++ b/modules/secure-source-manager-instance/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/secure-source-manager-instance/versions.tofu b/modules/secure-source-manager-instance/versions.tofu
index 9a56988f8..46a7911a8 100644
--- a/modules/secure-source-manager-instance/versions.tofu
+++ b/modules/secure-source-manager-instance/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/service-directory/versions.tf b/modules/service-directory/versions.tf
index ed4640b00..46959f947 100644
--- a/modules/service-directory/versions.tf
+++ b/modules/service-directory/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/service-directory/versions.tofu b/modules/service-directory/versions.tofu
index 96f79d16d..ee69d5408 100644
--- a/modules/service-directory/versions.tofu
+++ b/modules/service-directory/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/source-repository/versions.tf b/modules/source-repository/versions.tf
index 3d6efb788..a63b51984 100644
--- a/modules/source-repository/versions.tf
+++ b/modules/source-repository/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/source-repository/versions.tofu b/modules/source-repository/versions.tofu
index d04bb5b9a..695f1610f 100644
--- a/modules/source-repository/versions.tofu
+++ b/modules/source-repository/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/spanner-instance/versions.tf b/modules/spanner-instance/versions.tf
index 0811e8cc9..2f1762d42 100644
--- a/modules/spanner-instance/versions.tf
+++ b/modules/spanner-instance/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/spanner-instance/versions.tofu b/modules/spanner-instance/versions.tofu
index 896478b01..bbf4069b6 100644
--- a/modules/spanner-instance/versions.tofu
+++ b/modules/spanner-instance/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/vpc-sc/versions.tf b/modules/vpc-sc/versions.tf
index e0c7f7cf1..b149d8e40 100644
--- a/modules/vpc-sc/versions.tf
+++ b/modules/vpc-sc/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/vpc-sc/versions.tofu b/modules/vpc-sc/versions.tofu
index 8c13d1cc3..7d5da86cf 100644
--- a/modules/vpc-sc/versions.tofu
+++ b/modules/vpc-sc/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/workstation-cluster/versions.tf b/modules/workstation-cluster/versions.tf
index 3f2c9eae1..67997e7d8 100644
--- a/modules/workstation-cluster/versions.tf
+++ b/modules/workstation-cluster/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/modules/workstation-cluster/versions.tofu b/modules/workstation-cluster/versions.tofu
index 4889ade3b..ee6c7c193 100644
--- a/modules/workstation-cluster/versions.tofu
+++ b/modules/workstation-cluster/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/tests/examples_e2e/setup_module/versions.tf b/tests/examples_e2e/setup_module/versions.tf
index fc5c9f999..005e5159e 100644
--- a/tests/examples_e2e/setup_module/versions.tf
+++ b/tests/examples_e2e/setup_module/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/tests/examples_e2e/setup_module/versions.tofu b/tests/examples_e2e/setup_module/versions.tofu
index 10b1a5636..7ebabe1ca 100644
--- a/tests/examples_e2e/setup_module/versions.tofu
+++ b/tests/examples_e2e/setup_module/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/tests/modules/gke_hub/examples/defaults.yaml b/tests/modules/gke_hub/examples/defaults.yaml
new file mode 100644
index 000000000..e9f3936d3
--- /dev/null
+++ b/tests/modules/gke_hub/examples/defaults.yaml
@@ -0,0 +1,155 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.hub.google_gke_hub_feature.default["configmanagement"]:
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ fleet_default_member_config:
+ - configmanagement:
+ - config_sync:
+ - enabled: true
+ git:
+ - gcp_service_account_email: config-sync@your-project.iam.gserviceaccount.com
+ https_proxy: null
+ policy_dir: configsync
+ secret_type: gcenode
+ sync_branch: main
+ sync_repo: https://github.com/your-org/config-repo
+ sync_rev: HEAD
+ sync_wait_secs: '15'
+ metrics_gcp_service_account_email: null
+ oci: []
+ prevent_drift: true
+ source_format: hierarchy
+ management: null
+ version: v1
+ mesh: []
+ policycontroller: []
+ labels: null
+ location: global
+ name: configmanagement
+ project: gkehub-test
+ spec: []
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ module.hub.google_gke_hub_feature.default["servicemesh"]:
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ fleet_default_member_config:
+ - configmanagement:
+ - config_sync:
+ - enabled: true
+ git:
+ - gcp_service_account_email: config-sync@your-project.iam.gserviceaccount.com
+ https_proxy: null
+ policy_dir: configsync
+ secret_type: gcenode
+ sync_branch: main
+ sync_repo: https://github.com/your-org/config-repo
+ sync_rev: HEAD
+ sync_wait_secs: '15'
+ metrics_gcp_service_account_email: null
+ oci: []
+ prevent_drift: true
+ source_format: hierarchy
+ management: null
+ version: v1
+ mesh: []
+ policycontroller: []
+ labels: null
+ location: global
+ name: servicemesh
+ project: gkehub-test
+ spec: []
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ module.hub.google_gke_hub_feature_membership.default["cluster-1"]:
+ configmanagement:
+ - config_sync:
+ - deployment_overrides: []
+ enabled: true
+ git:
+ - gcp_service_account_email: null
+ https_proxy: null
+ policy_dir: cluster-specific
+ secret_type: none
+ sync_branch: main
+ sync_repo: https://github.com/your-org/cluster-specific-config
+ sync_rev: null
+ sync_wait_secs: null
+ metrics_gcp_service_account_email: null
+ oci: []
+ source_format: hierarchy
+ stop_syncing: null
+ hierarchy_controller: []
+ policy_controller: []
+ version: v1
+ feature: configmanagement
+ location: global
+ membership: cluster-1
+ membership_location: europe-west1
+ mesh: []
+ policycontroller: []
+ project: gkehub-test
+ timeouts: null
+ module.hub.google_gke_hub_membership.default["cluster-1"]:
+ authority: []
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ endpoint:
+ - gke_cluster:
+ - {}
+ labels: null
+ location: europe-west1
+ membership_id: cluster-1
+ project: gkehub-test
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ module.hub.google_gke_hub_membership.default["cluster-2"]:
+ authority: []
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ endpoint:
+ - gke_cluster:
+ - {}
+ labels: null
+ location: europe-west1
+ membership_id: cluster-2
+ project: gkehub-test
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+
+counts:
+ google_compute_network: 1
+ google_compute_route: 3
+ google_compute_subnetwork: 3
+ google_container_cluster: 2
+ google_container_node_pool: 2
+ google_gke_hub_feature: 2
+ google_gke_hub_feature_membership: 1
+ google_gke_hub_membership: 2
+ google_project: 1
+ google_project_iam_member: 8
+ google_project_service: 7
+ google_project_service_identity: 4
+ google_service_account: 2
+ modules: 7
+ resources: 38
+
+outputs: {}
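Review bot: The expected values for `google_gke_hub_feature.default["servicemesh"]` repeat the `configmanagement.config_sync` fleet default of the `configmanagement` feature and leave `mesh: []`, which reads as if the module applies one fleet-default block to every enabled feature. If that is intended, the example this fixture belongs to should say so; if it is not, the fixture now pins the behaviour and the test will keep passing. The module code that builds `fleet_default_member_config` is not in this part of the diff, so this is inferred from the fixture alone. Separately, `cluster-2` is registered but has no `google_gke_hub_feature_membership` entry (the count is 1), which is worth confirming as deliberate reliance on the fleet default.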
diff --git a/tests/modules/gke_hub/examples/full.yaml b/tests/modules/gke_hub/examples/full.yaml
index 02a3c9a61..f635e2e28 100644
--- a/tests/modules/gke_hub/examples/full.yaml
+++ b/tests/modules/gke_hub/examples/full.yaml
@@ -172,6 +172,18 @@ values:
terraform_labels:
goog-terraform-provisioned: 'true'
timeouts: null
+ module.hub.google_gke_hub_feature.default["policycontroller"]:
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ fleet_default_member_config: []
+ labels: null
+ location: global
+ name: policycontroller
+ project: gkehub-test
+ spec: []
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
module.hub.google_gke_hub_feature_membership.default["cluster-1"]:
configmanagement:
- config_sync:
@@ -194,14 +206,7 @@ values:
- enable_hierarchical_resource_quota: true
enable_pod_tree_labels: true
enabled: true
- policy_controller:
- - audit_interval_seconds: '120'
- enabled: true
- exemptable_namespaces: null
- log_denies_enabled: true
- mutation_enabled: null
- referential_rules_enabled: true
- template_library_installed: true
+ policy_controller: []
version: v1
feature: configmanagement
location: global
@@ -211,6 +216,27 @@ values:
policycontroller: []
project: gkehub-test
timeouts: null
+ module.hub.google_gke_hub_feature_membership.policycontroller["cluster-1"]:
+ configmanagement: []
+ feature: policycontroller
+ location: global
+ membership: cluster-1
+ membership_location: europe-west1
+ mesh: []
+ policycontroller:
+ - policy_controller_hub_config:
+ - audit_interval_seconds: 120
+ constraint_violation_limit: null
+ exemptable_namespaces:
+ - kube-system
+ - kube-public
+ install_spec: null
+ log_denies_enabled: true
+ mutation_enabled: null
+ referential_rules_enabled: true
+ version: v1.17.3
+ project: gkehub-test
+ timeouts: null
module.hub.google_gke_hub_membership.default["cluster-1"]:
authority: []
effective_labels:
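Review bot: The new `policy_controller_hub_config` expectation has `install_spec: null`, and nothing in it replaces the `template_library_installed: true` that the `policy_controller` block removed in the previous hunk used to pin. Policy Controller is an admission control, so the example should state the installed mode explicitly rather than rely on the API default; the provider accepts `install_spec = "INSTALL_SPEC_ENABLED"`, and the template library setting now sits under `policy_content`. Whether the module exposes either field is not visible in this hunk, so this is a request to confirm that the migration does not silently drop constraint enforcement for existing users. The fixture would then assert `install_spec: INSTALL_SPEC_ENABLED`.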
@@ -402,14 +428,14 @@ counts:
google_compute_route: 3
google_compute_subnetwork: 1
google_container_cluster: 1
- google_gke_hub_feature: 1
- google_gke_hub_feature_membership: 1
+ google_gke_hub_feature: 2
+ google_gke_hub_feature_membership: 2
google_gke_hub_membership: 1
google_project: 1
google_project_iam_member: 6
google_project_service: 7
google_project_service_identity: 5
modules: 4
- resources: 28
+ resources: 30
outputs: {}
diff --git a/tests/modules/gke_hub/examples/policycontroller.yaml b/tests/modules/gke_hub/examples/policycontroller.yaml
new file mode 100644
index 000000000..1167d534d
--- /dev/null
+++ b/tests/modules/gke_hub/examples/policycontroller.yaml
@@ -0,0 +1,239 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.hub.google_gke_hub_feature.default["configmanagement"]:
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ fleet_default_member_config: []
+ labels: null
+ location: global
+ name: configmanagement
+ project: project-id
+ spec: []
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ module.hub.google_gke_hub_feature.default["policycontroller"]:
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ fleet_default_member_config: []
+ labels: null
+ location: global
+ name: policycontroller
+ project: project-id
+ spec: []
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ module.hub.google_gke_hub_feature_membership.default["cluster-1"]:
+ configmanagement:
+ - config_sync:
+ - deployment_overrides: []
+ enabled: true
+ git:
+ - gcp_service_account_email: null
+ https_proxy: null
+ policy_dir: configsync
+ secret_type: none
+ sync_branch: main
+ sync_repo: https://github.com/your-org/config-repo
+ sync_rev: null
+ sync_wait_secs: null
+ metrics_gcp_service_account_email: null
+ oci: []
+ source_format: hierarchy
+ stop_syncing: null
+ hierarchy_controller: []
+ policy_controller: []
+ version: v1
+ feature: configmanagement
+ location: global
+ membership: cluster-1
+ membership_location: europe-west1
+ mesh: []
+ policycontroller: []
+ project: project-id
+ timeouts: null
+ module.hub.google_gke_hub_feature_membership.default["cluster-2"]:
+ configmanagement:
+ - config_sync:
+ - deployment_overrides: []
+ enabled: true
+ git:
+ - gcp_service_account_email: null
+ https_proxy: null
+ policy_dir: configsync
+ secret_type: none
+ sync_branch: main
+ sync_repo: https://github.com/your-org/config-repo
+ sync_rev: null
+ sync_wait_secs: null
+ metrics_gcp_service_account_email: null
+ oci: []
+ source_format: hierarchy
+ stop_syncing: null
+ hierarchy_controller: []
+ policy_controller: []
+ version: v1
+ feature: configmanagement
+ location: global
+ membership: cluster-2
+ membership_location: europe-west1
+ mesh: []
+ policycontroller: []
+ project: project-id
+ timeouts: null
+ module.hub.google_gke_hub_feature_membership.policycontroller["cluster-1"]:
+ configmanagement: []
+ feature: policycontroller
+ location: global
+ membership: cluster-1
+ membership_location: europe-west1
+ mesh: []
+ policycontroller:
+ - policy_controller_hub_config:
+ - audit_interval_seconds: 60
+ constraint_violation_limit: 20
+ deployment_configs:
+ - component_name: admission
+ container_resources:
+ - limits:
+ - cpu: 1000m
+ memory: 512Mi
+ requests:
+ - cpu: 100m
+ memory: 256Mi
+ pod_affinity: ''
+ pod_tolerations: []
+ replica_count: 3
+ - component_name: audit
+ container_resources:
+ - limits:
+ - cpu: 1000m
+ memory: 512Mi
+ requests:
+ - cpu: 100m
+ memory: 256Mi
+ pod_affinity: ''
+ pod_tolerations: []
+ replica_count: 1
+ exemptable_namespaces:
+ - kube-system
+ - kube-public
+ - kube-node-lease
+ install_spec: INSTALL_SPEC_ENABLED
+ log_denies_enabled: true
+ monitoring:
+ - backends:
+ - PROMETHEUS
+ mutation_enabled: false
+ policy_content:
+ - bundles:
+ - bundle_name: policy-essentials-v2022
+ exempted_namespaces:
+ - kube-system
+ - kube-public
+ template_library:
+ - installation: ALL
+ referential_rules_enabled: true
+ version: v1.17.3
+ project: project-id
+ timeouts: null
+ module.hub.google_gke_hub_feature_membership.policycontroller["cluster-2"]:
+ configmanagement: []
+ feature: policycontroller
+ location: global
+ membership: cluster-2
+ membership_location: europe-west1
+ mesh: []
+ policycontroller:
+ - policy_controller_hub_config:
+ - audit_interval_seconds: 120
+ constraint_violation_limit: null
+ exemptable_namespaces:
+ - kube-system
+ - kube-public
+ - kube-node-lease
+ - gke-system
+ install_spec: null
+ log_denies_enabled: false
+ mutation_enabled: null
+ referential_rules_enabled: false
+ version: v1.17.3
+ project: project-id
+ timeouts: null
+ module.hub.google_gke_hub_membership.default["cluster-1"]:
+ authority: []
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ endpoint:
+ - gke_cluster:
+ - {}
+ labels: null
+ location: europe-west1
+ membership_id: cluster-1
+ project: project-id
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ module.hub.google_gke_hub_membership.default["cluster-2"]:
+ authority: []
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ endpoint:
+ - gke_cluster:
+ - {}
+ labels: null
+ location: europe-west1
+ membership_id: cluster-2
+ project: project-id
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ module.project.google_project.project[0]:
+ auto_create_network: false
+ billing_account: 123-456-789
+ deletion_policy: DELETE
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ folder_id: '12345'
+ labels: null
+ name: gkehub-test
+ org_id: null
+ project_id: gkehub-test
+ tags: null
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+
+counts:
+ google_compute_firewall: 6
+ google_compute_network: 1
+ google_compute_route: 3
+ google_compute_subnetwork: 3
+ google_container_cluster: 2
+ google_container_node_pool: 2
+ google_gke_hub_feature: 2
+ google_gke_hub_feature_membership: 4
+ google_gke_hub_membership: 2
+ google_project: 1
+ google_project_iam_member: 8
+ google_project_service: 7
+ google_project_service_identity: 4
+ google_service_account: 2
+ modules: 8
+ resources: 47
+
+outputs: {}
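Review bot: Every `module.hub` resource in this inventory is planned with `project: project-id`, but the project the example creates is `gkehub-test` (`module.project.google_project.project[0]`). The other gke-hub inventory touched by this diff shows `project: gkehub-test` on the hub membership instead. This suggests the example passes a literal or test-variable project id to the hub module, so the fleet features would not land in the project whose services and IAM the example sets up, and would carry no dependency on it. The example source is outside this hunk, so please confirm. If it is unintended, wire the hub module with `project_id = module.project.project_id` and regenerate the inventory so these entries read `project: gkehub-test`.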
diff --git a/tests/modules/project/service_agents.tfvars b/tests/modules/project/service_agents.tfvars
new file mode 100644
index 000000000..6905a42f3
--- /dev/null
+++ b/tests/modules/project/service_agents.tfvars
@@ -0,0 +1,25 @@
+services = [
+ "container.googleapis.com",
+ "run.googleapis.com"
+]
+shared_vpc_service_config = {
+ host_project = "host-project"
+ service_agent_iam = {
+ "roles/compute.networkUser" = [
+ "$service_agents:cloudservices", "$service_agents:container-engine"
+ ]
+ "roles/container.hostServiceAgentUser" = [
+ "$service_agents:container-engine"
+ ]
+ }
+ service_iam_grants = [
+ "$service_agents:run.googleapis.com"
+ ]
+}
+project_reuse = {
+ use_data_source = false
+ attributes = {
+ name = "my-project"
+ number = 12345
+ }
+}
diff --git a/tests/modules/project/service_agents.yaml b/tests/modules/project/service_agents.yaml
new file mode 100644
index 000000000..c51281104
--- /dev/null
+++ b/tests/modules/project/service_agents.yaml
@@ -0,0 +1,158 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ google_compute_shared_vpc_service_project.shared_vpc_service[0]:
+ host_project: host-project
+ service_project: my-project
+ google_project_iam_member.service_agents["container-engine-robot"]:
+ condition: []
+ member: serviceAccount:service-12345@container-engine-robot.iam.gserviceaccount.com
+ project: my-project
+ role: roles/container.serviceAgent
+ google_project_iam_member.service_agents["gkenode"]:
+ condition: []
+ member: serviceAccount:service-12345@gcp-sa-gkenode.iam.gserviceaccount.com
+ project: my-project
+ role: roles/container.defaultNodeServiceAgent
+ google_project_iam_member.service_agents["serverless-robot-prod"]:
+ condition: []
+ member: serviceAccount:service-12345@serverless-robot-prod.iam.gserviceaccount.com
+ project: my-project
+ role: roles/run.serviceAgent
+ google_project_iam_member.shared_vpc_host_robots["roles/compute.networkUser:cloudservices"]:
+ condition: []
+ member: serviceAccount:12345@cloudservices.gserviceaccount.com
+ project: host-project
+ role: roles/compute.networkUser
+ google_project_iam_member.shared_vpc_host_robots["roles/compute.networkUser:container-engine"]:
+ condition: []
+ member: serviceAccount:service-12345@container-engine-robot.iam.gserviceaccount.com
+ project: host-project
+ role: roles/compute.networkUser
+ google_project_iam_member.shared_vpc_host_robots["roles/container.hostServiceAgentUser:container-engine"]:
+ condition: []
+ member: serviceAccount:service-12345@container-engine-robot.iam.gserviceaccount.com
+ project: host-project
+ role: roles/container.hostServiceAgentUser
+ google_project_iam_member.shared_vpc_host_robots["roles/vpcaccess.user:cloudrun"]:
+ condition: []
+ member: serviceAccount:service-12345@serverless-robot-prod.iam.gserviceaccount.com
+ project: host-project
+ role: roles/vpcaccess.user
+ google_project_service.project_services["container.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: my-project
+ service: container.googleapis.com
+ timeouts: null
+ google_project_service.project_services["run.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: my-project
+ service: run.googleapis.com
+ timeouts: null
+ google_project_service_identity.default["container.googleapis.com"]:
+ project: my-project
+ service: container.googleapis.com
+ timeouts: null
+ google_project_service_identity.default["run.googleapis.com"]:
+ project: my-project
+ service: run.googleapis.com
+ timeouts: null
+
+outputs:
+ default_service_accounts:
+ compute: 12345-compute@developer.gserviceaccount.com
+ gae: my-project@appspot.gserviceaccount.com
+ id: my-project
+ name: my-project
+ number: 12345
+ project_id: my-project
+ service_agents:
+ cloudrun:
+ api: run.googleapis.com
+ display_name: Google Cloud Run Service Agent
+ email: service-12345@serverless-robot-prod.iam.gserviceaccount.com
+ iam_email: serviceAccount:service-12345@serverless-robot-prod.iam.gserviceaccount.com
+ is_primary: true
+ name: serverless-robot-prod
+ role: roles/run.serviceAgent
+ cloudservices:
+ api: null
+ display_name: Google APIs Service Agent
+ email: 12345@cloudservices.gserviceaccount.com
+ iam_email: serviceAccount:12345@cloudservices.gserviceaccount.com
+ is_primary: false
+ name: cloudservices
+ role: null
+ cloudsvc:
+ api: null
+ display_name: Google APIs Service Agent
+ email: 12345@cloudservices.gserviceaccount.com
+ iam_email: serviceAccount:12345@cloudservices.gserviceaccount.com
+ is_primary: false
+ name: cloudservices
+ role: null
+ container:
+ api: container.googleapis.com
+ display_name: Kubernetes Engine Service Agent
+ email: service-12345@container-engine-robot.iam.gserviceaccount.com
+ iam_email: serviceAccount:service-12345@container-engine-robot.iam.gserviceaccount.com
+ is_primary: true
+ name: container-engine-robot
+ role: roles/container.serviceAgent
+ container-engine:
+ api: container.googleapis.com
+ display_name: Kubernetes Engine Service Agent
+ email: service-12345@container-engine-robot.iam.gserviceaccount.com
+ iam_email: serviceAccount:service-12345@container-engine-robot.iam.gserviceaccount.com
+ is_primary: true
+ name: container-engine-robot
+ role: roles/container.serviceAgent
+ container-engine-robot:
+ api: container.googleapis.com
+ display_name: Kubernetes Engine Service Agent
+ email: service-12345@container-engine-robot.iam.gserviceaccount.com
+ iam_email: serviceAccount:service-12345@container-engine-robot.iam.gserviceaccount.com
+ is_primary: true
+ name: container-engine-robot
+ role: roles/container.serviceAgent
+ gkenode:
+ api: container.googleapis.com
+ display_name: Kubernetes Engine Node Service Agent
+ email: service-12345@gcp-sa-gkenode.iam.gserviceaccount.com
+ iam_email: serviceAccount:service-12345@gcp-sa-gkenode.iam.gserviceaccount.com
+ is_primary: false
+ name: gkenode
+ role: roles/container.defaultNodeServiceAgent
+ run:
+ api: run.googleapis.com
+ display_name: Google Cloud Run Service Agent
+ email: service-12345@serverless-robot-prod.iam.gserviceaccount.com
+ iam_email: serviceAccount:service-12345@serverless-robot-prod.iam.gserviceaccount.com
+ is_primary: true
+ name: serverless-robot-prod
+ role: roles/run.serviceAgent
+ serverless-robot-prod:
+ api: run.googleapis.com
+ display_name: Google Cloud Run Service Agent
+ email: service-12345@serverless-robot-prod.iam.gserviceaccount.com
+ iam_email: serviceAccount:service-12345@serverless-robot-prod.iam.gserviceaccount.com
+ is_primary: true
+ name: serverless-robot-prod
+ role: roles/run.serviceAgent
+ services:
+ - container.googleapis.com
+ - run.googleapis.com
diff --git a/tests/modules/project/service_agents_universe.tfvars b/tests/modules/project/service_agents_universe.tfvars
new file mode 100644
index 000000000..b695744d0
--- /dev/null
+++ b/tests/modules/project/service_agents_universe.tfvars
@@ -0,0 +1,32 @@
+services = [
+ "container.googleapis.com",
+ "run.googleapis.com"
+]
+shared_vpc_service_config = {
+ host_project = "host-project"
+ service_agent_iam = {
+ "roles/compute.networkUser" = [
+ "$service_agents:cloudservices", "$service_agents:container-engine"
+ ]
+ "roles/container.hostServiceAgentUser" = [
+ "$service_agents:container-engine"
+ ]
+ }
+ service_iam_grants = [
+ "$service_agents:run.googleapis.com"
+ ]
+}
+project_reuse = {
+ use_data_source = false
+ attributes = {
+ name = "my-project"
+ number = 12345
+ }
+}
+universe = {
+ prefix = "alpha"
+ unavailable_services = [
+ "xxx.googleapis.com",
+ "yyy.googleapis.com"
+ ]
+}
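Review bot: `unavailable_services` lists `xxx.googleapis.com` and `yyy.googleapis.com`, neither of which appears in `services`, so this fixture cannot show a service being dropped for the universe. The matching inventory still expects both `container.googleapis.com` and `run.googleapis.com`. If the setting is meant to filter enabled services (inferred from the name only), add one entry that is in both lists, for example `"xxx.googleapis.com"` in `services`, and assert that it is absent from `google_project_service`. If the fixture is only about service agent e-mail domains, a comment such as `# unavailable_services is not exercised here; see the universe test` would make that explicit.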
diff --git a/tests/modules/project/service_agents_universe.yaml b/tests/modules/project/service_agents_universe.yaml
new file mode 100644
index 000000000..01c270777
--- /dev/null
+++ b/tests/modules/project/service_agents_universe.yaml
@@ -0,0 +1,160 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ google_compute_shared_vpc_service_project.shared_vpc_service[0]:
+ deletion_policy: null
+ host_project: host-project
+ service_project: alpha:my-project
+ timeouts: null
+ google_project_iam_member.service_agents["container-engine-robot"]:
+ condition: []
+ member: serviceAccount:service-12345@container-engine-robot.alpha-system.iam.gserviceaccount.com
+ project: alpha:my-project
+ role: roles/container.serviceAgent
+ google_project_iam_member.service_agents["gkenode"]:
+ condition: []
+ member: serviceAccount:service-12345@gcp-sa-gkenode.alpha-system.iam.gserviceaccount.com
+ project: alpha:my-project
+ role: roles/container.defaultNodeServiceAgent
+ google_project_iam_member.service_agents["serverless-robot-prod"]:
+ condition: []
+ member: serviceAccount:service-12345@serverless-robot-prod.alpha-system.iam.gserviceaccount.com
+ project: alpha:my-project
+ role: roles/run.serviceAgent
+ google_project_iam_member.shared_vpc_host_robots["roles/compute.networkUser:cloudservices"]:
+ condition: []
+ member: serviceAccount:12345@cloudservices.alpha-system.iam.gserviceaccount.com
+ project: host-project
+ role: roles/compute.networkUser
+ google_project_iam_member.shared_vpc_host_robots["roles/compute.networkUser:container-engine"]:
+ condition: []
+ member: serviceAccount:service-12345@container-engine-robot.alpha-system.iam.gserviceaccount.com
+ project: host-project
+ role: roles/compute.networkUser
+ google_project_iam_member.shared_vpc_host_robots["roles/container.hostServiceAgentUser:container-engine"]:
+ condition: []
+ member: serviceAccount:service-12345@container-engine-robot.alpha-system.iam.gserviceaccount.com
+ project: host-project
+ role: roles/container.hostServiceAgentUser
+ google_project_iam_member.shared_vpc_host_robots["roles/vpcaccess.user:cloudrun"]:
+ condition: []
+ member: serviceAccount:service-12345@serverless-robot-prod.alpha-system.iam.gserviceaccount.com
+ project: host-project
+ role: roles/vpcaccess.user
+ google_project_service.project_services["container.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: alpha:my-project
+ service: container.googleapis.com
+ timeouts: null
+ google_project_service.project_services["run.googleapis.com"]:
+ disable_dependent_services: false
+ disable_on_destroy: false
+ project: alpha:my-project
+ service: run.googleapis.com
+ timeouts: null
+ google_project_service_identity.default["container.googleapis.com"]:
+ project: alpha:my-project
+ service: container.googleapis.com
+ timeouts: null
+ google_project_service_identity.default["run.googleapis.com"]:
+ project: alpha:my-project
+ service: run.googleapis.com
+ timeouts: null
+
+outputs:
+ default_service_accounts:
+ compute: 12345-compute@developer.gserviceaccount.com
+ gae: alpha:my-project@appspot.gserviceaccount.com
+ id: alpha:my-project
+ name: my-project
+ number: 12345
+ project_id: alpha:my-project
+ service_agents:
+ cloudrun:
+ api: run.googleapis.com
+ display_name: Google Cloud Run Service Agent
+ email: service-12345@serverless-robot-prod.alpha-system.iam.gserviceaccount.com
+ iam_email: serviceAccount:service-12345@serverless-robot-prod.alpha-system.iam.gserviceaccount.com
+ is_primary: true
+ name: serverless-robot-prod
+ role: roles/run.serviceAgent
+ cloudservices:
+ api: null
+ display_name: Google APIs Service Agent
+ email: 12345@cloudservices.alpha-system.iam.gserviceaccount.com
+ iam_email: serviceAccount:12345@cloudservices.alpha-system.iam.gserviceaccount.com
+ is_primary: false
+ name: cloudservices
+ role: null
+ cloudsvc:
+ api: null
+ display_name: Google APIs Service Agent
+ email: 12345@cloudservices.alpha-system.iam.gserviceaccount.com
+ iam_email: serviceAccount:12345@cloudservices.alpha-system.iam.gserviceaccount.com
+ is_primary: false
+ name: cloudservices
+ role: null
+ container:
+ api: container.googleapis.com
+ display_name: Kubernetes Engine Service Agent
+ email: service-12345@container-engine-robot.alpha-system.iam.gserviceaccount.com
+ iam_email: serviceAccount:service-12345@container-engine-robot.alpha-system.iam.gserviceaccount.com
+ is_primary: true
+ name: container-engine-robot
+ role: roles/container.serviceAgent
+ container-engine:
+ api: container.googleapis.com
+ display_name: Kubernetes Engine Service Agent
+ email: service-12345@container-engine-robot.alpha-system.iam.gserviceaccount.com
+ iam_email: serviceAccount:service-12345@container-engine-robot.alpha-system.iam.gserviceaccount.com
+ is_primary: true
+ name: container-engine-robot
+ role: roles/container.serviceAgent
+ container-engine-robot:
+ api: container.googleapis.com
+ display_name: Kubernetes Engine Service Agent
+ email: service-12345@container-engine-robot.alpha-system.iam.gserviceaccount.com
+ iam_email: serviceAccount:service-12345@container-engine-robot.alpha-system.iam.gserviceaccount.com
+ is_primary: true
+ name: container-engine-robot
+ role: roles/container.serviceAgent
+ gkenode:
+ api: container.googleapis.com
+ display_name: Kubernetes Engine Node Service Agent
+ email: service-12345@gcp-sa-gkenode.alpha-system.iam.gserviceaccount.com
+ iam_email: serviceAccount:service-12345@gcp-sa-gkenode.alpha-system.iam.gserviceaccount.com
+ is_primary: false
+ name: gkenode
+ role: roles/container.defaultNodeServiceAgent
+ run:
+ api: run.googleapis.com
+ display_name: Google Cloud Run Service Agent
+ email: service-12345@serverless-robot-prod.alpha-system.iam.gserviceaccount.com
+ iam_email: serviceAccount:service-12345@serverless-robot-prod.alpha-system.iam.gserviceaccount.com
+ is_primary: true
+ name: serverless-robot-prod
+ role: roles/run.serviceAgent
+ serverless-robot-prod:
+ api: run.googleapis.com
+ display_name: Google Cloud Run Service Agent
+ email: service-12345@serverless-robot-prod.alpha-system.iam.gserviceaccount.com
+ iam_email: serviceAccount:service-12345@serverless-robot-prod.alpha-system.iam.gserviceaccount.com
+ is_primary: true
+ name: serverless-robot-prod
+ role: roles/run.serviceAgent
+ services:
+ - container.googleapis.com
+ - run.googleapis.com
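Review bot: The expected `default_service_accounts` pin `compute: 12345-compute@developer.gserviceaccount.com` and `gae: alpha:my-project@appspot.gserviceaccount.com`, which do not follow the universe form used for every service agent below them. The agents use `...alpha-system.iam.gserviceaccount.com`, while the `gae` value carries the `alpha:` project prefix inside the e-mail local part. Recording these in the inventory turns what looks like non-universe-aware output into expected behaviour, and anything that builds IAM members from these outputs would then reference principals that probably do not exist in that universe. Either leave `default_service_accounts` out of this inventory until the module derives them per universe, or fix the derivation and regenerate. The correct universe format is not shown on this page, so treat the exact expected strings as something to confirm.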
diff --git a/tests/modules/project/tftest.yaml b/tests/modules/project/tftest.yaml
index f6c2bb67a..e97eac8e7 100644
--- a/tests/modules/project/tftest.yaml
+++ b/tests/modules/project/tftest.yaml
@@ -19,13 +19,15 @@ common_tfvars:
tests:
context:
- prefix:
+ iam_by_principals_additive:
+ no_parent:
no_prefix:
+ org_policies_boolean:
+ org_policies_list:
parent_folder:
parent_org:
- no_parent:
+ prefix:
service_encryption_keys:
- org_policies_list:
- org_policies_boolean:
- iam_by_principals_additive:
+ service_agents:
+ service_agents_universe:
universe:
diff --git a/tools/lockfile/versions.tf b/tools/lockfile/versions.tf
index f00c5ecfc..2667eef84 100644
--- a/tools/lockfile/versions.tf
+++ b/tools/lockfile/versions.tf
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.11.4"
+ required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
diff --git a/tools/lockfile/versions.tofu b/tools/lockfile/versions.tofu
index b39f13ab6..2a7a3167a 100644
--- a/tools/lockfile/versions.tofu
+++ b/tools/lockfile/versions.tofu
@@ -15,7 +15,7 @@
# Fabric release: v45.0.0
terraform {
- required_version = ">= 1.9.0"
+ required_version = ">= 1.10.0"
required_providers {
google = {
source = "hashicorp/google"