From 54bce3f80b5a3b06f0c03836ab9b883fabee825c Mon Sep 17 00:00:00 2001
From: Guilherme Hosoda
Date: Wed, 9 Apr 2025 16:15:38 -0300
Subject: [PATCH 01/11] enable kms centralized key usage tracking system

---
 1-org/envs/shared/iam.tf | 12 ++++++++++++
 1-org/envs/shared/terraform.example.tfvars | 1 +
 1-org/envs/shared/variables.tf | 6 ++++++
 3 files changed, 19 insertions(+)

diff --git a/1-org/envs/shared/iam.tf b/1-org/envs/shared/iam.tf
index b5c627705..fba5c4134 100644
--- a/1-org/envs/shared/iam.tf
+++ b/1-org/envs/shared/iam.tf
@@ -62,6 +62,18 @@ resource "google_organization_iam_member" "billing_viewer" {
 member = "group:${local.required_groups["billing_data_users"]}"
 }
 
+/******************************************
+ Enable KMS Usage Tracking
+*****************************************/
+
+resource "google_organization_iam_member" "kms_usage_tracking" {
+ count = var.enable_kms_key_usage_tracking ? 1 : 0
+
+ org_id = local.org_id
+ role = "roles/cloudkms.orgServiceAgent"
+ member = "serviceAccount:service-org-${local.org_id}@gcp-sa-cloudkms.iam.gserviceaccount.com"
+}
+
 /******************************************
 Groups permissions
 *****************************************/
diff --git a/1-org/envs/shared/terraform.example.tfvars b/1-org/envs/shared/terraform.example.tfvars
index 9ff38bde8..c98cd3af1 100644
--- a/1-org/envs/shared/terraform.example.tfvars
+++ b/1-org/envs/shared/terraform.example.tfvars
@@ -30,6 +30,7 @@ billing_export_dataset_location = "US"
 //scc_notification_filter = "state=\\\"ACTIVE\\\""
 //enable_hub_and_spoke = true
+//enable_kms_key_usage_tracking = true
 //create_access_context_manager_access_policy = false
diff --git a/1-org/envs/shared/variables.tf b/1-org/envs/shared/variables.tf
index bc6fae1cf..f04dc3e6f 100644
--- a/1-org/envs/shared/variables.tf
+++ b/1-org/envs/shared/variables.tf
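Review bot: The new `kms_usage_tracking` resource grants `roles/cloudkms.orgServiceAgent` at organization scope to a Google-managed service agent whose address is assembled from a hard-coded pattern, and nothing in the hunk records why that grant exists or which documentation the pattern was taken from. Because this is the first place anyone auditing organization-level IAM will look, add a comment above the resource such as `// Grants the Cloud KMS organization service agent the role it needs for centralized key usage tracking; see https://cloud.google.com/kms/docs/view-key-usage` (the URL is the one the series' README change cites). If the organization's KMS service agent has not been provisioned yet when this binding is applied, the apply may fail on an unknown member; that is inferred rather than visible here, so it is worth confirming in the integration test rather than assuming.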
@@ -26,6 +26,12 @@ variable "enable_scc_resources_in_terraform" {
 default = false
 }
 
+variable "enable_kms_key_usage_tracking" {
+ description = "Enable KMS centralized key usage tracking system."
+ type = bool
+ default = false
+}
+
 variable "domains_to_allow" {
 description = "The list of domains to allow users from in IAM. Used by Domain Restricted Sharing Organization Policy. Must include the domain of the organization you are deploying the foundation. To add other domains you must also grant access to these domains to the Terraform Service Account used in the deploy."
 type = list(string)

From 220fb2ba33a5fe120519c62c4b24f428fa049169 Mon Sep 17 00:00:00 2001
From: Guilherme Hosoda
Date: Wed, 9 Apr 2025 16:18:19 -0300
Subject: [PATCH 02/11] define group to check for kms protected resources

---
 1-org/envs/shared/iam.tf | 7 +++++++
 1-org/envs/shared/variables.tf | 16 +++++++++-------
 2 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/1-org/envs/shared/iam.tf b/1-org/envs/shared/iam.tf
index fba5c4134..d12124289 100644
--- a/1-org/envs/shared/iam.tf
+++ b/1-org/envs/shared/iam.tf
@@ -166,3 +166,10 @@ resource "google_project_iam_member" "cai_monitoring_builder" {
 role = each.key
 member = "serviceAccount:${google_service_account.cai_monitoring_builder[0].email}"
 }
+
+resource "google_organization_iam_member" "kms_protected_resources_viewer" {
+ count = var.gcp_groups.kms_protected_resources_viewer != null && var.enable_kms_key_usage_tracking ? 1 : 0
+ org_id = local.org_id
+ role = "roles/cloudkms.protectedResourcesViewer"
+ member = "group:${var.gcp_groups.kms_protected_resources_viewer}"
+}
diff --git a/1-org/envs/shared/variables.tf b/1-org/envs/shared/variables.tf
index f04dc3e6f..f41729389 100644
--- a/1-org/envs/shared/variables.tf
+++ b/1-org/envs/shared/variables.tf
@@ -147,15 +147,17 @@ variable "gcp_groups" {
 network_viewer: Google Workspace or Cloud Identity group that members are part of the networking team and review network configurations.
 scc_admin: Google Workspace or Cloud Identity group that can administer Security Command Center.
 audit_viewer: Google Workspace or Cloud Identity group that members are part of an audit team and view audit logs in the logging project.
- global_secrets_admin: Google Workspace or Cloud Identity group that members are responsible for putting secrets into Secrets Manage
+ global_secrets_admin: Google Workspace or Cloud Identity group that members are responsible for putting secrets into Secrets Management.
+ kms_protected_resources_viewer: Google Workspace or Cloud Identity group that can search for kms protected resources.
 EOT
 type = object({
- audit_viewer = optional(string, null)
- security_reviewer = optional(string, null)
- network_viewer = optional(string, null)
- scc_admin = optional(string, null)
- global_secrets_admin = optional(string, null)
- kms_admin = optional(string, null)
+ audit_viewer = optional(string, null)
+ security_reviewer = optional(string, null)
+ network_viewer = optional(string, null)
+ scc_admin = optional(string, null)
+ global_secrets_admin = optional(string, null)
+ kms_admin = optional(string, null)
+ kms_protected_resources_viewer = optional(string, null)
 })
 default = {}
 }

From 5cf959883c538f481f37b69b84d81b939d433bb5 Mon Sep 17 00:00:00 2001
From: Guilherme Hosoda
Date: Wed, 9 Apr 2025 16:21:14 -0300
Subject: [PATCH 03/11] update docs

---
 1-org/envs/shared/README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/1-org/envs/shared/README.md b/1-org/envs/shared/README.md
index 8da1e2415..dbc625af8 100644
--- a/1-org/envs/shared/README.md
+++ b/1-org/envs/shared/README.md
@@ -8,12 +8,13 @@ | create\_unique\_tag\_key | Creates unique organization-wide tag keys by adding a random suffix to each key. | `bool` | `false` | no | | domains\_to\_allow | The list of domains to allow users from in IAM. Used by Domain Restricted Sharing Organization Policy. Must include the domain of the organization you are deploying the foundation. To add other domains you must also grant access to these domains to the Terraform Service Account used in the deploy. | `list(string)` | n/a | yes | | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no | +| enable\_kms\_key\_usage\_tracking | Enable KMS centralized key usage tracking system. | `bool` | `false` | no | | enable\_scc\_resources\_in\_terraform | Create Security Command Center resources in Terraform. If your organization has newly enabled any preview features for SCC and get an error related to the v2 API, you must set this variable to false because the v2 API does not yet support Terraform resources. See [issue 1189](https://github.com/terraform-google-modules/terraform-example-foundation/issues/1189) for context. | `bool` | `false` | no | | enforce\_allowed\_worker\_pools | Whether to enforce the organization policy restriction on allowed worker pools for Cloud Build. | `bool` | `false` | no | | essential\_contacts\_domains\_to\_allow | The list of domains that email addresses added to Essential Contacts can have. | `list(string)` | n/a | yes | | essential\_contacts\_language | Essential Contacts preferred language for notifications, as a ISO 639-1 language code. See [Supported languages](https://cloud.google.com/resource-manager/docs/managing-notification-contacts#supported-languages) for a list of supported languages. | `string` | `"en"` | no | | folder\_deletion\_protection | Prevent Terraform from destroying or recreating the folder. | `string` | `true` | no | -| gcp\_groups | Groups to grant specific roles in the Organization.
platform\_viewer: Google Workspace or Cloud Identity group that have the ability to view resource information across the Google Cloud organization.
security\_reviewer: Google Workspace or Cloud Identity group that members are part of the security team responsible for reviewing cloud security
network\_viewer: Google Workspace or Cloud Identity group that members are part of the networking team and review network configurations.
scc\_admin: Google Workspace or Cloud Identity group that can administer Security Command Center.
audit\_viewer: Google Workspace or Cloud Identity group that members are part of an audit team and view audit logs in the logging project.
global\_secrets\_admin: Google Workspace or Cloud Identity group that members are responsible for putting secrets into Secrets Manage |
object({
audit_viewer = optional(string, null)
security_reviewer = optional(string, null)
network_viewer = optional(string, null)
scc_admin = optional(string, null)
global_secrets_admin = optional(string, null)
kms_admin = optional(string, null)
})
| `{}` | no | +| gcp\_groups | Groups to grant specific roles in the Organization.
platform\_viewer: Google Workspace or Cloud Identity group that have the ability to view resource information across the Google Cloud organization.
security\_reviewer: Google Workspace or Cloud Identity group that members are part of the security team responsible for reviewing cloud security
network\_viewer: Google Workspace or Cloud Identity group that members are part of the networking team and review network configurations.
scc\_admin: Google Workspace or Cloud Identity group that can administer Security Command Center.
audit\_viewer: Google Workspace or Cloud Identity group that members are part of an audit team and view audit logs in the logging project.
global\_secrets\_admin: Google Workspace or Cloud Identity group that members are responsible for putting secrets into Secrets Management.
kms\_protected\_resources\_viewer: Google Workspace or Cloud Identity group that can search for kms protected resources. |
object({
audit_viewer = optional(string, null)
security_reviewer = optional(string, null)
network_viewer = optional(string, null)
scc_admin = optional(string, null)
global_secrets_admin = optional(string, null)
kms_admin = optional(string, null)
kms_protected_resources_viewer = optional(string, null)
})
| `{}` | no | | log\_export\_storage\_force\_destroy | (Optional) If set to true, delete all contents when destroying the resource; otherwise, destroying the resource will fail if contents are present. | `bool` | `false` | no | | log\_export\_storage\_location | The location of the storage bucket used to export logs. | `string` | `null` | no | | log\_export\_storage\_retention\_policy | Configuration of the bucket's data retention policy for how long objects in the bucket should be retained. |
object({
is_locked = bool
retention_period_days = number
})
| `null` | no | From 55a5027ddea1c40f941658805e84a0614de699d7 Mon Sep 17 00:00:00 2001 From: Guilherme Hosoda Date: Fri, 11 Apr 2025 09:09:30 -0300 Subject: [PATCH 04/11] add key usage tracking readme reference --- 1-org/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/1-org/README.md b/1-org/README.md index 5bce9c13b..f07233a7d 100644 --- a/1-org/README.md +++ b/1-org/README.md @@ -82,6 +82,8 @@ to Bigquery and Pub/Sub. This will result in additional charges for those copies - To use the **hub-and-spoke** architecture described in the **Networking** section of the [Google Cloud security foundations guide](https://cloud.google.com/architecture/security-foundations/networking#hub-and-spoke), set the `enable_hub_and_spoke` variable to `true`. +- To identify witch resources are protected by a key, use the [view key usage](https://cloud.google.com/kms/docs/view-key-usage) by setting the `enable_kms_key_usage_tracking` variable to true. + - If you are using MacOS, replace `cp -RT` with `cp -R` in the relevant commands. The `-T` flag is required for Linux, but causes problems for MacOS. From a7c2c58ba86ecc2a2fac23a5482588b833b00675 Mon Sep 17 00:00:00 2001 From: Guilherme Hosoda Date: Tue, 22 Apr 2025 08:51:31 -0300 Subject: [PATCH 05/11] chore: improve readme feature usage description --- 1-org/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/1-org/README.md b/1-org/README.md index f07233a7d..6c2ad1638 100644 --- a/1-org/README.md +++ b/1-org/README.md 
@@ -82,7 +82,7 @@ to Bigquery and Pub/Sub. This will result in additional charges for those copies
 - To use the **hub-and-spoke** architecture described in the **Networking** section of the [Google Cloud security foundations guide](https://cloud.google.com/architecture/security-foundations/networking#hub-and-spoke), set the `enable_hub_and_spoke` variable to `true`.
-- To identify witch resources are protected by a key, use the [view key usage](https://cloud.google.com/kms/docs/view-key-usage) by setting the `enable_kms_key_usage_tracking` variable to true.
+- As a KMS Administrator, you can [view all the keys in your organization from a centralized location](https://cloud.google.com/kms/docs/view-key-usage) by setting the `enable_kms_key_usage_tracking` variable to true.
 - If you are using MacOS, replace `cp -RT` with `cp -R` in the relevant commands. The `-T` flag is required for Linux, but causes problems for MacOS.

From a7cfe472ab3ab83ba769598fd454aa864ce02988 Mon Sep 17 00:00:00 2001
From: Guilherme Hosoda
Date: Mon, 28 Apr 2025 08:59:11 -0300
Subject: [PATCH 06/11] review commit

---
 1-org/README.md | 2 --
 1-org/envs/shared/README.md | 4 ++--
 1-org/envs/shared/iam.tf | 14 +++++++-------
 1-org/envs/shared/variables.tf | 16 +++++++---------
 4 files changed, 16 insertions(+), 20 deletions(-)

diff --git a/1-org/README.md b/1-org/README.md
index 6c2ad1638..5bce9c13b 100644
--- a/1-org/README.md
+++ b/1-org/README.md
@@ -82,8 +82,6 @@ to Bigquery and Pub/Sub. This will result in additional charges for those copies
 - To use the **hub-and-spoke** architecture described in the **Networking** section of the [Google Cloud security foundations guide](https://cloud.google.com/architecture/security-foundations/networking#hub-and-spoke), set the `enable_hub_and_spoke` variable to `true`.
-- As a KMS Administrator, you can [view all the keys in your organization from a centralized location](https://cloud.google.com/kms/docs/view-key-usage) by setting the `enable_kms_key_usage_tracking` variable to true.
-
 - If you are using MacOS, replace `cp -RT` with `cp -R` in the relevant commands. The `-T` flag is required for Linux, but causes problems for MacOS.
diff --git a/1-org/envs/shared/README.md b/1-org/envs/shared/README.md
index dbc625af8..502720442 100644
--- a/1-org/envs/shared/README.md
+++ b/1-org/envs/shared/README.md
@@ -8,13 +8,13 @@ | create\_unique\_tag\_key | Creates unique organization-wide tag keys by adding a random suffix to each key. | `bool` | `false` | no | | domains\_to\_allow | The list of domains to allow users from in IAM. Used by Domain Restricted Sharing Organization Policy. Must include the domain of the organization you are deploying the foundation. To add other domains you must also grant access to these domains to the Terraform Service Account used in the deploy. | `list(string)` | n/a | yes | | enable\_hub\_and\_spoke | Enable Hub-and-Spoke architecture. | `bool` | `false` | no | -| enable\_kms\_key\_usage\_tracking | Enable KMS centralized key usage tracking system. | `bool` | `false` | no | +| enable\_kms\_key\_usage\_tracking | Enable KMS centralized key usage tracking system. | `bool` | `true` | no | | enable\_scc\_resources\_in\_terraform | Create Security Command Center resources in Terraform. If your organization has newly enabled any preview features for SCC and get an error related to the v2 API, you must set this variable to false because the v2 API does not yet support Terraform resources. See [issue 1189](https://github.com/terraform-google-modules/terraform-example-foundation/issues/1189) for context. | `bool` | `false` | no | | enforce\_allowed\_worker\_pools | Whether to enforce the organization policy restriction on allowed worker pools for Cloud Build. | `bool` | `false` | no | | essential\_contacts\_domains\_to\_allow | The list of domains that email addresses added to Essential Contacts can have. | `list(string)` | n/a | yes | | essential\_contacts\_language | Essential Contacts preferred language for notifications, as a ISO 639-1 language code. See [Supported languages](https://cloud.google.com/resource-manager/docs/managing-notification-contacts#supported-languages) for a list of supported languages. | `string` | `"en"` | no | | folder\_deletion\_protection | Prevent Terraform from destroying or recreating the folder. 
| `string` | `true` | no | -| gcp\_groups | Groups to grant specific roles in the Organization.
platform\_viewer: Google Workspace or Cloud Identity group that have the ability to view resource information across the Google Cloud organization.
security\_reviewer: Google Workspace or Cloud Identity group that members are part of the security team responsible for reviewing cloud security
network\_viewer: Google Workspace or Cloud Identity group that members are part of the networking team and review network configurations.
scc\_admin: Google Workspace or Cloud Identity group that can administer Security Command Center.
audit\_viewer: Google Workspace or Cloud Identity group that members are part of an audit team and view audit logs in the logging project.
global\_secrets\_admin: Google Workspace or Cloud Identity group that members are responsible for putting secrets into Secrets Management.
kms\_protected\_resources\_viewer: Google Workspace or Cloud Identity group that can search for kms protected resources. |
object({
audit_viewer = optional(string, null)
security_reviewer = optional(string, null)
network_viewer = optional(string, null)
scc_admin = optional(string, null)
global_secrets_admin = optional(string, null)
kms_admin = optional(string, null)
kms_protected_resources_viewer = optional(string, null)
})
| `{}` | no | +| gcp\_groups | Groups to grant specific roles in the Organization.
platform\_viewer: Google Workspace or Cloud Identity group that have the ability to view resource information across the Google Cloud organization.
security\_reviewer: Google Workspace or Cloud Identity group that members are part of the security team responsible for reviewing cloud security
network\_viewer: Google Workspace or Cloud Identity group that members are part of the networking team and review network configurations.
scc\_admin: Google Workspace or Cloud Identity group that can administer Security Command Center.
audit\_viewer: Google Workspace or Cloud Identity group that members are part of an audit team and view audit logs in the logging project.
global\_secrets\_admin: Google Workspace or Cloud Identity group that members are responsible for putting secrets into Secrets Management. |
object({
audit_viewer = optional(string, null)
security_reviewer = optional(string, null)
network_viewer = optional(string, null)
scc_admin = optional(string, null)
global_secrets_admin = optional(string, null)
kms_admin = optional(string, null)
})
| `{}` | no | | log\_export\_storage\_force\_destroy | (Optional) If set to true, delete all contents when destroying the resource; otherwise, destroying the resource will fail if contents are present. | `bool` | `false` | no | | log\_export\_storage\_location | The location of the storage bucket used to export logs. | `string` | `null` | no | | log\_export\_storage\_retention\_policy | Configuration of the bucket's data retention policy for how long objects in the bucket should be retained. |
object({
is_locked = bool
retention_period_days = number
})
| `null` | no |
diff --git a/1-org/envs/shared/iam.tf b/1-org/envs/shared/iam.tf
index d12124289..a1e1e2c45 100644
--- a/1-org/envs/shared/iam.tf
+++ b/1-org/envs/shared/iam.tf
@@ -155,6 +155,13 @@ resource "google_project_iam_member" "kms_admin" {
 member = "group:${var.gcp_groups.kms_admin}"
 }
 
+resource "google_organization_iam_member" "kms_protected_resources_viewer" {
+ count = var.gcp_groups.kms_admin != null && var.enable_kms_key_usage_tracking ? 1 : 0
+ org_id = local.org_id
+ role = "roles/cloudkms.protectedResourcesViewer"
+ member = "group:${var.gcp_groups.kms_admin}"
+}
+
 resource "google_project_iam_member" "cai_monitoring_builder" {
 project = module.scc_notifications.project_id
 for_each = toset(var.enable_scc_resources_in_terraform ?
@@ -166,10 +173,3 @@ resource "google_project_iam_member" "cai_monitoring_builder" {
 role = each.key
 member = "serviceAccount:${google_service_account.cai_monitoring_builder[0].email}"
 }
-
-resource "google_organization_iam_member" "kms_protected_resources_viewer" {
- count = var.gcp_groups.kms_protected_resources_viewer != null && var.enable_kms_key_usage_tracking ? 1 : 0
- org_id = local.org_id
- role = "roles/cloudkms.protectedResourcesViewer"
- member = "group:${var.gcp_groups.kms_protected_resources_viewer}"
-}
diff --git a/1-org/envs/shared/variables.tf b/1-org/envs/shared/variables.tf
index f41729389..1c1830366 100644
--- a/1-org/envs/shared/variables.tf
+++ b/1-org/envs/shared/variables.tf
@@ -29,7 +29,7 @@ variable "enable_scc_resources_in_terraform" {
 variable "enable_kms_key_usage_tracking" {
 description = "Enable KMS centralized key usage tracking system."
 type = bool
- default = false
+ default = true
 }
 
 variable "domains_to_allow" {
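Review bot: The relocated `kms_protected_resources_viewer` resource now grants `roles/cloudkms.protectedResourcesViewer` on the whole organization to `var.gcp_groups.kms_admin`, the same group the `kms_admin` resource directly above binds at project level, but the `gcp_groups` description still carries no `kms_admin:` entry at all (the rendered README table in this series lists every other key), so whoever fills in that group cannot see that it also receives org-wide read access when the feature flag is on. Add a line to the heredoc in variables.tf along the lines of `kms_admin: Google Workspace or Cloud Identity group that is granted the KMS admin role in the KMS project and, when enable_kms_key_usage_tracking is true, roles/cloudkms.protectedResourcesViewer on the organization so it can search for kms protected resources.`, adjusting the first clause to whatever the project-level grant actually confers. A one-line comment above the new resource saying that it is intentionally gated on both the group being set and the feature flag would also help, since the `count` expression is currently the only hint.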
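Review bot: Changing `default` to `true` means every deployment that leaves this variable unset now creates the organization-level `roles/cloudkms.orgServiceAgent` binding for the KMS service agent introduced earlier in this series, yet the description still reads only `Enable KMS centralized key usage tracking system.` and says nothing about what is created or at which scope. Expand it so the side effect is visible to anyone reviewing the variable, e.g. `description = "Enable KMS centralized key usage tracking. When true, grants roles/cloudkms.orgServiceAgent to the Cloud KMS organization service agent on the organization (see https://cloud.google.com/kms/docs/view-key-usage)."`. The README table hunk in this commit changes the same default; regenerating the docs after updating the description will keep the two in step.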
@@ -148,16 +148,14 @@ variable "gcp_groups" {
 scc_admin: Google Workspace or Cloud Identity group that can administer Security Command Center.
 audit_viewer: Google Workspace or Cloud Identity group that members are part of an audit team and view audit logs in the logging project.
 global_secrets_admin: Google Workspace or Cloud Identity group that members are responsible for putting secrets into Secrets Management.
- kms_protected_resources_viewer: Google Workspace or Cloud Identity group that can search for kms protected resources.
 EOT
 type = object({
- audit_viewer = optional(string, null)
- security_reviewer = optional(string, null)
- network_viewer = optional(string, null)
- scc_admin = optional(string, null)
- global_secrets_admin = optional(string, null)
- kms_admin = optional(string, null)
- kms_protected_resources_viewer = optional(string, null)
+ audit_viewer = optional(string, null)
+ security_reviewer = optional(string, null)
+ network_viewer = optional(string, null)
+ scc_admin = optional(string, null)
+ global_secrets_admin = optional(string, null)
+ kms_admin = optional(string, null)
 })
 default = {}
 }

From 31abfb724a6ff77ff6c88662e5b88360a10d643c Mon Sep 17 00:00:00 2001
From: Guilherme Hosoda
Date: Mon, 28 Apr 2025 09:07:36 -0300
Subject: [PATCH 07/11] review commit

---
 1-org/envs/shared/terraform.example.tfvars | 1 -
 1 file changed, 1 deletion(-)

diff --git a/1-org/envs/shared/terraform.example.tfvars b/1-org/envs/shared/terraform.example.tfvars
index c98cd3af1..9ff38bde8 100644
--- a/1-org/envs/shared/terraform.example.tfvars
+++ b/1-org/envs/shared/terraform.example.tfvars
@@ -30,7 +30,6 @@ billing_export_dataset_location = "US"
 //scc_notification_filter = "state=\\\"ACTIVE\\\""
 //enable_hub_and_spoke = true
-//enable_kms_key_usage_tracking = true
 //create_access_context_manager_access_policy = false

From 35202f1385a69caa1a453aa5bd3a050aa63673ad Mon Sep 17 00:00:00 2001
From: Renato Rudnicki <77694243+renato-rudnicki@users.noreply.github.com>
Date: Wed, 30 Apr 2025 18:00:24 -0300
Subject: [PATCH 08/11] fix: Fix for google-terraform-provider in version 6.26.0 (#1408)

---
 0-bootstrap/versions.tf | 8 ++++----
 3-networks-hub-and-spoke/envs/development/versions.tf | 8 ++++----
 3-networks-hub-and-spoke/envs/nonproduction/versions.tf | 8 ++++----
 3-networks-hub-and-spoke/envs/production/versions.tf | 8 ++++----
 3-networks-hub-and-spoke/envs/shared/versions.tf | 8 ++++----
 3-networks-hub-and-spoke/modules/base_env/versions.tf | 8 ++++----
 .../modules/dedicated_interconnect/versions.tf | 8 ++++----
 .../modules/hierarchical_firewall_policy/versions.tf | 8 ++++----
 .../modules/partner_interconnect/versions.tf | 8 ++++----
 3-networks-hub-and-spoke/modules/shared_vpc/versions.tf | 6 ++++--
 3-networks-hub-and-spoke/modules/transitivity/versions.tf | 8 ++++----
 3-networks-svpc/envs/development/versions.tf | 8 ++++----
 3-networks-svpc/envs/nonproduction/versions.tf | 8 ++++----
 3-networks-svpc/envs/production/versions.tf | 8 ++++----
 3-networks-svpc/envs/shared/versions.tf | 8 ++++----
 3-networks-svpc/modules/base_env/versions.tf | 8 ++++----
 .../modules/dedicated_interconnect/versions.tf | 8 ++++----
 .../modules/hierarchical_firewall_policy/versions.tf | 6 ++++--
 3-networks-svpc/modules/partner_interconnect/versions.tf | 8 ++++----
 3-networks-svpc/modules/shared_vpc/versions.tf | 6 ++++--
 4-projects/modules/infra_pipelines/versions.tf | 8 ++++----
 4-projects/modules/single_project/versions.tf | 8 ++++----
 22 files changed, 88 insertions(+), 82 deletions(-)

diff --git a/0-bootstrap/versions.tf b/0-bootstrap/versions.tf
index 8129e9abf..3b9b1a7c8 100644
--- a/0-bootstrap/versions.tf
+++ b/0-bootstrap/versions.tf
@@ -19,16 +19,16 @@ terraform {
 required_providers {
 google = {
 // version 4.31.0 removed because of issue https://github.com/hashicorp/terraform-provider-google/issues/12226
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google"
- version = ">= 3.50, != 4.31.0, < 6.26.0"
+ version = ">= 3.50, != 4.31.0, != 6.26.0, != 6.27.0, < 7.0"
 }
 google-beta = {
 // version 4.31.0 removed because of issue https://github.com/hashicorp/terraform-provider-google/issues/12226
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google-beta"
- version = ">= 3.50, != 4.31.0, < 6.26.0"
+ version = ">= 3.50, != 4.31.0, != 6.26.0, != 6.27.0, < 7.0"
 }
 // Un-comment gitlab required_providers when using gitlab CI/CD
diff --git a/3-networks-hub-and-spoke/envs/development/versions.tf b/3-networks-hub-and-spoke/envs/development/versions.tf
index b04474822..afa4ea6f2 100644
--- a/3-networks-hub-and-spoke/envs/development/versions.tf
+++ b/3-networks-hub-and-spoke/envs/development/versions.tf
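Review bot: Both `version` constraints in this hunk move their upper bound from `< 6.26.0` to `< 7.0`, so after this change `terraform init` may resolve any future 6.x provider release, including ones published after the two excluded versions, without any further edit to this repository; the old bound effectively held the provider at a tested release, and the commit title only describes the 6.26.0 fix. That is a defensible choice, but it is a change of pinning policy and should be stated where the next maintainer will read it, e.g. `// version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950; upper bound relaxed to < 7.0 so later 6.x releases are accepted`. The same applies to every other versions.tf hunk in this commit, including the shared_vpc files that previously had no comment at all.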
@@ -18,14 +18,14 @@ terraform {
 required_version = ">= 0.13"
 required_providers {
 google = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 google-beta = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google-beta"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 }
 }
diff --git a/3-networks-hub-and-spoke/envs/nonproduction/versions.tf b/3-networks-hub-and-spoke/envs/nonproduction/versions.tf
index b04474822..afa4ea6f2 100644
--- a/3-networks-hub-and-spoke/envs/nonproduction/versions.tf
+++ b/3-networks-hub-and-spoke/envs/nonproduction/versions.tf
@@ -18,14 +18,14 @@ terraform {
 required_version = ">= 0.13"
 required_providers {
 google = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 google-beta = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google-beta"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 }
 }
diff --git a/3-networks-hub-and-spoke/envs/production/versions.tf b/3-networks-hub-and-spoke/envs/production/versions.tf
index b04474822..afa4ea6f2 100644
--- a/3-networks-hub-and-spoke/envs/production/versions.tf
+++ b/3-networks-hub-and-spoke/envs/production/versions.tf
@@ -18,14 +18,14 @@ terraform {
 required_version = ">= 0.13"
 required_providers {
 google = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 google-beta = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google-beta"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 }
 }
diff --git a/3-networks-hub-and-spoke/envs/shared/versions.tf b/3-networks-hub-and-spoke/envs/shared/versions.tf
index b04474822..afa4ea6f2 100644
--- a/3-networks-hub-and-spoke/envs/shared/versions.tf
+++ b/3-networks-hub-and-spoke/envs/shared/versions.tf
@@ -18,14 +18,14 @@ terraform {
 required_version = ">= 0.13"
 required_providers {
 google = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 google-beta = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google-beta"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 }
 }
diff --git a/3-networks-hub-and-spoke/modules/base_env/versions.tf b/3-networks-hub-and-spoke/modules/base_env/versions.tf
index 9ac2a00d6..acb94ac62 100644
--- a/3-networks-hub-and-spoke/modules/base_env/versions.tf
+++ b/3-networks-hub-and-spoke/modules/base_env/versions.tf
@@ -18,14 +18,14 @@ terraform {
 required_version = ">= 0.13"
 required_providers {
 google = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 google-beta = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google-beta"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 }
diff --git a/3-networks-hub-and-spoke/modules/dedicated_interconnect/versions.tf b/3-networks-hub-and-spoke/modules/dedicated_interconnect/versions.tf
index e0f5555f4..3fbcfc3e6 100644
--- a/3-networks-hub-and-spoke/modules/dedicated_interconnect/versions.tf
+++ b/3-networks-hub-and-spoke/modules/dedicated_interconnect/versions.tf
@@ -18,14 +18,14 @@ terraform {
 required_version = ">= 0.13"
 required_providers {
 google = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 google-beta = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google-beta"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 }
diff --git a/3-networks-hub-and-spoke/modules/hierarchical_firewall_policy/versions.tf b/3-networks-hub-and-spoke/modules/hierarchical_firewall_policy/versions.tf
index 3101ab902..e38763e46 100644
--- a/3-networks-hub-and-spoke/modules/hierarchical_firewall_policy/versions.tf
+++ b/3-networks-hub-and-spoke/modules/hierarchical_firewall_policy/versions.tf
@@ -18,14 +18,14 @@ terraform {
 required_version = ">= 0.13"
 required_providers {
 google = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google"
- version = ">= 3.82, < 6.26.0"
+ version = ">= 3.82, != 6.26.0, != 6.27.0, < 7.0"
 }
 google-beta = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google-beta"
- version = ">= 3.82, < 6.26.0"
+ version = ">= 3.82, != 6.26.0, != 6.27.0, < 7.0"
 }
 random = {
 source = "hashicorp/random"
diff --git a/3-networks-hub-and-spoke/modules/partner_interconnect/versions.tf b/3-networks-hub-and-spoke/modules/partner_interconnect/versions.tf
index 7eb80374d..73ec2247b 100644
--- a/3-networks-hub-and-spoke/modules/partner_interconnect/versions.tf
+++ b/3-networks-hub-and-spoke/modules/partner_interconnect/versions.tf
@@ -18,14 +18,14 @@ terraform {
 required_version = ">= 0.13"
 required_providers {
 google = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 google-beta = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google-beta"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 }
diff --git a/3-networks-hub-and-spoke/modules/shared_vpc/versions.tf b/3-networks-hub-and-spoke/modules/shared_vpc/versions.tf
index 2193f4688..ba16bcea3 100644
--- a/3-networks-hub-and-spoke/modules/shared_vpc/versions.tf
+++ b/3-networks-hub-and-spoke/modules/shared_vpc/versions.tf
@@ -18,12 +18,14 @@ terraform {
 required_version = ">= 0.13"
 required_providers {
 google = {
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 google-beta = {
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google-beta"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 random = {
 source = "hashicorp/random"
diff --git a/3-networks-hub-and-spoke/modules/transitivity/versions.tf b/3-networks-hub-and-spoke/modules/transitivity/versions.tf
index d70c918f4..a4563c86e 100644
--- a/3-networks-hub-and-spoke/modules/transitivity/versions.tf
+++ b/3-networks-hub-and-spoke/modules/transitivity/versions.tf
@@ -18,14 +18,14 @@ terraform {
 required_version = ">= 0.13"
 required_providers {
 google = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 google-beta = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google-beta"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 }
diff --git a/3-networks-svpc/envs/development/versions.tf b/3-networks-svpc/envs/development/versions.tf
index 94018c4e5..12c8e9986 100644
--- a/3-networks-svpc/envs/development/versions.tf
+++ b/3-networks-svpc/envs/development/versions.tf
@@ -18,14 +18,14 @@ terraform {
 required_version = ">= 0.13"
 required_providers {
 google = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 google-beta = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google-beta"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 }
 }
diff --git a/3-networks-svpc/envs/nonproduction/versions.tf b/3-networks-svpc/envs/nonproduction/versions.tf
index 94018c4e5..12c8e9986 100644
--- a/3-networks-svpc/envs/nonproduction/versions.tf
+++ b/3-networks-svpc/envs/nonproduction/versions.tf
@@ -18,14 +18,14 @@ terraform {
 required_version = ">= 0.13"
 required_providers {
 google = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 google-beta = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google-beta"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 }
 }
diff --git a/3-networks-svpc/envs/production/versions.tf b/3-networks-svpc/envs/production/versions.tf
index 94018c4e5..12c8e9986 100644
--- a/3-networks-svpc/envs/production/versions.tf
+++ b/3-networks-svpc/envs/production/versions.tf
@@ -18,14 +18,14 @@ terraform {
 required_version = ">= 0.13"
 required_providers {
 google = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 google-beta = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google-beta"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 }
 }
diff --git a/3-networks-svpc/envs/shared/versions.tf b/3-networks-svpc/envs/shared/versions.tf
index 94018c4e5..12c8e9986 100644
--- a/3-networks-svpc/envs/shared/versions.tf
+++ b/3-networks-svpc/envs/shared/versions.tf
@@ -18,14 +18,14 @@ terraform {
 required_version = ">= 0.13"
 required_providers {
 google = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 google-beta = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google-beta"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 }
 }
diff --git a/3-networks-svpc/modules/base_env/versions.tf b/3-networks-svpc/modules/base_env/versions.tf
index 8f6a07861..5abf0a2fb 100644
--- a/3-networks-svpc/modules/base_env/versions.tf
+++ b/3-networks-svpc/modules/base_env/versions.tf
@@ -18,14 +18,14 @@ terraform {
 required_version = ">= 0.13"
 required_providers {
 google = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 google-beta = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google-beta"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 }
diff --git a/3-networks-svpc/modules/dedicated_interconnect/versions.tf b/3-networks-svpc/modules/dedicated_interconnect/versions.tf
index 788fb60a6..a7e194f77 100644
--- a/3-networks-svpc/modules/dedicated_interconnect/versions.tf
+++ b/3-networks-svpc/modules/dedicated_interconnect/versions.tf
@@ -18,14 +18,14 @@ terraform {
 required_version = ">= 0.13"
 required_providers {
 google = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 google-beta = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google-beta"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 }
diff --git a/3-networks-svpc/modules/hierarchical_firewall_policy/versions.tf b/3-networks-svpc/modules/hierarchical_firewall_policy/versions.tf
index e54585e86..8baa49abe 100644
--- a/3-networks-svpc/modules/hierarchical_firewall_policy/versions.tf
+++ b/3-networks-svpc/modules/hierarchical_firewall_policy/versions.tf
@@ -18,12 +18,14 @@ terraform {
 required_version = ">= 0.13"
 required_providers {
 google = {
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google"
- version = ">= 3.82, < 6.26.0"
+ version = ">= 3.82, != 6.26.0, != 6.27.0, < 7.0"
 }
 google-beta = {
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google-beta"
- version = ">= 3.82, < 6.26.0"
+ version = ">= 3.82, != 6.26.0, != 6.27.0, < 7.0"
 }
 random = {
 source = "hashicorp/random"
diff --git a/3-networks-svpc/modules/partner_interconnect/versions.tf b/3-networks-svpc/modules/partner_interconnect/versions.tf
index 8cde23477..c6b8913c4 100644
--- a/3-networks-svpc/modules/partner_interconnect/versions.tf
+++ b/3-networks-svpc/modules/partner_interconnect/versions.tf
@@ -18,14 +18,14 @@ terraform {
 required_version = ">= 0.13"
 required_providers {
 google = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 google-beta = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google-beta"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 }
diff --git a/3-networks-svpc/modules/shared_vpc/versions.tf b/3-networks-svpc/modules/shared_vpc/versions.tf
index 70d2dd824..5789aa423 100644
--- a/3-networks-svpc/modules/shared_vpc/versions.tf
+++ b/3-networks-svpc/modules/shared_vpc/versions.tf
@@ -18,12 +18,14 @@ terraform {
 required_version = ">= 0.13"
 required_providers {
 google = {
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 google-beta = {
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google-beta"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 random = {
 source = "hashicorp/random"
diff --git a/4-projects/modules/infra_pipelines/versions.tf b/4-projects/modules/infra_pipelines/versions.tf
index 4124769e8..d5a15e5c7 100644
--- a/4-projects/modules/infra_pipelines/versions.tf
+++ b/4-projects/modules/infra_pipelines/versions.tf
@@ -19,15 +19,15 @@ terraform {
 required_providers {
 google = {
 // version 4.31.0 removed because of issue https://github.com/hashicorp/terraform-provider-google/issues/12226
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google"
- version = ">= 3.50, != 4.31.0, < 6.26.0"
+ version = ">= 3.50, != 4.31.0, != 6.26.0, != 6.27.0, < 7.0"
 }
 google-beta = {
 // version 4.31.0 removed because of issue https://github.com/hashicorp/terraform-provider-google/issues/12226
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google-beta"
- version = ">= 3.50, != 4.31.0, < 6.26.0"
+ version = ">= 3.50, != 4.31.0, != 6.26.0, != 6.27.0, < 7.0"
 }
 null = {
 source = "hashicorp/null"
diff --git a/4-projects/modules/single_project/versions.tf b/4-projects/modules/single_project/versions.tf
index e5e3863b7..56f3692cb 100644
--- a/4-projects/modules/single_project/versions.tf
+++ b/4-projects/modules/single_project/versions.tf
@@ -18,14 +18,14 @@ terraform {
 required_version = ">= 1.3"
 required_providers {
 google = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 google-beta = {
- // version 6.26.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
+ // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950
 source = "hashicorp/google-beta"
- version = ">= 3.50, < 6.26.0"
+ version = ">= 3.50, != 6.26.0, != 6.27.0, < 7.0"
 }
 }
From 1bbdc04f595e0907a00433aa472b9816dbaa4a8c Mon Sep 17 00:00:00 2001
From: Guilherme Hosoda
Date: Fri, 2 May 2025 09:14:47 -0300
Subject: [PATCH 09/11] create org kms service identity
---
 1-org/envs/shared/iam.tf | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/1-org/envs/shared/iam.tf b/1-org/envs/shared/iam.tf
index a1e1e2c45..0448e1eac 100644
--- a/1-org/envs/shared/iam.tf
+++ b/1-org/envs/shared/iam.tf
@@ -66,8 +66,23 @@ resource "google_organization_iam_member" "billing_viewer" {
 Enable KMS Usage Tracking
 *****************************************/
+module "create_kms_organization_service_agent" {
+ source = "terraform-google-modules/gcloud/google"
+ version = "~> 3.1"
+ upgrade = false
+
+ create_cmd_triggers = {
+ org_id = local.org_id
+ }
+
+ create_cmd_body = "beta services identity create --service cloudkms.googleapis.com --organization ${local.org_id}"
+}
+
 resource "google_organization_iam_member" "kms_usage_tracking" {
 count = var.enable_kms_key_usage_tracking ? 1 : 0
+ depends_on = [
+ module.create_kms_organization_service_agent,
+ ]
 org_id = local.org_id
 role = "roles/cloudkms.orgServiceAgent"
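Review bot: The `module "create_kms_organization_service_agent"` block is unconditional while the `kms_usage_tracking` binding it exists to support is gated on `var.enable_kms_key_usage_tracking`, so every apply of this stage — including deployments that leave the flag off — shells out to `gcloud beta services identity create --service cloudkms.googleapis.com --organization …` and provisions the organization-level Cloud KMS service agent. Gating the module the same way, `count = var.enable_kms_key_usage_tracking ? 1 : 0`, keeps the set of org-scope service agents tied to the feature that needs them, and the `depends_on = [module.create_kms_organization_service_agent]` reference on the resource remains valid for a counted module. The gcloud module also runs with whatever identity the local `gcloud` is authenticated as, which is presumably the same service account the provider uses but is worth confirming in the pipeline, since this is a privileged organization-scope call. The `member` attribute of `kms_usage_tracking` falls outside this hunk.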
From e0d03db1d31111ff4877c316812265897fa2e9f5 Mon Sep 17 00:00:00 2001
From: Guilherme Hosoda
Date: Fri, 2 May 2025 11:31:55 -0300
Subject: [PATCH 10/11] lint
---
 1-org/envs/shared/iam.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/1-org/envs/shared/iam.tf b/1-org/envs/shared/iam.tf
index 0448e1eac..b5880493f 100644
--- a/1-org/envs/shared/iam.tf
+++ b/1-org/envs/shared/iam.tf
@@ -67,7 +67,7 @@ resource "google_organization_iam_member" "billing_viewer" {
 *****************************************/
 module "create_kms_organization_service_agent" {
- source = "terraform-google-modules/gcloud/google"
+ source = "terraform-google-modules/gcloud/google"
 version = "~> 3.1"
 upgrade = false
@@ -80,6 +80,7 @@ module "create_kms_organization_service_agent" {
 resource "google_organization_iam_member" "kms_usage_tracking" {
 count = var.enable_kms_key_usage_tracking ? 1 : 0
+
 depends_on = [
 module.create_kms_organization_service_agent,
 ]
From 68081f3dc940447802f4198d4197f4411962da47 Mon Sep 17 00:00:00 2001
From: Guilherme Hosoda
Date: Mon, 5 May 2025 11:43:02 -0300
Subject: [PATCH 11/11] setup test retry setting for vpcsc etag conflict
---
 test/integration/testutils/retry.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/test/integration/testutils/retry.go b/test/integration/testutils/retry.go
index 67c05bb19..d70ca41a6 100644
--- a/test/integration/testutils/retry.go
+++ b/test/integration/testutils/retry.go
@@ -45,5 +45,8 @@ var (
 // Error waiting for creating service network connection. This happens randomly for development, production and non-production environments
 ".*Error code 16.*Error waiting for Create Service Networking Connection*": "Request had invalid authentication credentials",
+
+ // Error 400: The eTag provided {} does not match the eTag of the current version of the Access Policy, which is {}.
+ ".*Error 400: The eTag provided.*does not match the eTag of the current version of the Access Policy, which is.*": "Conflict during Access Policy configuration.",
 }
)
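Review bot: The comment above the new `Error 400: The eTag provided` entry only restates the error text; the neighbouring `Error code 16` entry also says when the failure occurs, and nothing here records why an eTag mismatch on the Access Policy is treated as transient rather than as a genuine concurrent-modification problem that a retry would mask. A second comment line such as `// Presumably raised when the Access Policy is updated concurrently (e.g. by a parallel test stage); treated as transient — confirm the trigger before relying on this retry.` would give the next maintainer the rationale that the commit subject ("vpcsc etag conflict") only hints at. The `var (` block holding this map opens before the hunk.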