* Add ephemeral_storage_local_ssd_config support to modules/gke-nodepool
Adds ephemeral_storage_local_ssd_count to node_config variable and the
corresponding dynamic ephemeral_storage_local_ssd_config block in the
node pool resource, enabling use of local SSDs as ephemeral storage.
* feat(gke-nodepool): add flex_start support to node_config
Add `flex_start` as an optional bool to the `node_config` variable type
and wire it through to the `google_container_node_pool` resource's
node_config block. This enables DWS (Dynamic Workload Scheduler)
flex-start mode for node pools, used for on-demand capacity access
without requiring ProvisioningRequest objects (e.g. spot TPU pools).
* feat(gke-nodepool): add flex_start support to node_config
Add `flex_start` as an optional bool to the `node_config` variable type
and wire it through to the `google_container_node_pool` resource's
node_config block. This enables DWS (Dynamic Workload Scheduler)
flex-start mode for node pools, which allows the Cluster Autoscaler to
request capacity on-demand without requiring ProvisioningRequest objects
(unlike queued_provisioning). Typical use case is spot TPU node pools.
* feat(gke-nodepool): add advanced_machine_features support to node_config
Add `advanced_machine_features` as an optional object to the `node_config`
variable type and wire it through to the `google_container_node_pool`
resource via a dynamic block. This allows callers to configure
`threads_per_core` (e.g. set to 1 to disable hyperthreading) and
`enable_nested_virtualization` for node pools that require fine-grained
CPU threading control or nested hypervisor support.
GKE auto-sets `advanced_machine_features` (threads_per_core=1) on
ct6e/TPU machine types; exposing this field also lets consumers add it to
ignore_changes in their own lifecycle blocks to avoid forced replacements.
* feat(gke-nodepool): add containerd_config support to node_config
Add `containerd_config` as an optional object to the `node_config` variable
and wire it through to the `google_container_node_pool` resource via a
dynamic block. This allows callers to configure private registry mirrors or
custom containerd registry hosts per node pool — useful for air-gapped
environments and internal registry proxies.
The `registry_hosts` list maps each upstream server to one or more mirror
hosts, with optional `capabilities`, `override_path`, and `dial_timeout`
fields (all defaulting to sensible values).
* refactor(gke-nodepool): use maps for containerd_config registry_hosts and hosts
Convert registry_hosts and hosts from lists to maps so that the registry
server and host URLs serve as stable keys, avoiding index-shifting issues
with for_each. Add default values for capabilities, override_path, and
dial_timeout. Update README example and test inventory accordingly.
* Remove default values from containerd_config hosts fields
Leave capabilities, override_path, and dial_timeout without defaults
so the provider/API picks them rather than the module imposing values.
* Refine containerd_config variable interface
- Simplify header to optional(map(list(string)))
- Flatten ca, client cert/key to strings with descriptive names
- Derive private_registry_access_config enabled from ca domain config list
- Simplify writable_cgroups to optional(bool)
- Flatten gcp_secret_manager_certificate_config to string
- Remove redundant defaults where try() handles null in main.tf
- Fix long lines in main.tf to stay within 79-char limit
- Update copyright year to 2026 in inventory files
* fix(gke-nodepool): run terraform fmt to fix attribute alignment in containerd_config
* docs(gke-nodepool): regenerate README with updated variable line numbers
* fix(gke-nodepool): use coalesce instead of try for null header map in for_each
* tests(gke-nodepool): update containerd-config inventory to match actual plan output
---------
Co-authored-by: Julio Castillo <jccb@google.com>
* dp rewrite stage 0, projects
* remove plan files
* generalize handling of basepath for projects in project-factory module
* central-0 ---> core-0
* add schemas, validate YAMLs, tags
* aspect types
* data catalog policy tag factory
* add support for data catalog taxonomy to project factory
* complete retrofit of old stage configuration, except networking
* shared vpc networking
* networking
* data platform as pf dataset
* docs
* test
* remove legacy dp stage, fix tests and links
* boilerplate
* tfdoc
* fix unrelated tfdoc
* schemas
* fix errors
* schema
* duplicate schemas
* yamllint
* Fix module naming convention for aspect-types
* Fix factories_config in vpcs.tf for net-vpc-factory compatibility
* Update schema documentation based on schema changes
* Fix false rename conflict in .config.yaml files
* Sync schemas and update documentation
* Fix path expansion for aspect-types and revert projects_input to master
* Restore path expansion for org_policies in projects-iam call
* Fix trailing newlines in schema duplicates to satisfy duplicate-diff
* Fix path expansion for data_catalog_taxonomy in taxonomies.tf
* Update inventory for data-platform test and clean up debug prints
* Add full values to data-platform inventory
* Align Stage 2 VPC Factory integration with Stage 0 and fix tests
TAG=agy
* Fix project factory context resolution and data platform datasets
- Update tag context keys in project factory to use file key without 'projects/' prefix.
- Fix tag reference in product-0.yaml.
- Fix shared_vpc_service_config in shared-0.yaml by moving service account to network_users.
- Set parent for domain-0 folder to data-platform.
- Mock net-dev-0 project ID in tests.
- Update inventories.
TAG=agy
CONV=4b37fa5b-bf59-4604-9e8f-b55353d967a0
* Fix project-level tag keys context resolution in project factory
* Fix commented out tag reference in domain-0 .config.yaml
* Fix merge() calls with empty arguments in project-factory and data-catalog-policy-tag
* Update Data Platform dataset README with prerequisites and customization guide
* Add Table of Contents to Data Platform dataset README
* docs: update Data Platform README with project templates tip
* Document data platform output files and linking sequence in README
* Update data platform README with VPC-SC and delegated IAM details
* Refactor data platform dataset and align stage defaults
* Update test inventory and variables for data platform with new prefix
* Fix categorization of PR #3949 in CHANGELOG.md
* Enhance changelog.py to error on uncategorized PRs
* Update skill to propose breaking changes to user
* Update Cloud Run v2 GPU examples in README
Remove launch_stage = "BETA" from examples as it now defaults to GA in the provider. This fixes E2E test failures where the API returns GA. Reference: https://github.com/hashicorp/terraform-provider-google/pull/17029
TAG=agy
* Fix KMS and Compute VM E2E test failures
Update README examples to avoid conflicts and unsupported modes, and update corresponding inventories.
TAG=agy
* Add instruction to run a single specific example test in GEMINI.md
TAG=agy
Adds support for enhanced query insights on cloud sql instances by adding enhanced_query_insights_enabled to the insights_config block. This allows enabling deeper visibility into query performance.
Closes#3890
TAG=agy
CONV=41331d43-c782-48a4-b0e7-bc8ad14866e9
Adds support for `advanced_datapath_observability_config` to the `gke-cluster-autopilot` module, matching the standard cluster module implementation.
Closes#3936
TAG=agy
CONV=9d4485ab-0fae-4f3d-a6e1-bbb6320d7c46
Add `common_repository` support to `maven`, `npm`, and `python` remote repository configurations in the `artifact-registry` module. This replaces the deprecated `custom_repository` feature which is now discouraged by the provider.
Existing README example `registry-mirror` has been updated to use `common_repository`. A legacy test case `legacy_custom_repo` has been added to the bottom of `README.md` to ensure backward compatibility for `custom_repository` continues to work.
TAG=agy
CONV=ffe77e65-ccef-4701-95e6-4ba2d2446f1b
* fix(modules): allow disabling logging and configuring optional fields in LB backend services
Replaced 'log_sample_rate' (number) with 'log_config' (object) in all Load Balancer Backend Service modules. This allows explicitly disabling logging ('enable = false') and configuring advanced options like 'optional_mode' and 'optional_fields', resolving infinite plan drift and the inability to disable logging.
Affected modules:
- net-lb-app-ext-regional
- net-lb-app-ext
- net-lb-app-int-cross-region
- net-lb-app-int
- net-lb-ext
- net-lb-int
- net-lb-proxy-int
Added test cases and updated documentation.
Fixes#3914
* style: format variables files with terraform fmt
* docs: add critical linting rule for AI agents to GEMINI.md
Introduce support for regional health checks in the net-lb-app-int module while maintaining backward compatibility.
Added optional is_regional flag to health_check_configs (defaulting to false). When true, it creates google_compute_region_health_check instead of google_compute_health_check.
Updated backend services and outputs to merge both global and regional health check IDs. Added a new test case to verify regional health check functionality.
TAG=agy
CONV=6aff620c-e5a5-44eb-afe0-459cff820daa
* feat(2-networking): add support for static IPs NAT
* fix(linting): fix linting
* fix(linting): fix linting
* fix(2-networking): factory-cloudnat don't assume that the context values are present.
* fix(2-networking): factory-cloudnat pass region in a try to forward the problem to the module
---------
Co-authored-by: Simone Ruffilli <sruffilli@google.com>
Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
Co-authored-by: Julio Castillo <jccb@google.com>
* module project-factory: include project in conditional_var context for org policies
* module project-factory: include project and folders in conditional_var context for org policies
- Move project org policies (explicit and factory) to projects-iam invocation.
- Move folder org policies (explicit and factory) to folder-X-iam invocations (levels 1-4).
- Inject folder_ids into projects-iam condition_vars and pass resolved folders.
- Update and regenerate test inventories (example.yaml, simple.yaml, hardened.yaml).
TAG=agy
CONV=e0f45850-ab01-4600-a2b6-4de62465c204
---------
Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
* Draft terraform_naming_convention
* Two fast/stages fixes for terraform_naming_convention
* Disable terraform_naming_convention for resources for now
* module fixes for terraform_naming_convention
* tfdoc
* Remove "moved" from recipe and needs-fixing
* Fix moved for spoke_ra
* fix tests
* Use default (snake_case) for resources
* factory.terraform_data.project-preconditions
* First-pass migration of resources + tests
* Fix tests/modules/organization
* Require snake_case for variables; Add annotations for _testing
* permit _fast_debug variable
* Fix net_vpc_factory and net_vpc_firewall tests
* tfdoc addons and recipe
* Fix more tests
* Fix some net-global -> net_global tests
---------
Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
* Add example "Remote Docker registry with credentials" for artifact-registry
* Add inventory
(cherry picked from commit 903c4c423c0264bf270f1da13245fa01e58163d9)
Add inventory
(cherry picked from commit fd439be6412c2ea281578ee49f61cb3399850521)
---------
Co-authored-by: Julio Castillo <jccb@google.com>
* Bump GH template action versions to avoid GHA Node 20 deprecation
Github Actions runners are deprecating Node 20 as Node 20 is EOL in April, 2026. More information: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
This bumps all the GHAs in the FAST stage 0 templates to use newer versions that do not depend on Node 20. This avoids the EOL and clears the deprecation warning in GHA when users run any GHA workflows generated in stage 0.
I just ran stage 0 with these bumps and it seems to work fine.
* Fix failing fast tests from old GHA version in yaml inventory file
---------
Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
* Allow creation of dynamic tags
* Extend project factory and related modules to support dynamic values
* Extend folder and organization modules
* project and organization readme
* Simplify dynamic tag support and remove unnecessary restrictions
• Schemas & Validations: Removed the restriction that forbade combining IAM fields with allowed_values_regex on tags. Updated validations in project and organization modules, and
simplified all relevant JSON schemas.
• Module Tag Bindings: Simplified the tag_value assignment in folder , project , gcs , bigquery-dataset , and kms modules by removing the defensive can(regex(...)) check and
calling templatestring directly.
• Outputs: Removed the tags_dynamic output from project and organization modules, as the same information is now available in tag_keys .
• Project Factory: Updated tag_vars_projects in projects.tf to use the native namespaced_name attribute and filtered manually for dynamic tags.
* fix(organization, project): fix linting and tests for dynamic tag support
- Align allowed_values_regex and description extraction in _tags_merged
locals to use lookup() for consistency with other fields.
- Fix spacing in project context variable (alphabetical ordering).
- Update organization tags test to include the new cost_center tag key
with allowed_values_regex.
- Update project tags test to include the new cost_center tag key and
reflect the resolved allowed_values_regex on environment.
* refactor(gcs): refine tag bindings and fix context test
- Add _tag_bindings local to pre-resolve context references, enabling
templatestring to receive a direct map reference (required by Terraform).
- Use var.context.tag_vars instead of the non-existent local.ctx.tag_vars.
- Fix HCL syntax in context.tfvars (escaped inner quotes).
- Update context test inventory to reflect 3 tag bindings including a
dynamic value resolved via templatestring.
* refactor: align modules with tag binding context pattern
- Add _tag_bindings local + templatestring dance to cloud-run-v2,
compute-vm, folder, kms modules (bigquery-dataset already had it)
- Exclude tag_vars from local.ctx in cloud-run-v2, compute-vm, folder,
kms, project modules (bigquery-dataset already had it)
- Add tag_vars to context variable in cloud-run-v2, compute-vm modules
(others already had it)
- Update all context tests with dynamic tag binding values using
var.context.tag_vars
* docs: add module-level tftest.yaml test instructions to GEMINI.md
* docs: regenerate READMEs after tag-regex alignment
- Regenerate variable tables in 7 module READMEs to reflect
line number shifts from prior tag-regex changes
- Add tag_vars exclusion to gcs ctx local
- Fix whitespace alignment in iam-service-account and
project-factory tag_vars blocks
- Update tftest resource counts for organization and project
- Remove tags_dynamic from organization/project output tables
* fix(project-factory): update test inventory for tag_bindings module split
- Move tag binding address from folder-2 to folder-2-iam in test
inventory (tag_bindings moved from creation to IAM modules)
- Update module instance count from 34 to 35
- Regenerate README tables after terraform fmt line shifts
- Apply terraform fmt to variables.tf
* refactor(project-factory): remove unnecessary depends_on from folder-iam modules
Folder IAM modules depend on their own folder creation modules, not
on module.projects. The explicit depends_on was leftover from an
earlier design.
* FAST stages
* Address review comments.
- FAST Stages:
- Added tag_keys to output-files.tf in 0-org-setup to pass org tags via tfvars.
- Sorted tag_keys and tag_values in output-files.tf.
- Updated project-factory, networking, and security stages to use tag_keys.
- Filtered tag_keys for dynamic tags only.
- Modules:
- Excluded tag_vars from local.ctx in iam-service-account and organization.
- Simplified tag_value in iam-service-account.
- Tests:
- Updated test inventories for 0-org-setup and project-factory.
* Fix tf format
* Fix tfdoc
* docs: add ADR for templatestring vars convention and update status of base path ADR
* More tfdoc
* Update schemas
* Use endswith in context loop
* Address review
* Update FAST readmes
* Update last modules
* Terraform fmt
* Revert alloydb
* Fix whitespace
---------
Co-authored-by: Ludovico Magnocavallo <ludo@qix.it>
* add dns armor module
* add dns armor to pf
* added missing/optional attributes
* Update project schemas
* Set version file copyright year to 2025
* replace module with single resource
* moved into it's own file
* Added tests and defaulting enabled to false
* Add optional name parameter and updated schemas
* make dns_threat_detector.enabled optional in project schemas
---------
Co-authored-by: Luca Prete <preteluca@gmail.com>
